Edit tour

Windows Analysis Report
H75MnQEha8.exe

Overview

General Information

Sample name:	H75MnQEha8.exe renamed because original name is a hash value
Original sample name:	cc1bc30840dba38a500b470843d0b4b4921dad024861dd8fd10e445b77f23ea6.exe
Analysis ID:	1588323
MD5:	bf5080dcb84740587bfad2ff84979627
SHA1:	07d35a6a2d2a400b9244ee8188c5c830b2a246b3
SHA256:	cc1bc30840dba38a500b470843d0b4b4921dad024861dd8fd10e445b77f23ea6
Tags:	exeMassLoggeruser-adrian__luca
Infos:

Detection

MassLogger RAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected MassLogger RAT

Yara detected Telegram RAT

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

H75MnQEha8.exe (PID: 5832 cmdline: "C:\Users\user\Desktop\H75MnQEha8.exe" MD5: BF5080DCB84740587BFAD2FF84979627)

RegSvcs.exe (PID: 7116 cmdline: "C:\Users\user\Desktop\H75MnQEha8.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Configuration

Threatname: MassLogger

{"EXfil Mode": "Telegram", "Telegram Token": "7294636257:AAGgJH_GmdGy0-9xaFS4mMSkGg2m4Qa6M6c", "Telegram Chatid": "1545867115"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000002.2523457522.0000000000602000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000007.00000002.2523457522.0000000000602000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.2523457522.0000000000602000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000007.00000002.2523457522.0000000000602000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xeed7:$a1: get_encryptedPassword 0xf1ff:$a2: get_encryptedUsername 0xec72:$a3: get_timePasswordChanged 0xed93:$a4: get_passwordField 0xeeed:$a5: set_encryptedPassword 0x1084b:$a7: get_logins 0x104fc:$a8: GetOutlookPasswords 0x102ee:$a9: StartKeylogger 0x1079b:$a10: KeyLoggerEventArgs 0x1034b:$a11: KeyLoggerEventArgsEventHandler
00000001.00000002.1289041266.0000000001810000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000001.00000002.1289041266.0000000001810000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.1289041266.0000000001810000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000001.00000002.1289041266.0000000001810000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf0d7:$a1: get_encryptedPassword 0xf3ff:$a2: get_encryptedUsername 0xee72:$a3: get_timePasswordChanged 0xef93:$a4: get_passwordField 0xf0ed:$a5: set_encryptedPassword 0x10a4b:$a7: get_logins 0x106fc:$a8: GetOutlookPasswords 0x104ee:$a9: StartKeylogger 0x1099b:$a10: KeyLoggerEventArgs 0x1054b:$a11: KeyLoggerEventArgsEventHandler
00000001.00000002.1289041266.0000000001810000.00000004.00001000.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1408d:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1358b:$a3: \Google\Chrome\User Data\Default\Login Data 0x13899:$a4: \Orbitum\User Data\Default\Login Data 0x14691:$a5: \Kometa\User Data\Default\Login Data
00000007.00000002.2524827918.0000000002696000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: H75MnQEha8.exe PID: 5832	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: H75MnQEha8.exe PID: 5832	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: H75MnQEha8.exe PID: 5832	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: H75MnQEha8.exe PID: 5832	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1e9b3d:$a1: get_encryptedPassword 0x1e9e56:$a2: get_encryptedUsername 0x1e98ec:$a3: get_timePasswordChanged 0x1e9a0d:$a4: get_passwordField 0x1e9b53:$a5: set_encryptedPassword 0x1eb458:$a7: get_logins 0x1eb109:$a8: GetOutlookPasswords 0x1eaefb:$a9: StartKeylogger 0x1eb3a8:$a10: KeyLoggerEventArgs 0x1eaf58:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RegSvcs.exe PID: 7116	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 7116	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 7116	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 7116	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xb33c:$a1: get_encryptedPassword 0xb655:$a2: get_encryptedUsername 0xb0eb:$a3: get_timePasswordChanged 0xb20c:$a4: get_passwordField 0xb352:$a5: set_encryptedPassword 0xcc57:$a7: get_logins 0xc908:$a8: GetOutlookPasswords 0xc6fa:$a9: StartKeylogger 0xcba7:$a10: KeyLoggerEventArgs 0xc757:$a11: KeyLoggerEventArgsEventHandler
Click to see the 13 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.H75MnQEha8.exe.1810000.1.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
1.2.H75MnQEha8.exe.1810000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.H75MnQEha8.exe.1810000.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.H75MnQEha8.exe.1810000.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf0d7:$a1: get_encryptedPassword 0xf3ff:$a2: get_encryptedUsername 0xee72:$a3: get_timePasswordChanged 0xef93:$a4: get_passwordField 0xf0ed:$a5: set_encryptedPassword 0x10a4b:$a7: get_logins 0x106fc:$a8: GetOutlookPasswords 0x104ee:$a9: StartKeylogger 0x1099b:$a10: KeyLoggerEventArgs 0x1054b:$a11: KeyLoggerEventArgsEventHandler
1.2.H75MnQEha8.exe.1810000.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1408d:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1358b:$a3: \Google\Chrome\User Data\Default\Login Data 0x13899:$a4: \Orbitum\User Data\Default\Login Data 0x14691:$a5: \Kometa\User Data\Default\Login Data
7.2.RegSvcs.exe.600000.0.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
7.2.RegSvcs.exe.600000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
7.2.RegSvcs.exe.600000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
7.2.RegSvcs.exe.600000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf0d7:$a1: get_encryptedPassword 0xf3ff:$a2: get_encryptedUsername 0xee72:$a3: get_timePasswordChanged 0xef93:$a4: get_passwordField 0xf0ed:$a5: set_encryptedPassword 0x10a4b:$a7: get_logins 0x106fc:$a8: GetOutlookPasswords 0x104ee:$a9: StartKeylogger 0x1099b:$a10: KeyLoggerEventArgs 0x1054b:$a11: KeyLoggerEventArgsEventHandler
7.2.RegSvcs.exe.600000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1408d:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1358b:$a3: \Google\Chrome\User Data\Default\Login Data 0x13899:$a4: \Orbitum\User Data\Default\Login Data 0x14691:$a5: \Kometa\User Data\Default\Login Data
1.2.H75MnQEha8.exe.1810000.1.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
1.2.H75MnQEha8.exe.1810000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.H75MnQEha8.exe.1810000.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
1.2.H75MnQEha8.exe.1810000.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd2d7:$a1: get_encryptedPassword 0xd5ff:$a2: get_encryptedUsername 0xd072:$a3: get_timePasswordChanged 0xd193:$a4: get_passwordField 0xd2ed:$a5: set_encryptedPassword 0xec4b:$a7: get_logins 0xe8fc:$a8: GetOutlookPasswords 0xe6ee:$a9: StartKeylogger 0xeb9b:$a10: KeyLoggerEventArgs 0xe74b:$a11: KeyLoggerEventArgsEventHandler
1.2.H75MnQEha8.exe.1810000.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1228d:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1178b:$a3: \Google\Chrome\User Data\Default\Login Data 0x11a99:$a4: \Orbitum\User Data\Default\Login Data 0x12891:$a5: \Kometa\User Data\Default\Login Data
Click to see the 10 entries

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T23:59:32.730263+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49700	132.226.8.169	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000007.00000002.2524827918.0000000002541000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: MassLogger {"EXfil Mode": "Telegram", "Telegram Token": "7294636257:AAGgJH_GmdGy0-9xaFS4mMSkGg2m4Qa6M6c", "Telegram Chatid": "1545867115"}

Multi AV Scanner detection for submitted file

Source: H75MnQEha8.exe	ReversingLabs: Detection: 68%
Source: H75MnQEha8.exe	Virustotal: Detection: 72%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: H75MnQEha8.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: H75MnQEha8.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.7:49701 version: TLS 1.0

Source:	Binary string: wntdll.pdbUGP source: H75MnQEha8.exe, 00000001.00000003.1284127001.00000000040D0000.00000004.00001000.00020000.00000000.sdmp, H75MnQEha8.exe, 00000001.00000003.1279561358.0000000004270000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: H75MnQEha8.exe, 00000001.00000003.1284127001.00000000040D0000.00000004.00001000.00020000.00000000.sdmp, H75MnQEha8.exe, 00000001.00000003.1279561358.0000000004270000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\H75MnQEha8.exe	Code function: 1_2_0028445A GetFileAttributesW,FindFirstFileW,FindClose,	1_2_0028445A
Source: C:\Users\user\Desktop\H75MnQEha8.exe	Code function: 1_2_0028C6D1 FindFirstFileW,FindClose,	1_2_0028C6D1
Source: C:\Users\user\Desktop\H75MnQEha8.exe	Code function: 1_2_0028C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	1_2_0028C75C
Source: C:\Users\user\Desktop\H75MnQEha8.exe	Code function: 1_2_0028EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_0028EF95
Source: C:\Users\user\Desktop\H75MnQEha8.exe	Code function: 1_2_0028F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_0028F0F2
Source: C:\Users\user\Desktop\H75MnQEha8.exe	Code function: 1_2_0028F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	1_2_0028F3F3
Source: C:\Users\user\Desktop\H75MnQEha8.exe	Code function: 1_2_002837EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_002837EF
Source: C:\Users\user\Desktop\H75MnQEha8.exe	Code function: 1_2_00283B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_00283B12
Source: C:\Users\user\Desktop\H75MnQEha8.exe	Code function: 1_2_0028BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	1_2_0028BCBC

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 008A9731h	7_2_008A9480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 008A9E5Ah	7_2_008A9A30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 008A9E5Ah	7_2_008A9D87
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 050762B5h	7_2_050760D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05076C3Fh	7_2_050760D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05073840h	7_2_05073598
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 050718A0h	7_2_050715F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 050726E0h	7_2_05072438
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05070740h	7_2_05070498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 050749A0h	7_2_050746F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov esp, ebp	7_2_05079120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 050733E8h	7_2_05073140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05071448h	7_2_050711A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	7_2_050751D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 050702E8h	7_2_05070040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05074548h	7_2_050742A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05070FF0h	7_2_05070D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05072F90h	7_2_05072CE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 050740F0h	7_2_05073E48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05072152h	7_2_05071EA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05073C98h	7_2_050739F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05072B38h	7_2_05072890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05070B98h	7_2_050708F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05074DF8h	7_2_05074B50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05071CF8h	7_2_05071A50

Source: global traffic

HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 132.226.8.169 132.226.8.169
Source: Joe Sandbox View	IP Address: 104.21.112.1 104.21.112.1

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic

Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49700 -> 132.226.8.169:80

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown

HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.7:49701 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\H75MnQEha8.exe

Code function: 1_2_002922EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

1_2_002922EE

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: RegSvcs.exe, 00000007.00000002.2524827918.00000000025C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: RegSvcs.exe, 00000007.00000002.2524827918.00000000025C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.comd
Source: RegSvcs.exe, 00000007.00000002.2524827918.00000000025C0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2524827918.00000000025AE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000007.00000002.2524827918.0000000002541000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: RegSvcs.exe, 00000007.00000002.2524827918.00000000025C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/d
Source: H75MnQEha8.exe, 00000001.00000002.1289041266.0000000001810000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2523457522.0000000000602000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000007.00000002.2524827918.00000000025C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgd
Source: RegSvcs.exe, 00000007.00000002.2524827918.00000000025DD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: RegSvcs.exe, 00000007.00000002.2524827918.00000000025DD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.orgd
Source: RegSvcs.exe, 00000007.00000002.2524827918.0000000002541000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: H75MnQEha8.exe, 00000001.00000002.1289041266.0000000001810000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2523457522.0000000000602000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: RegSvcs.exe, 00000007.00000002.2524827918.00000000025C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: H75MnQEha8.exe, 00000001.00000002.1289041266.0000000001810000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2524827918.00000000025C0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2523457522.0000000000602000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000007.00000002.2524827918.00000000025C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189d
Source: RegSvcs.exe, 00000007.00000002.2524827918.00000000025C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l

Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Source: C:\Users\user\Desktop\H75MnQEha8.exe

Code function: 1_2_00294164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

1_2_00294164

Source: C:\Users\user\Desktop\H75MnQEha8.exe

Code function: 1_2_00294164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

1_2_00294164

Source: C:\Users\user\Desktop\H75MnQEha8.exe

Code function: 1_2_00293F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

1_2_00293F66

Source: C:\Users\user\Desktop\H75MnQEha8.exe

Code function: 1_2_0028001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

1_2_0028001C

Source: C:\Users\user\Desktop\H75MnQEha8.exe

Code function: 1_2_002ACABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

1_2_002ACABC

System Summary

Malicious sample detected (through community Yara rule)

Source: 1.2.H75MnQEha8.exe.1810000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.H75MnQEha8.exe.1810000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 7.2.RegSvcs.exe.600000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 7.2.RegSvcs.exe.600000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 1.2.H75MnQEha8.exe.1810000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.H75MnQEha8.exe.1810000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000007.00000002.2523457522.0000000000602000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000001.00000002.1289041266.0000000001810000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000001.00000002.1289041266.0000000001810000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: Process Memory Space: H75MnQEha8.exe PID: 5832, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 7116, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\H75MnQEha8.exe	Code function: This is a third-party compiled AutoIt script.	1_2_00223B3A
Source: H75MnQEha8.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: H75MnQEha8.exe, 00000001.00000000.1265510028.00000000002D4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_2e68f952-a
Source: H75MnQEha8.exe, 00000001.00000000.1265510028.00000000002D4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_cf8d8078-5
Source: H75MnQEha8.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_5f9cd335-e
Source: H75MnQEha8.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_1765843e-f

Source: C:\Users\user\Desktop\H75MnQEha8.exe

Code function: 1_2_0028A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

1_2_0028A1EF

Source: C:\Users\user\Desktop\H75MnQEha8.exe

Code function: 1_2_00278310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

1_2_00278310

Source: C:\Users\user\Desktop\H75MnQEha8.exe

Code function: 1_2_002851BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

1_2_002851BD

Source: C:\Users\user\Desktop\H75MnQEha8.exe	Code function: 1_2_0024D975	1_2_0024D975
Source: C:\Users\user\Desktop\H75MnQEha8.exe	Code function: 1_2_002421C5	1_2_002421C5
Source: C:\Users\user\Desktop\H75MnQEha8.exe	Code function: 1_2_002562D2	1_2_002562D2
Source: C:\Users\user\Desktop\H75MnQEha8.exe	Code function: 1_2_002A03DA	1_2_002A03DA
Source: C:\Users\user\Desktop\H75MnQEha8.exe	Code function: 1_2_0025242E	1_2_0025242E
Source: C:\Users\user\Desktop\H75MnQEha8.exe	Code function: 1_2_002425FA	1_2_002425FA
Source: C:\Users\user\Desktop\H75MnQEha8.exe	Code function: 1_2_0027E616	1_2_0027E616
Source: C:\Users\user\Desktop\H75MnQEha8.exe	Code function: 1_2_0022E6A0	1_2_0022E6A0
Source: C:\Users\user\Desktop\H75MnQEha8.exe	Code function: 1_2_002366E1	1_2_002366E1
Source: C:\Users\user\Desktop\H75MnQEha8.exe	Code function: 1_2_0025878F	1_2_0025878F
Source: C:\Users\user\Desktop\H75MnQEha8.exe	Code function: 1_2_00238808	1_2_00238808
Source: C:\Users\user\Desktop\H75MnQEha8.exe	Code function: 1_2_00256844	1_2_00256844
Source: C:\Users\user\Desktop\H75MnQEha8.exe	Code function: 1_2_002A0857	1_2_002A0857
Source: C:\Users\user\Desktop\H75MnQEha8.exe	Code function: 1_2_00288889	1_2_00288889
Source: C:\Users\user\Desktop\H75MnQEha8.exe	Code function: 1_2_0024CB21	1_2_0024CB21
Source: C:\Users\user\Desktop\H75MnQEha8.exe	Code function: 1_2_00256DB6	1_2_00256DB6
Source: C:\Users\user\Desktop\H75MnQEha8.exe	Code function: 1_2_00236F9E	1_2_00236F9E
Source: C:\Users\user\Desktop\H75MnQEha8.exe	Code function: 1_2_00233030	1_2_00233030
Source: C:\Users\user\Desktop\H75MnQEha8.exe	Code function: 1_2_00243187	1_2_00243187
Source: C:\Users\user\Desktop\H75MnQEha8.exe	Code function: 1_2_0024F1D9	1_2_0024F1D9
Source: C:\Users\user\Desktop\H75MnQEha8.exe	Code function: 1_2_00221287	1_2_00221287
Source: C:\Users\user\Desktop\H75MnQEha8.exe	Code function: 1_2_00241484	1_2_00241484
Source: C:\Users\user\Desktop\H75MnQEha8.exe	Code function: 1_2_00235520	1_2_00235520
Source: C:\Users\user\Desktop\H75MnQEha8.exe	Code function: 1_2_00247696	1_2_00247696
Source: C:\Users\user\Desktop\H75MnQEha8.exe	Code function: 1_2_00235760	1_2_00235760
Source: C:\Users\user\Desktop\H75MnQEha8.exe	Code function: 1_2_00241978	1_2_00241978
Source: C:\Users\user\Desktop\H75MnQEha8.exe	Code function: 1_2_00259AB5	1_2_00259AB5
Source: C:\Users\user\Desktop\H75MnQEha8.exe	Code function: 1_2_0022FCE0	1_2_0022FCE0
Source: C:\Users\user\Desktop\H75MnQEha8.exe	Code function: 1_2_0024BDA6	1_2_0024BDA6
Source: C:\Users\user\Desktop\H75MnQEha8.exe	Code function: 1_2_00241D90	1_2_00241D90
Source: C:\Users\user\Desktop\H75MnQEha8.exe	Code function: 1_2_002A7DDB	1_2_002A7DDB
Source: C:\Users\user\Desktop\H75MnQEha8.exe	Code function: 1_2_0022DF00	1_2_0022DF00
Source: C:\Users\user\Desktop\H75MnQEha8.exe	Code function: 1_2_00233FE0	1_2_00233FE0
Source: C:\Users\user\Desktop\H75MnQEha8.exe	Code function: 1_2_01885B28	1_2_01885B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_008AC530	7_2_008AC530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_008A27B9	7_2_008A27B9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_008A2DD1	7_2_008A2DD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_008A9480	7_2_008A9480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_008AC521	7_2_008AC521
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_008A946F	7_2_008A946F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05078030	7_2_05078030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_050760D8	7_2_050760D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05077390	7_2_05077390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05076D48	7_2_05076D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_050779E0	7_2_050779E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05073598	7_2_05073598
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_050715E8	7_2_050715E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_050715F8	7_2_050715F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05072427	7_2_05072427
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05072438	7_2_05072438
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05070488	7_2_05070488
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05070498	7_2_05070498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0507869F	7_2_0507869F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_050786B0	7_2_050786B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_050746E9	7_2_050746E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_050746F8	7_2_050746F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05073132	7_2_05073132
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05073140	7_2_05073140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05071190	7_2_05071190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_050711A0	7_2_050711A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_050751D8	7_2_050751D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05070006	7_2_05070006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0507802A	7_2_0507802A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05070040	7_2_05070040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_050760C9	7_2_050760C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05077380	7_2_05077380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05074290	7_2_05074290
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_050742A0	7_2_050742A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05076D37	7_2_05076D37
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05070D39	7_2_05070D39
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05070D48	7_2_05070D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05072CDA	7_2_05072CDA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05072CE8	7_2_05072CE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05073E38	7_2_05073E38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05073E48	7_2_05073E48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05071E9A	7_2_05071E9A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05071EA8	7_2_05071EA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_050779D0	7_2_050779D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_050739E1	7_2_050739E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_050739F0	7_2_050739F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05072880	7_2_05072880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05072890	7_2_05072890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_050708E1	7_2_050708E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_050708F0	7_2_050708F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05074B40	7_2_05074B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05074B50	7_2_05074B50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05071A40	7_2_05071A40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_05071A50	7_2_05071A50

Source: C:\Users\user\Desktop\H75MnQEha8.exe	Code function: String function: 00240AE3 appears 70 times
Source: C:\Users\user\Desktop\H75MnQEha8.exe	Code function: String function: 00248900 appears 42 times
Source: C:\Users\user\Desktop\H75MnQEha8.exe	Code function: String function: 00227DE1 appears 35 times

Source: H75MnQEha8.exe, 00000001.00000003.1282227240.00000000041F3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs H75MnQEha8.exe
Source: H75MnQEha8.exe, 00000001.00000003.1283011716.000000000439D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs H75MnQEha8.exe
Source: H75MnQEha8.exe, 00000001.00000002.1289041266.0000000001810000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs H75MnQEha8.exe

Source: H75MnQEha8.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 1.2.H75MnQEha8.exe.1810000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.H75MnQEha8.exe.1810000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.RegSvcs.exe.600000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 7.2.RegSvcs.exe.600000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.H75MnQEha8.exe.1810000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.H75MnQEha8.exe.1810000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000007.00000002.2523457522.0000000000602000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000001.00000002.1289041266.0000000001810000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000001.00000002.1289041266.0000000001810000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: H75MnQEha8.exe PID: 5832, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 7116, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/4@2/2

Source: C:\Users\user\Desktop\H75MnQEha8.exe

Code function: 1_2_0028A06A GetLastError,FormatMessageW,

1_2_0028A06A

Source: C:\Users\user\Desktop\H75MnQEha8.exe	Code function: 1_2_002781CB AdjustTokenPrivileges,CloseHandle,		1_2_002781CB
Source: C:\Users\user\Desktop\H75MnQEha8.exe	Code function: 1_2_002787E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		1_2_002787E1

Source: C:\Users\user\Desktop\H75MnQEha8.exe

Code function: 1_2_0028B333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

1_2_0028B333

Source: C:\Users\user\Desktop\H75MnQEha8.exe

Code function: 1_2_0029EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

1_2_0029EE0D

Source: C:\Users\user\Desktop\H75MnQEha8.exe

Code function: 1_2_002983BB CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

1_2_002983BB

Source: C:\Users\user\Desktop\H75MnQEha8.exe

Code function: 1_2_00224E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

1_2_00224E89

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\H75MnQEha8.exe

File created: C:\Users\user~1\AppData\Local\Temp\autDE2.tmp

Jump to behavior

Source: H75MnQEha8.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\H75MnQEha8.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegSvcs.exe, 00000007.00000002.2524827918.000000000265F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2524827918.0000000002630000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2525302689.000000000356D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2524827918.0000000002653000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2524827918.0000000002620000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2524827918.000000000263E000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: H75MnQEha8.exe	ReversingLabs: Detection: 68%
Source: H75MnQEha8.exe	Virustotal: Detection: 72%

Source: unknown	Process created: C:\Users\user\Desktop\H75MnQEha8.exe "C:\Users\user\Desktop\H75MnQEha8.exe"
Source: C:\Users\user\Desktop\H75MnQEha8.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\H75MnQEha8.exe"
Source: C:\Users\user\Desktop\H75MnQEha8.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\H75MnQEha8.exe"	Jump to behavior

Source: C:\Users\user\Desktop\H75MnQEha8.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\H75MnQEha8.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\H75MnQEha8.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\H75MnQEha8.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\H75MnQEha8.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\H75MnQEha8.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\H75MnQEha8.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\H75MnQEha8.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\H75MnQEha8.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\H75MnQEha8.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\H75MnQEha8.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: H75MnQEha8.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: H75MnQEha8.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: H75MnQEha8.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: H75MnQEha8.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: H75MnQEha8.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: H75MnQEha8.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: H75MnQEha8.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: H75MnQEha8.exe, 00000001.00000003.1284127001.00000000040D0000.00000004.00001000.00020000.00000000.sdmp, H75MnQEha8.exe, 00000001.00000003.1279561358.0000000004270000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: H75MnQEha8.exe, 00000001.00000003.1284127001.00000000040D0000.00000004.00001000.00020000.00000000.sdmp, H75MnQEha8.exe, 00000001.00000003.1279561358.0000000004270000.00000004.00001000.00020000.00000000.sdmp

Source: H75MnQEha8.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: H75MnQEha8.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: H75MnQEha8.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: H75MnQEha8.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: H75MnQEha8.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\H75MnQEha8.exe

Code function: 1_2_00224B37 LoadLibraryA,GetProcAddress,

1_2_00224B37

Source: C:\Users\user\Desktop\H75MnQEha8.exe	Code function: 1_2_0022C508 push A30022BAh; retn 0022h	1_2_0022C50D
Source: C:\Users\user\Desktop\H75MnQEha8.exe	Code function: 1_2_00248945 push ecx; ret	1_2_00248958
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 7_2_0507BCDF push esp; retf	7_2_0507BD19

Source: C:\Users\user\Desktop\H75MnQEha8.exe	Code function: 1_2_002248D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		1_2_002248D7
Source: C:\Users\user\Desktop\H75MnQEha8.exe	Code function: 1_2_002A5376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		1_2_002A5376

Source: C:\Users\user\Desktop\H75MnQEha8.exe

Code function: 1_2_00243187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_00243187

Source: C:\Users\user\Desktop\H75MnQEha8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\H75MnQEha8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\H75MnQEha8.exe

API/Special instruction interceptor: Address: 188574C

Source: C:\Users\user\Desktop\H75MnQEha8.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_1-102326

Source: C:\Users\user\Desktop\H75MnQEha8.exe

API coverage: 4.7 %

Source: C:\Users\user\Desktop\H75MnQEha8.exe	Code function: 1_2_0028445A GetFileAttributesW,FindFirstFileW,FindClose,	1_2_0028445A
Source: C:\Users\user\Desktop\H75MnQEha8.exe	Code function: 1_2_0028C6D1 FindFirstFileW,FindClose,	1_2_0028C6D1
Source: C:\Users\user\Desktop\H75MnQEha8.exe	Code function: 1_2_0028C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	1_2_0028C75C
Source: C:\Users\user\Desktop\H75MnQEha8.exe	Code function: 1_2_0028EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_0028EF95
Source: C:\Users\user\Desktop\H75MnQEha8.exe	Code function: 1_2_0028F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_0028F0F2
Source: C:\Users\user\Desktop\H75MnQEha8.exe	Code function: 1_2_0028F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	1_2_0028F3F3
Source: C:\Users\user\Desktop\H75MnQEha8.exe	Code function: 1_2_002837EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_002837EF
Source: C:\Users\user\Desktop\H75MnQEha8.exe	Code function: 1_2_00283B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_00283B12
Source: C:\Users\user\Desktop\H75MnQEha8.exe	Code function: 1_2_0028BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	1_2_0028BCBC

Source: C:\Users\user\Desktop\H75MnQEha8.exe

Code function: 1_2_002249A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

1_2_002249A0

Source: RegSvcs.exe, 00000007.00000002.2524597495.00000000009D4000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\H75MnQEha8.exe	API call chain: ExitProcess graph end node			graph_1-101161
Source: C:\Users\user\Desktop\H75MnQEha8.exe	API call chain: ExitProcess graph end node			graph_1-101380

Source: C:\Users\user\Desktop\H75MnQEha8.exe

Code function: 1_2_00293F09 BlockInput,

1_2_00293F09

Source: C:\Users\user\Desktop\H75MnQEha8.exe

Code function: 1_2_00223B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

1_2_00223B3A

Source: C:\Users\user\Desktop\H75MnQEha8.exe

Code function: 1_2_00255A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

1_2_00255A7C

Source: C:\Users\user\Desktop\H75MnQEha8.exe

Code function: 1_2_00224B37 LoadLibraryA,GetProcAddress,

1_2_00224B37

Source: C:\Users\user\Desktop\H75MnQEha8.exe	Code function: 1_2_01884368 mov eax, dword ptr fs:[00000030h]	1_2_01884368
Source: C:\Users\user\Desktop\H75MnQEha8.exe	Code function: 1_2_018859B8 mov eax, dword ptr fs:[00000030h]	1_2_018859B8
Source: C:\Users\user\Desktop\H75MnQEha8.exe	Code function: 1_2_01885A18 mov eax, dword ptr fs:[00000030h]	1_2_01885A18

Source: C:\Users\user\Desktop\H75MnQEha8.exe

Code function: 1_2_002780A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,

1_2_002780A9

Source: C:\Users\user\Desktop\H75MnQEha8.exe	Code function: 1_2_0024A124 SetUnhandledExceptionFilter,		1_2_0024A124
Source: C:\Users\user\Desktop\H75MnQEha8.exe	Code function: 1_2_0024A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		1_2_0024A155

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\H75MnQEha8.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\H75MnQEha8.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 4E2008

Jump to behavior

Source: C:\Users\user\Desktop\H75MnQEha8.exe

Code function: 1_2_002787B1 LogonUserW,

1_2_002787B1

Source: C:\Users\user\Desktop\H75MnQEha8.exe

Code function: 1_2_00223B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

1_2_00223B3A

Source: C:\Users\user\Desktop\H75MnQEha8.exe

Code function: 1_2_002248D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

1_2_002248D7

Source: C:\Users\user\Desktop\H75MnQEha8.exe

Code function: 1_2_00284C27 mouse_event,

1_2_00284C27

Source: C:\Users\user\Desktop\H75MnQEha8.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\H75MnQEha8.exe"

Jump to behavior

Source: C:\Users\user\Desktop\H75MnQEha8.exe

Code function: 1_2_00277CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

1_2_00277CAF

Source: C:\Users\user\Desktop\H75MnQEha8.exe

Code function: 1_2_0027874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

1_2_0027874B

Source: H75MnQEha8.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: H75MnQEha8.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\H75MnQEha8.exe

Code function: 1_2_0024862B cpuid

1_2_0024862B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\H75MnQEha8.exe

Code function: 1_2_00254E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

1_2_00254E87

Source: C:\Users\user\Desktop\H75MnQEha8.exe

Code function: 1_2_00261E06 GetUserNameW,

1_2_00261E06

Source: C:\Users\user\Desktop\H75MnQEha8.exe

Code function: 1_2_00253F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

1_2_00253F3A

Source: C:\Users\user\Desktop\H75MnQEha8.exe

Code function: 1_2_002249A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

1_2_002249A0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected MassLogger RAT

Source: Yara match	File source: 1.2.H75MnQEha8.exe.1810000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.H75MnQEha8.exe.1810000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2523457522.0000000000602000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1289041266.0000000001810000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: H75MnQEha8.exe PID: 5832, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7116, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 1.2.H75MnQEha8.exe.1810000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.H75MnQEha8.exe.1810000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2523457522.0000000000602000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1289041266.0000000001810000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: H75MnQEha8.exe PID: 5832, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7116, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: H75MnQEha8.exe	Binary or memory string: WIN_81
Source: H75MnQEha8.exe	Binary or memory string: WIN_XP
Source: H75MnQEha8.exe	Binary or memory string: WIN_XPe
Source: H75MnQEha8.exe	Binary or memory string: WIN_VISTA
Source: H75MnQEha8.exe	Binary or memory string: WIN_7
Source: H75MnQEha8.exe	Binary or memory string: WIN_8
Source: H75MnQEha8.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match	File source: 1.2.H75MnQEha8.exe.1810000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.H75MnQEha8.exe.1810000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2523457522.0000000000602000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1289041266.0000000001810000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2524827918.0000000002696000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: H75MnQEha8.exe PID: 5832, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7116, type: MEMORYSTR

Remote Access Functionality

Yara detected MassLogger RAT

Source: Yara match	File source: 1.2.H75MnQEha8.exe.1810000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.H75MnQEha8.exe.1810000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2523457522.0000000000602000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1289041266.0000000001810000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: H75MnQEha8.exe PID: 5832, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7116, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 1.2.H75MnQEha8.exe.1810000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegSvcs.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.H75MnQEha8.exe.1810000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2523457522.0000000000602000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1289041266.0000000001810000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: H75MnQEha8.exe PID: 5832, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7116, type: MEMORYSTR

Source: C:\Users\user\Desktop\H75MnQEha8.exe	Code function: 1_2_00296283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		1_2_00296283
Source: C:\Users\user\Desktop\H75MnQEha8.exe	Code function: 1_2_00296747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		1_2_00296747

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	2 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	3 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	127 System Information Discovery	Distributed Component Object Model	21 Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	2 Valid Accounts	LSA Secrets	131 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	21 Access Token Manipulation	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	212 Process Injection	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Network Configuration Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
H75MnQEha8.exe	68%	ReversingLabs	Win32.Trojan.AutoitInject
H75MnQEha8.exe	72%	Virustotal		Browse
H75MnQEha8.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.112.1	true	false	high
checkip.dyndns.com	132.226.8.169	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false		high
https://reallyfreegeoip.org/xml/8.46.123.189	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189l	RegSvcs.exe, 00000007.00000002.2524827918.00000000025C0000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.comd	RegSvcs.exe, 00000007.00000002.2524827918.00000000025C0000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/q	H75MnQEha8.exe, 00000001.00000002.1289041266.0000000001810000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2523457522.0000000000602000.00000040.80000000.00040000.00000000.sdmp	false	high
http://reallyfreegeoip.orgd	RegSvcs.exe, 00000007.00000002.2524827918.00000000025DD000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189d	RegSvcs.exe, 00000007.00000002.2524827918.00000000025C0000.00000004.00000800.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.org	RegSvcs.exe, 00000007.00000002.2524827918.00000000025DD000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.orgd	RegSvcs.exe, 00000007.00000002.2524827918.00000000025C0000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org	RegSvcs.exe, 00000007.00000002.2524827918.00000000025C0000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	RegSvcs.exe, 00000007.00000002.2524827918.00000000025C0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2524827918.00000000025AE000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.com	RegSvcs.exe, 00000007.00000002.2524827918.00000000025C0000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/d	RegSvcs.exe, 00000007.00000002.2524827918.00000000025C0000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000007.00000002.2524827918.0000000002541000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot-/sendDocument?chat_id=	H75MnQEha8.exe, 00000001.00000002.1289041266.0000000001810000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2523457522.0000000000602000.00000040.80000000.00040000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	H75MnQEha8.exe, 00000001.00000002.1289041266.0000000001810000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2524827918.00000000025C0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2523457522.0000000000602000.00000040.80000000.00040000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
132.226.8.169	checkip.dyndns.com	United States		16989	UTMEMUS	false
104.21.112.1	reallyfreegeoip.org	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588323
Start date and time:	2025-01-10 23:58:33 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 3s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	H75MnQEha8.exe renamed because original name is a hash value
Original Sample Name:	cc1bc30840dba38a500b470843d0b4b4921dad024861dd8fd10e445b77f23ea6.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/4@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 56 Number of non-executed functions: 278
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 172.202.163.200
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
132.226.8.169	7b4Iaf58Rp.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	b5BQbAhwVD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	UF7jzc7ETP.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	V7OHj6ISEo.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	FylY1FW6fl.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	v4nrZtP7K2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	ppISxhDcpF.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	CvzLvta2bG.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	xom6WSISuh.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	3WgNXsWvMO.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
104.21.112.1	9MZZG92yMO.exe	Get hash	malicious	FormBook	Browse	www.buyspeechst.shop/qzi3/
	QUOTATION#070125-ELITE MARINE .exe	Get hash	malicious	FormBook	Browse	www.buyspeechst.shop/w98i/
	wxl1r0lntg.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	838596cm.nyafka.top/lineLongpolllinuxFlowercentraluploads.php
	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	beammp.com/phpmyadmin/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	3i1gMM8K4z.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.16.1
	2NJzy3tiny.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1
	z87sammylastborn.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	vnV17JImCH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	czHx16QwGQ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.112.1
	Ddj3E3qerh.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.96.1
	6cicUo3f8g.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.32.1
	PK5pHX4Gu5.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.64.1
	7b4Iaf58Rp.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.80.1
	C5JLkBS1CX.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
checkip.dyndns.com	WGi85dsMNp.exe	Get hash	malicious	GuLoader	Browse	158.101.44.242
	3i1gMM8K4z.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	2NJzy3tiny.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	z87sammylastborn.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	vnV17JImCH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	czHx16QwGQ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.6.168
	Ddj3E3qerh.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	6cicUo3f8g.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	PK5pHX4Gu5.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	7b4Iaf58Rp.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.8.169

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
UTMEMUS	z87sammylastborn.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	Ddj3E3qerh.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	6cicUo3f8g.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	7b4Iaf58Rp.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.8.169
	rXKfKM0T49.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.247.73
	4Vx2rUlb0f.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.247.73
	b5BQbAhwVD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.8.169
	UF7jzc7ETP.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	9Yn5tjyOgT.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.247.73
	6ZoBPR3isG.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	132.226.247.73
CLOUDFLARENETUS	cOH7jKmo25.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	104.16.184.241
	3i1gMM8K4z.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.16.1
	2NJzy3tiny.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1
	z87sammylastborn.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	vnV17JImCH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.80.1
	Setup.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	xJZHVgxQul.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	czHx16QwGQ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.112.1
	Ddj3E3qerh.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.96.1
	Setup.exe	Get hash	malicious	Unknown	Browse	104.21.80.1

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	3i1gMM8K4z.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	2NJzy3tiny.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.112.1
	z87sammylastborn.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.112.1
	vnV17JImCH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	czHx16QwGQ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.112.1
	Ddj3E3qerh.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	6cicUo3f8g.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	PK5pHX4Gu5.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.112.1
	7b4Iaf58Rp.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.112.1
	C5JLkBS1CX.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.112.1

Process:	C:\Users\user\Desktop\H75MnQEha8.exe
File Type:	data
Category:	dropped
Size (bytes):	67342
Entropy (8bit):	7.905532232291793
Encrypted:	false
SSDEEP:	1536:V9SegyYEEu14OtrkPqA4qUwy+/ogKVxzZqesIV+u4Iy:fYhu14qAyA4UyNgK3zZqesIV6r
MD5:	C2E201A8C521FB8D6D02C3E39CB9B1F1
SHA1:	9736FF240C199E43C53762E205C859B36F0F372F
SHA-256:	97D95FEC619E28DA6186AC551922789548E94A698FBEC2F81E7145DDA18A695D
SHA-512:	DA5DA4194D2B646DF2C015E3F86D7CAF4B1C0F4EA7D4B6EBA651276A5059AC2A2CB06742EE3953B591FC2A0708195C10CD98CCA8737516858DAF85B106353476
Malicious:	false
Reputation:	low
Preview:	EA06..l..D4.Zm".9.UfSM^..M.L(u.Zc8.T.t....4L......M...f..5....Z..(tl%+?y.L.....E\.[..z.^OS..$3....7.N.q.T.ys...<.3].U.7.}^.b.N.R/S.^f..F..x..4kGR.U.S..J.(.Mi...,Z.U.m. .h}...DN.5..A...Vl.i.(..@..(...j..F.T.U.0..C.Md.....hw.G.......9.T.:.o.>.Y.........:....1D.F..;z.O. ..96...@..^....'z#8.L...5.Z.h.N^ .Bl.4L..._..iT.]'.:.cX.O@..P.&g.0...P..[\|v>.d....i.....M$...6..h@.....=S.c@.? ..v.\|.+...[...Mj.....8.4........B..hX......`.N)`.....'....D.h]...... .4)....r.Q......3.YU:..?...'3...kT.W..I....Lg....5..`[..-4.R;T.4.!..3.%^.J.....MS.M)...6.:..t.9..I..&.{5.9.Uc...IX.L(t...c:.V.....9.T.Wj...9..(u..p...Si..:._..r..R.q.."S.5b.5../....kN._.1..2D.8Y.....V..-.+.2?W.N..Y..c[..T.v^.R._.3.%R.`..f.`.b.]..4..d.z....K...5..^y.:.2.T-...aC.\...M..W.L..EN.........F.Z.5...qn.T.V.:.U...).R...<oQ`.........e...A.h..X.LbQ..F...UY..Q...+...j.R._,.4..J..l...ms.G3............x..h...V...G.T.."..UI...R.....,.@..&.m.>.F.Pj..].qD.Tf.`..Ql.4&.).0...(...R.[...u"...

C:\Users\user\AppData\Local\Temp\autE70.tmp

Download File

Process:	C:\Users\user\Desktop\H75MnQEha8.exe
File Type:	data
Category:	dropped
Size (bytes):	14638
Entropy (8bit):	7.633336692861168
Encrypted:	false
SSDEEP:	384:dTYznw6siKOPIyznfvWME9lMYIuIZ99Dea0Wp3isCLg:dAw6si7nfvWLbIZ9xeDZsCE
MD5:	35EC05A32DAD932EAE812EE83B1BAD23
SHA1:	EA8973D448FA04A1F624E9ACDA428B69C9094BC0
SHA-256:	6CDB290F9C4CC94636515D1DFD77E50E0B2E59E0DD9BD5E1706E95F90E4FB335
SHA-512:	403255F29CF4AA79550E7084164EF46E2CC7DC778E8CA483BDF89836F1D622955C35210B43059040D2893FE7571C725275023636D55B56CA57996164E94B5D5D
Malicious:	false
Reputation:	low
Preview:	EA06..0..Y&.y..+x..f....... .V......71...@.x..L........`......8............`.......Z\|3@...@.........K.X@0.2.Z..Z>)..w.e....l !..m..;...\| !.....;....;.....l.;.0./.<.;...m..rd.....@->.....4....f.C.5..;.............r.....X.<>`.O..p.........!.........h.=..........<\|3.....c...h.. -...... ...X.Z?......(...(.G..4.h....x....M@N.......Z?.I.......N@R... ...5.(..,.._...k`........R...._.K..?d...B.... 7W.......n.../.~.....)...@...!K....h\|!._....ga._.5.1.....`v/.......NA...,...7.7.,..!6.b...Z?.K(-...0.h..&.._....' -.............-..........G.6.....d_.T......"....d_.(M..57....n.....`...L....K.L..6.s.A.?..L.......Bg>...w.36.... !...L...}....\|V.4..r......$............r..9....>.....2... ...b....`......k.(.....!`....,......V1`..f....X.>i.v'.3c.........G.4....E.?......9..X.......7...l.`..."...\.61*........f.....\|.`.O.......,`........nl,....C.`....p...Y......`....@n?..;g....0...d...l ...P.?'....}...........0...4.X...>y.....1......x...L.\.i.....)...@n?............b...@.>y...

C:\Users\user\AppData\Local\Temp\electicism

Download File

Process:	C:\Users\user\Desktop\H75MnQEha8.exe
File Type:	data
Category:	dropped
Size (bytes):	93184
Entropy (8bit):	6.94624986240059
Encrypted:	false
SSDEEP:	1536:qkvbaq91W+UOU8xkkGpIuMXnYkJHs4QNTOazxa9cKTbYx8ws6V3BKVWd:fG+1/UzkGNqJTaz1K388wN3oV8
MD5:	9FD4490A992A4920ACE4C6F6D56DB19E
SHA1:	BD074895AB11554D6F351A8224984CFC58EC1C3F
SHA-256:	D971966B497DA958F23C0A3B0A0508C24CD78BDBA69064B93942D9173EDF3F16
SHA-512:	8B87DBB4FA87CA351914F36703710FA13BBA6CB39B9680027FCE37C1087959B6E020FD1ACF290FB6105563AAA16BF46FC7A433D525F3FF95C15D7CDC05F3D8E2
Malicious:	false
Reputation:	low
Preview:	...5MHU94U24..ZM.0CRXV18.RSJ55NHU90U24TBZMF0CRXV18DRSJ55NHU9.U24Z].CF.J.y.0t.s."\Fn8'VW'SYt!;#(_7r:3.J1<s#[.....]:VQzOWGb0CRXV18..SJy4MH.Wx.24TBZMF0.RZW:9.RS(45N@U90U24j.[MF.CRX.08DR.J5.NHU;0U64TBZMF0ERXV18DRS.45NJU90U24VB:.F0SRXF18DRCJ5%NHU90U"4TBZMF0CRXV.GER.J55N.T9.P24TBZMF0CRXV18DRSJ5.OHY90U24TBZMF0CRXV18DRSJ55NHU90U24TBZMF0CRXV18DRSJ55NHU.0U:4TBZMF0CRXV9.DR.J55NHU90U24z6?520CR.608DrSJ5WOHU;0U24TBZMF0CRXV.8D2}8FG-HU9.P24T.[MF6CRX208DRSJ55NHU90Ur4T.t?#\,1XV=8DRS.45NJU90?34TBZMF0CRXV18.RS.55NHU90U24TBZMF0c.YV18DR.J55LHP9L.24$.ZME0CR.V1>..SJ.5NHU90U24TBZMF0CRXV18DRSJ55NHU90U24TBZMF0CR.+.7..#F..HU90U25VA^KN8CRXV18DR-J55.HU9pU24cBZMc0CR5V18`RSJK5NH+90UV4TB(MF0"RXVv8DR<J55 HU9NU24J@rRF0Ix~V3.dRS@5..;t90_.5TB^>d0CX.T18@!pJ5?.KU94&.4TH.IF0G!}V12.WSJ1..HV.&S24O-bMF:CQ.C78DIyl57fqU9:U..TA.X@0CIrt1:.[SJ1..;H90S.vTBP9O0CP.\18@xMH.vNH_..+!4TFqMl.=FXV5.Dxq4 5NL~9.wL"TB^fF.a,OV1<oRyL.WN:.50%1[5BZKn.CRR~q8DTS`.50FU94W].TBPkl.Cz.V1>Dz.J53Nb.9Nf24Pn]3u0CVs@O.DRW.3MNHSJ.U2>q.iMF4k.XV;8n.Sbl5NNU.\|U22

C:\Users\user\AppData\Local\Temp\ultraradicalism

Download File

Process:	C:\Users\user\Desktop\H75MnQEha8.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	modified
Size (bytes):	143378
Entropy (8bit):	2.7943744560265937
Encrypted:	false
SSDEEP:	192:mNxyGyDZFuiaxIUUfMMVQc3GkcVoudfSq5+vLk4ksDWMA/qb35mwBgZiXsJahYVs:V
MD5:	F53B35C5CC8B307A543D501E3EAA2F15
SHA1:	DD07AEF58BE0463FC0C9118ACD5167EB175A3A54
SHA-256:	1FA9A6D4B51CDFDD5251299D5E02098EC63BC3F9164D10466FD6CEEAD93001D7
SHA-512:	54A6E40FCB9A0014D36B907A96068F9253C4ECBA24D0FC9C2E44CF8585000C5019E2346E7AFB443D5D8E56D529C45FC0D5586FAFF755F2FEC610D785B3C6DD57
Malicious:	false
Reputation:	low
Preview:	2d0w02d0wx2d0w52d0w52d0w82d0wb2d0we2d0wc2d0w82d0w12d0we2d0wc2d0wc2d0wc2d0w02d0w22d0w02d0w02d0w02d0w02d0w52d0w62d0w52d0w72d0wb2d0w82d0w62d0wb2d0w02d0w02d0w02d0w02d0w02d0w02d0w62d0w62d0w82d0w92d0w42d0w52d0w82d0w42d0wb2d0w92d0w62d0w52d0w02d0w02d0w02d0w02d0w02d0w02d0w62d0w62d0w82d0w92d0w42d0wd2d0w82d0w62d0wb2d0wa2d0w72d0w22d0w02d0w02d0w02d0w02d0w02d0w02d0w62d0w62d0w82d0w92d0w52d0w52d0w82d0w82d0wb2d0w82d0w62d0we2d0w02d0w02d0w02d0w02d0w02d0w02d0w62d0w62d0w82d0w92d0w42d0w52d0w82d0wa2d0wb2d0w92d0w62d0w52d0w02d0w02d0w02d0w02d0w02d0w02d0w62d0w62d0w82d0w92d0w42d0wd2d0w82d0wc2d0wb2d0wa2d0w62d0wc2d0w02d0w02d0w02d0w02d0w02d0w02d0w62d0w62d0w82d0w92d0w52d0w52d0w82d0we2d0wb2d0w82d0w32d0w32d0w02d0w02d0w02d0w02d0w02d0w02d0w62d0w62d0w82d0w92d0w42d0w52d0w92d0w02d0wb2d0w92d0w32d0w22d0w02d0w02d0w02d0w02d0w02d0w02d0w62d0w62d0w82d0w92d0w42d0wd2d0w92d0w22d0wb2d0wa2d0w22d0we2d0w02d0w02d0w02d0w02d0w02d0w02d0w62d0w62d0w82d0w92d0w52d0w52d0w92d0w42d0wb2d0w82d0w62d0w42d0w02d0w02d0w02d0w02d0w02d0w02d0w62d0w62d0w82d0w9

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.8350662488901675
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	H75MnQEha8.exe
File size:	959'488 bytes
MD5:	bf5080dcb84740587bfad2ff84979627
SHA1:	07d35a6a2d2a400b9244ee8188c5c830b2a246b3
SHA256:	cc1bc30840dba38a500b470843d0b4b4921dad024861dd8fd10e445b77f23ea6
SHA512:	f5eb37af15109cc4c0ee7f4ca5a3b01656dda3c7a76e9f32537136cf7901029526ca2842868d6711b99729c48b516f5de5029286dd1eb44adf44f58063d848d5
SSDEEP:	24576:Au6J33O0c+JY5UZ+XC0kGso6FaNAK6/EWY:qu0c++OCvkGs9FaNKY
TLSH:	7C15AD2273DDC360CB669173BF6AB7016EBF3C614630B85B2F980D7DA950162162D7A3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x427dcd
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x6756FB52 [Mon Dec 9 14:14:42 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007F067CDDE2DAh
jmp 00007F067CDD10A4h
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F067CDD122Ah
cmp edi, eax
jc 00007F067CDD158Eh
bt dword ptr [004C31FCh], 01h
jnc 00007F067CDD1229h
rep movsb
jmp 00007F067CDD153Ch
cmp ecx, 00000080h
jc 00007F067CDD13F4h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F067CDD1230h
bt dword ptr [004BE324h], 01h
jc 00007F067CDD1700h
bt dword ptr [004C31FCh], 00000000h
jnc 00007F067CDD13CDh
test edi, 00000003h
jne 00007F067CDD13DEh
test esi, 00000003h
jne 00007F067CDD13BDh
bt edi, 02h
jnc 00007F067CDD122Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F067CDD1233h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F067CDD1285h
bt esi, 03h
jnc 00007F067CDD12D8h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD4 build 31101
[RES] VS2013 build 21005
[LNK] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xba44c	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x21a9c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xe9000	0x711c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4870	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dcc4	0x8de00	d28a820a1d9ff26cda02d12b888ba4b4	False	0.5728679102422908	data	6.676118058520316	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2e10e	0x2e200	79b14b254506b0dbc8cd0ad67fb70ad9	False	0.33535526761517614	OpenPGP Public Key	5.76010872795207	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbe000	0x8f74	0x5200	9f9d6f746f1a415a63de45f8b7983d33	False	0.1017530487804878	data	1.198745897703538	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc7000	0x21a9c	0x21c00	6f12157fe38defab331dea9593c7bf28	False	0.8040075231481482	data	7.5488455219786665	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xe9000	0x711c	0x7200	6fcae3cbbf6bfbabf5ec5bbe7cf612c3	False	0.7650767543859649	data	6.779031650454199	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc75a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc76d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc77f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc7920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc7c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc7d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc8bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc9480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc99e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xcbf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xcd038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xcd4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xcd4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcda84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xce110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xce5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xceb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcf1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcf660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcf7b8	0x18d62	data			1.000403027622137
RT_GROUP_ICON	0xe851c	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xe8594	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xe85a8	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xe85bc	0x14	data	English	Great Britain	1.25
RT_VERSION	0xe85d0	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xe86ac	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-10T23:59:32.730263+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49700	132.226.8.169	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 23:59:31.565675974 CET	49700	80	192.168.2.7	132.226.8.169
Jan 10, 2025 23:59:31.570754051 CET	80	49700	132.226.8.169	192.168.2.7
Jan 10, 2025 23:59:31.570841074 CET	49700	80	192.168.2.7	132.226.8.169
Jan 10, 2025 23:59:31.571116924 CET	49700	80	192.168.2.7	132.226.8.169
Jan 10, 2025 23:59:31.577090979 CET	80	49700	132.226.8.169	192.168.2.7
Jan 10, 2025 23:59:32.402988911 CET	80	49700	132.226.8.169	192.168.2.7
Jan 10, 2025 23:59:32.407227039 CET	49700	80	192.168.2.7	132.226.8.169
Jan 10, 2025 23:59:32.412338972 CET	80	49700	132.226.8.169	192.168.2.7
Jan 10, 2025 23:59:32.683630943 CET	80	49700	132.226.8.169	192.168.2.7
Jan 10, 2025 23:59:32.693903923 CET	49701	443	192.168.2.7	104.21.112.1
Jan 10, 2025 23:59:32.693958044 CET	443	49701	104.21.112.1	192.168.2.7
Jan 10, 2025 23:59:32.694034100 CET	49701	443	192.168.2.7	104.21.112.1
Jan 10, 2025 23:59:32.701459885 CET	49701	443	192.168.2.7	104.21.112.1
Jan 10, 2025 23:59:32.701484919 CET	443	49701	104.21.112.1	192.168.2.7
Jan 10, 2025 23:59:32.730262995 CET	49700	80	192.168.2.7	132.226.8.169
Jan 10, 2025 23:59:33.203417063 CET	443	49701	104.21.112.1	192.168.2.7
Jan 10, 2025 23:59:33.203491926 CET	49701	443	192.168.2.7	104.21.112.1
Jan 10, 2025 23:59:33.209752083 CET	49701	443	192.168.2.7	104.21.112.1
Jan 10, 2025 23:59:33.209785938 CET	443	49701	104.21.112.1	192.168.2.7
Jan 10, 2025 23:59:33.210170984 CET	443	49701	104.21.112.1	192.168.2.7
Jan 10, 2025 23:59:33.261288881 CET	49701	443	192.168.2.7	104.21.112.1
Jan 10, 2025 23:59:33.271704912 CET	49701	443	192.168.2.7	104.21.112.1
Jan 10, 2025 23:59:33.315372944 CET	443	49701	104.21.112.1	192.168.2.7
Jan 10, 2025 23:59:33.389574051 CET	443	49701	104.21.112.1	192.168.2.7
Jan 10, 2025 23:59:33.389650106 CET	443	49701	104.21.112.1	192.168.2.7
Jan 10, 2025 23:59:33.389695883 CET	49701	443	192.168.2.7	104.21.112.1
Jan 10, 2025 23:59:33.395806074 CET	49701	443	192.168.2.7	104.21.112.1
Jan 11, 2025 00:00:37.688020945 CET	80	49700	132.226.8.169	192.168.2.7
Jan 11, 2025 00:00:37.688164949 CET	49700	80	192.168.2.7	132.226.8.169
Jan 11, 2025 00:01:12.699440002 CET	49700	80	192.168.2.7	132.226.8.169
Jan 11, 2025 00:01:12.704329967 CET	80	49700	132.226.8.169	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 23:59:31.551729918 CET	58870	53	192.168.2.7	1.1.1.1
Jan 10, 2025 23:59:31.559349060 CET	53	58870	1.1.1.1	192.168.2.7
Jan 10, 2025 23:59:32.685230017 CET	50035	53	192.168.2.7	1.1.1.1
Jan 10, 2025 23:59:32.693242073 CET	53	50035	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 23:59:31.551729918 CET	192.168.2.7	1.1.1.1	0xe847	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:59:32.685230017 CET	192.168.2.7	1.1.1.1	0xcb05	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 23:59:31.559349060 CET	1.1.1.1	192.168.2.7	0xe847	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 23:59:31.559349060 CET	1.1.1.1	192.168.2.7	0xe847	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:59:31.559349060 CET	1.1.1.1	192.168.2.7	0xe847	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:59:31.559349060 CET	1.1.1.1	192.168.2.7	0xe847	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:59:31.559349060 CET	1.1.1.1	192.168.2.7	0xe847	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:59:31.559349060 CET	1.1.1.1	192.168.2.7	0xe847	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:59:32.693242073 CET	1.1.1.1	192.168.2.7	0xcb05	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:59:32.693242073 CET	1.1.1.1	192.168.2.7	0xcb05	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:59:32.693242073 CET	1.1.1.1	192.168.2.7	0xcb05	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:59:32.693242073 CET	1.1.1.1	192.168.2.7	0xcb05	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:59:32.693242073 CET	1.1.1.1	192.168.2.7	0xcb05	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:59:32.693242073 CET	1.1.1.1	192.168.2.7	0xcb05	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 23:59:32.693242073 CET	1.1.1.1	192.168.2.7	0xcb05	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49700	132.226.8.169	80	7116	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 23:59:31.571116924 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 10, 2025 23:59:32.402988911 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 22:59:32 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 23:59:32.407227039 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 10, 2025 23:59:32.683630943 CET	273	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 22:59:32 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49701	104.21.112.1	443	7116	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 22:59:33 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-10 22:59:33 UTC	855	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 22:59:33 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1864762 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9O%2BUM61Pi8kRe6uJwN6kcqUXRrP6E9Wz0zUznextjrQYp3HzSEXhWF086v6a%2B8M3h7T7UDWq7mb12OmXdgvczA0RYppSW80URomZP1ik1Pp4%2BoleXek9ciuUkI9mgtvsfAJdHASe"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 900047354a2043b3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1547&min_rtt=1539&rtt_var=593&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1821584&cwnd=203&unsent_bytes=0&cid=a6c8c25fb9ee95a4&ts=203&x=0"
2025-01-10 22:59:33 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Target ID:	1
Start time:	17:59:28
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\H75MnQEha8.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\H75MnQEha8.exe"
Imagebase:	0x220000
File size:	959'488 bytes
MD5 hash:	BF5080DCB84740587BFAD2FF84979627
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000001.00000002.1289041266.0000000001810000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.1289041266.0000000001810000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000001.00000002.1289041266.0000000001810000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000001.00000002.1289041266.0000000001810000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000001.00000002.1289041266.0000000001810000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	17:59:29
Start date:	10/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\H75MnQEha8.exe"
Imagebase:	0x230000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000007.00000002.2523457522.0000000000602000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2523457522.0000000000602000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000007.00000002.2523457522.0000000000602000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000007.00000002.2523457522.0000000000602000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2524827918.0000000002696000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	3.8%
Dynamic/Decrypted Code Coverage:	1.5%
Signature Coverage:	6.2%
Total number of Nodes:	2000
Total number of Limit Nodes:	172

Executed Functions

Function 00223B3A Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00223B68
IsDebuggerPresent.KERNEL32 ref: 00223B7A
GetFullPathNameW.KERNEL32(00007FFF,?,?,002E52F8,002E52E0,?,?), ref: 00223BEB

Part of subcall function 00227BCC: _memmove.LIBCMT ref: 00227C06

Part of subcall function 0023092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00223C14,002E52F8,?,?,?), ref: 0023096E

SetCurrentDirectoryW.KERNEL32(?), ref: 00223C6F
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,002D7770,00000010), ref: 0025D281
SetCurrentDirectoryW.KERNEL32(?,002E52F8,?,?,?), ref: 0025D2B9
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,002D4260,002E52F8,?,?,?), ref: 0025D33F
ShellExecuteW.SHELL32(00000000,?,?), ref: 0025D346

Part of subcall function 00223A46: GetSysColorBrush.USER32(0000000F), ref: 00223A50
Part of subcall function 00223A46: LoadCursorW.USER32(00000000,00007F00), ref: 00223A5F
Part of subcall function 00223A46: LoadIconW.USER32(00000063), ref: 00223A76
Part of subcall function 00223A46: LoadIconW.USER32(000000A4), ref: 00223A88
Part of subcall function 00223A46: LoadIconW.USER32(000000A2), ref: 00223A9A
Part of subcall function 00223A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00223AC0
Part of subcall function 00223A46: RegisterClassExW.USER32(?), ref: 00223B16

Part of subcall function 002239D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00223A03
Part of subcall function 002239D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00223A24
Part of subcall function 002239D5: ShowWindow.USER32(00000000,?,?), ref: 00223A38
Part of subcall function 002239D5: ShowWindow.USER32(00000000,?,?), ref: 00223A41

Part of subcall function 0022434A: _memset.LIBCMT ref: 00224370
Part of subcall function 0022434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00224415

Strings

%+, xrefs: 00223C44
runas, xrefs: 0025D33A
This is a third-party compiled AutoIt script., xrefs: 0025D279

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas$%+
API String ID: 529118366-83704245
Opcode ID: 8181e36dbef9bfd38ef5bfb886d177e5f33ae9c1f15318584315e231fc5ac261
Instruction ID: 3c1c809320539c9afe359a38452316fd0196c2a658cba222599234e16806f353
Opcode Fuzzy Hash: 8181e36dbef9bfd38ef5bfb886d177e5f33ae9c1f15318584315e231fc5ac261
Instruction Fuzzy Hash: 10510630D781A9BACF11EFF4FC49AED7B78AB45704F4040A6FD11A6162DA744A65CF20

Function 002249A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 002249CD

Part of subcall function 00227BCC: _memmove.LIBCMT ref: 00227C06

GetCurrentProcess.KERNEL32(?,002AFAEC,00000000,00000000,?), ref: 00224A9A
IsWow64Process.KERNEL32(00000000), ref: 00224AA1
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00224AE7
FreeLibrary.KERNEL32(00000000), ref: 00224AF2
GetSystemInfo.KERNEL32(00000000), ref: 00224B23
GetSystemInfo.KERNEL32(00000000), ref: 00224B2F

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: 4dceeb94869aaabf8dc084d7646b47242a3469f30af479c905cfe3e9fbfc2a0e
Instruction ID: f9b27e595bbbfc319f34f386e7338a3ca77df9fbca6ece6e30d83b4601bbf43a
Opcode Fuzzy Hash: 4dceeb94869aaabf8dc084d7646b47242a3469f30af479c905cfe3e9fbfc2a0e
Instruction Fuzzy Hash: 3591F4319A97D1EEC731DBB8A5641AAFFF4AF2A300B0449ADD4CB83A01D270A518C75D

Function 00224E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00224D8E,?,?,00000000,00000000), ref: 00224E99
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00224D8E,?,?,00000000,00000000), ref: 00224EB0
LoadResource.KERNEL32(?,00000000,?,?,00224D8E,?,?,00000000,00000000,?,?,?,?,?,?,00224E2F), ref: 0025D937
SizeofResource.KERNEL32(?,00000000,?,?,00224D8E,?,?,00000000,00000000,?,?,?,?,?,?,00224E2F), ref: 0025D94C
LockResource.KERNEL32(00224D8E,?,?,00224D8E,?,?,00000000,00000000,?,?,?,?,?,?,00224E2F,00000000), ref: 0025D95F

Strings

SCRIPT, xrefs: 00224EA6

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 025faa39da5724e824c5aa7676293266a8d0d4747cfa4ce94b15f6a8afdf9354
Instruction ID: 076a54f5485646306b45020759c05938480cd58678854d69ba1b1241c1771229
Opcode Fuzzy Hash: 025faa39da5724e824c5aa7676293266a8d0d4747cfa4ce94b15f6a8afdf9354
Instruction Fuzzy Hash: 70115A75250701BFE7229FA5FD48F677BBAFBC6B11F214268F80686250DB71ED108A60

Function 0028445A Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,0025E398), ref: 0028446A
FindFirstFileW.KERNELBASE(?,?), ref: 0028447B
FindClose.KERNEL32(00000000), ref: 0028448B

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: f1b39e15d03dddf018ca10747bc0882d2325292eee58a99b64d7e1711ddffe94
Instruction ID: 92de380e783dae83cc080ee570c15e3b882bd0434c2af416151ee9d9fb7f7032
Opcode Fuzzy Hash: f1b39e15d03dddf018ca10747bc0882d2325292eee58a99b64d7e1711ddffe94
Instruction Fuzzy Hash: C8E0D8364215026742107B78FC0D5E97B9CAE06335F100715FC35C10E0EBB85D109695

Function 002309D0 Relevance: 64.3, APIs: 27, Strings: 9, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00230A5B
timeGetTime.WINMM ref: 00230D16
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00230E53
Sleep.KERNEL32(0000000A), ref: 00230E61
LockWindowUpdate.USER32(00000000,?,?), ref: 00230EFA
DestroyWindow.USER32 ref: 00230F06
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00230F20
Sleep.KERNEL32(0000000A,?,?), ref: 00264E83
TranslateMessage.USER32(?), ref: 00265C60
DispatchMessageW.USER32(?), ref: 00265C6E
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00265C82

Strings

@GUI_CTRLID, xrefs: 00264F3A
@COM_EVENTOBJ, xrefs: 002654F0
pb., xrefs: 00264FAE
@GUI_CTRLHANDLE, xrefs: 00264FE4
@GUI_WINHANDLE, xrefs: 00264F8F
pb., xrefs: 002657B4
@TRAY_ID, xrefs: 0026578F
pb., xrefs: 00265003
pb., xrefs: 00264F59

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$pb.$pb.$pb.$pb.
API String ID: 4212290369-486499698
Opcode ID: 7561142d553e52af0ae327a1eea8106ba3fdd45c4e84009bc2a49a379b22e9db
Instruction ID: 4b1bbabc72dbe26e9cdf7b754cb315841c2f71627af3abf28232d51f8fa2945a
Opcode Fuzzy Hash: 7561142d553e52af0ae327a1eea8106ba3fdd45c4e84009bc2a49a379b22e9db
Instruction Fuzzy Hash: 4EB2F370628752DFD728DF64C894BAAB7E4BF85304F14491DF589872A1CB70E8A4CF92

Function 00289155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00288F5F: __time64.LIBCMT ref: 00288F69

Part of subcall function 00224EE5: _fseek.LIBCMT ref: 00224EFD

__wsplitpath.LIBCMT ref: 00289234

Part of subcall function 002440FB: __wsplitpath_helper.LIBCMT ref: 0024413B

_wcscpy.LIBCMT ref: 00289247
_wcscat.LIBCMT ref: 0028925A
__wsplitpath.LIBCMT ref: 0028927F
_wcscat.LIBCMT ref: 00289295
_wcscat.LIBCMT ref: 002892A8

Part of subcall function 00288FA5: _memmove.LIBCMT ref: 00288FDE
Part of subcall function 00288FA5: _memmove.LIBCMT ref: 00288FED

_wcscmp.LIBCMT ref: 002891EF

Part of subcall function 00289734: _wcscmp.LIBCMT ref: 00289824
Part of subcall function 00289734: _wcscmp.LIBCMT ref: 00289837

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00289452
_wcsncpy.LIBCMT ref: 002894C5
DeleteFileW.KERNEL32(?,?), ref: 002894FB
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00289511
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00289522
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00289534

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: cbdd63190ecb252e0ed11ee88ba2228d6e47fd8b8a9af3c31acbcca1febcda43
Instruction ID: 83083abf72554eff5af80552bdb62b1c4e5e9168c3c98de74b594d8bcf5f92b4
Opcode Fuzzy Hash: cbdd63190ecb252e0ed11ee88ba2228d6e47fd8b8a9af3c31acbcca1febcda43
Instruction Fuzzy Hash: B6C16EB1D11129ABDF21EF95CC85AEEB7BCEF45300F0040A6F609E7181EB709A948F65

Function 00223015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 72
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00223074
RegisterClassExW.USER32(00000030), ref: 0022309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 002230AF
InitCommonControlsEx.COMCTL32(?), ref: 002230CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 002230DC
LoadIconW.USER32(000000A9), ref: 002230F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00223101

Strings

AutoIt v3 GUI, xrefs: 00223090
0, xrefs: 00223056
+, xrefs: 0022305D
TaskbarCreated, xrefs: 002230A4

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 396252f81cbcaac768fd3dba1958c1529abcc249eb5c8b0dcb871dbe173f9f37
Instruction ID: c5578498cc1c12465d4d1ab2222c91770beb24d1d6b84e5af365f2641ae0ea2c
Opcode Fuzzy Hash: 396252f81cbcaac768fd3dba1958c1529abcc249eb5c8b0dcb871dbe173f9f37
Instruction Fuzzy Hash: AE3129B1850355EFDB50CFE4ED89A89BBF0FB0A314F14452AE580EA2A1E7B90585CF51

Function 00223041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00223074
RegisterClassExW.USER32(00000030), ref: 0022309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 002230AF
InitCommonControlsEx.COMCTL32(?), ref: 002230CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 002230DC
LoadIconW.USER32(000000A9), ref: 002230F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00223101

Strings

AutoIt v3 GUI, xrefs: 00223090
0, xrefs: 00223056
+, xrefs: 0022305D
TaskbarCreated, xrefs: 002230A4

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: cb972e38c0dd281265d25758d12d03812cbfe2373c3d12ff9e4d69b4812c2197
Instruction ID: 44021bd185e973fe538cab0e820c95fe0733b719d5b1fec3e66c6ee34d412d2a
Opcode Fuzzy Hash: cb972e38c0dd281265d25758d12d03812cbfe2373c3d12ff9e4d69b4812c2197
Instruction Fuzzy Hash: EA21E8B1950268AFDB40DFE4FD8CB9DBBF4FB09704F00412AFA10AA2A0DBB545448F91

Function 0022708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00224706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,002E52F8,?,002237AE,?), ref: 00224724

Part of subcall function 0024050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00227165), ref: 0024052D

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 002271A8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0025E8C8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0025E909
RegCloseKey.ADVAPI32(?), ref: 0025E947
_wcscat.LIBCMT ref: 0025E9A0

Strings

\Include\, xrefs: 00227165
\, xrefs: 0025E9C3
Software\AutoIt v3\AutoIt, xrefs: 0022719E
Include, xrefs: 0025E8BF, 0025E900

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 95edc8a7e37e899b43b27338015010aa4ba9a2d0635012c29fb887e5a2aff720
Instruction ID: 54625932f22f96276e0d164a5bc9cc5c5f13a882a9b2406d5e0a325793c9b7ab
Opcode Fuzzy Hash: 95edc8a7e37e899b43b27338015010aa4ba9a2d0635012c29fb887e5a2aff720
Instruction Fuzzy Hash: 3971F331568352AEC704DF65FC899ABB7E8FF55350F40052EF9448B1A0DB309958CF92

Function 00223633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 002236D2
KillTimer.USER32(?,00000001), ref: 002236FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0022371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0022372A
CreatePopupMenu.USER32 ref: 0022373E
PostQuitMessage.USER32(00000000), ref: 0022374D

Strings

%+, xrefs: 0025D081, 0025D0CF
TaskbarCreated, xrefs: 00223725

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated$%+
API String ID: 129472671-3833644150
Opcode ID: 24c4265555efab29228491765404c019c0f5c5743544846cf43f108c668868a2
Instruction ID: 3fddc1bd61b6a5311a63659043ae2770046db8933cd9732089ec70d3c1a75ba9
Opcode Fuzzy Hash: 24c4265555efab29228491765404c019c0f5c5743544846cf43f108c668868a2
Instruction Fuzzy Hash: 4F4145B1270566BBDF24EFE4FC4DB79765CEB00300F500025FA028A2B1CAB999759B29

Function 00223A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00223A50
LoadCursorW.USER32(00000000,00007F00), ref: 00223A5F
LoadIconW.USER32(00000063), ref: 00223A76
LoadIconW.USER32(000000A4), ref: 00223A88
LoadIconW.USER32(000000A2), ref: 00223A9A
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00223AC0
RegisterClassExW.USER32(?), ref: 00223B16

Part of subcall function 00223041: GetSysColorBrush.USER32(0000000F), ref: 00223074
Part of subcall function 00223041: RegisterClassExW.USER32(00000030), ref: 0022309E
Part of subcall function 00223041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 002230AF
Part of subcall function 00223041: InitCommonControlsEx.COMCTL32(?), ref: 002230CC
Part of subcall function 00223041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 002230DC
Part of subcall function 00223041: LoadIconW.USER32(000000A9), ref: 002230F2
Part of subcall function 00223041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00223101

Strings

#, xrefs: 00223AFB
AutoIt v3, xrefs: 00223B05
0, xrefs: 00223AF4

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 2f4351b4a075f08403bcc4b19557585f6e897f74febd3e21e9586560cb15e672
Instruction ID: 2ae417a6f5868f1b14ff94233d665a351e374c17c04aa22a834a90974233955b
Opcode Fuzzy Hash: 2f4351b4a075f08403bcc4b19557585f6e897f74febd3e21e9586560cb15e672
Instruction Fuzzy Hash: 4E214F70DA0364AFDB10DFA4FD8DB9DBBB4FB08715F000119EA04AA2A1D7B555508F94

Function 00223766 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

/AutoIt3OutputDebug, xrefs: 00223892
CMDLINE, xrefs: 00223822
/AutoIt3ExecuteLine, xrefs: 002238A7
R., xrefs: 0025D213
CMDLINERAW, xrefs: 002237FB
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 002237AE
/ErrorStdOut, xrefs: 0022387D
/AutoIt3ExecuteScript, xrefs: 002238BC

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$R.
API String ID: 1825951767-1225404995
Opcode ID: 58222ea76838311d6a3e224c26846fec8b52090f211fa8389f292fd96a52111b
Instruction ID: 624ea7b8588d9f900d5a1999e1a2a097aa2f709796614c9be1c3b853336ba0f1
Opcode Fuzzy Hash: 58222ea76838311d6a3e224c26846fec8b52090f211fa8389f292fd96a52111b
Instruction Fuzzy Hash: 15A13E7193023DAACB15EBE0EC95AEEB778BF15300F440429F915A6191DF749A68CF60

Function 0022F76F Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 168
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00240162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00240193
Part of subcall function 00240162: MapVirtualKeyW.USER32(00000010,00000000), ref: 0024019B
Part of subcall function 00240162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 002401A6
Part of subcall function 00240162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 002401B1
Part of subcall function 00240162: MapVirtualKeyW.USER32(00000011,00000000), ref: 002401B9
Part of subcall function 00240162: MapVirtualKeyW.USER32(00000012,00000000), ref: 002401C1

Part of subcall function 002360F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0022F930), ref: 00236154

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0022F9CD
OleInitialize.OLE32(00000000), ref: 0022FA4A
CloseHandle.KERNEL32(00000000), ref: 002645C8

Strings

%+, xrefs: 0022F796, 0022F7A8, 0022F96E, 0022FA51
S., xrefs: 0022F7EB
\T., xrefs: 0022F7F7
<W., xrefs: 0022F930

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: <W.$\T.$%+$S.
API String ID: 1986988660-2360567740
Opcode ID: b981486dd95957c3b575d4a048b140b0e146499c285d6d1a81a3bc9a1bdbd93f
Instruction ID: 47b87a16e005fe85827971d70e334a7efcd87a8cd1772f628822ab8cd10240e4
Opcode Fuzzy Hash: b981486dd95957c3b575d4a048b140b0e146499c285d6d1a81a3bc9a1bdbd93f
Instruction Fuzzy Hash: 0781C3B09B1AE1CFC384DF69B9C86597BE5FB4830E790816AD108CF2A1E77444A4CF21

Function 01884B08 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 01884BD9
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 01884DFF

Memory Dump Source

Source File: 00000001.00000002.1289259835.0000000001882000.00000040.00000020.00020000.00000000.sdmp, Offset: 01882000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1882000_H75MnQEha8.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: e3e00bf9dbafeb2e33b0b1731302cb2fbf5584eb46f22b1b855d3d8c7a9348fe
Instruction ID: d526136b535eca01b4c0875d67feda1815218adc9dd89ec96d91e9578dff07a9
Opcode Fuzzy Hash: e3e00bf9dbafeb2e33b0b1731302cb2fbf5584eb46f22b1b855d3d8c7a9348fe
Instruction Fuzzy Hash: 42A12875E0020AEBEB14DFA8C894BEEBBB5FF48304F208559E611BB281D7759A41CF50

Function 002239D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00223A03
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00223A24
ShowWindow.USER32(00000000,?,?), ref: 00223A38
ShowWindow.USER32(00000000,?,?), ref: 00223A41

Strings

AutoIt v3, xrefs: 002239FB, 00223A00, 00223A01
edit, xrefs: 00223A1E

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: b9d4d0a938408137b1d0ca56a82f957519accdabc4c30115c55708377b28502f
Instruction ID: 52fa859590dc739c203082681a69543507491b09776fa4ed664afdd87161fe13
Opcode Fuzzy Hash: b9d4d0a938408137b1d0ca56a82f957519accdabc4c30115c55708377b28502f
Instruction Fuzzy Hash: 9EF017706A02E07AEA605763BC8CE6B6E7DD7C7F54F00002ABE00AA171C6650850CAB0

Function 018848A8 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 156
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 01884798: Sleep.KERNELBASE(000001F4), ref: 018847A9

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 018849FA

Strings

SJ55NHU90U24TBZMF0CRXV18DR, xrefs: 01884A5D, 01884A60

Memory Dump Source

Source File: 00000001.00000002.1289259835.0000000001882000.00000040.00000020.00020000.00000000.sdmp, Offset: 01882000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1882000_H75MnQEha8.jbxd

Similarity

API ID: CreateFileSleep
String ID: SJ55NHU90U24TBZMF0CRXV18DR
API String ID: 2694422964-1603180444
Opcode ID: 5dfaee550b5cda52c72b192ec2d019e7679177eb182a38208b196aa9da9b6088
Instruction ID: 82c1c0eba66e143f4bacd638f5f9bfb61f1eb5e0e63ebff3fe8810bbe4d7e579
Opcode Fuzzy Hash: 5dfaee550b5cda52c72b192ec2d019e7679177eb182a38208b196aa9da9b6088
Instruction Fuzzy Hash: 8861C531D0428DDAEF11DBB8C854BEEBBB4AF15304F044199E654BB2C1D7B90B49CB66

Function 0022407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0025D3D7

Part of subcall function 00227BCC: _memmove.LIBCMT ref: 00227C06

_memset.LIBCMT ref: 002240FC
_wcscpy.LIBCMT ref: 00224150
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00224160

Strings

Line: , xrefs: 0025D400

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: 02928fe8f59976db10d7aa87ff372d8ed425831e981ef57d8f69a0478a1ce5fc
Instruction ID: 707b6caf9e34ef17eab85c77404acb417f7c0b92a3abe5238fcdf21ea07c6f03
Opcode Fuzzy Hash: 02928fe8f59976db10d7aa87ff372d8ed425831e981ef57d8f69a0478a1ce5fc
Instruction Fuzzy Hash: EB31E171028365BFD724EFA0FC4AFDB77D8AF44304F10491AF685960A1DB74A668CB82

Function 0024541D Relevance: 7.7, APIs: 5, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0024547B
_memcpy_s.LIBCMT ref: 002454ED
__read_nolock.LIBCMT ref: 0024554B
__filbuf.LIBCMT ref: 0024556E
_memset.LIBCMT ref: 002455B2

Part of subcall function 00248B28: __getptd_noexit.LIBCMT ref: 00248B28

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
Instruction ID: 609104908377802aefe86adc343346fa7f5f660dcf589f35f50c6379776efbfa
Opcode Fuzzy Hash: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
Instruction Fuzzy Hash: 5251EC70A20B16DBCB2C9F65D84067E77B6AF40321F648729F8B59A2D2D7709D748F40

Function 0022686A Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 00224DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,002E52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00224E0F

_free.LIBCMT ref: 0025E263
_free.LIBCMT ref: 0025E2AA

Part of subcall function 00226A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00226BAD

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 0025E039
Bad directive syntax error, xrefs: 0025E292

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: fffaadfde08528a218370a5c22538a30e6d8e2d6980f90c64897399886fa7cdf
Instruction ID: 149b787400039bdaa48be06d9d98762b8c0830aa8d95aac45aab6be088e297ac
Opcode Fuzzy Hash: fffaadfde08528a218370a5c22538a30e6d8e2d6980f90c64897399886fa7cdf
Instruction Fuzzy Hash: DF916F71924229EFCF08EFA4D8819EDB7B4FF09310F114469F815AB2A1DB709A69CF54

Function 002235B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,002235A1,SwapMouseButtons,00000004,?), ref: 002235D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,002235A1,SwapMouseButtons,00000004,?,?,?,?,00222754), ref: 002235F5
RegCloseKey.KERNELBASE(00000000,?,?,002235A1,SwapMouseButtons,00000004,?,?,?,?,00222754), ref: 00223617

Strings

Control Panel\Mouse, xrefs: 002235D2

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 79f9b7d9781d01abd13049095802be0f7e82a1ae0b651b0d772968485a22f6c5
Instruction ID: 091167efe512af708ae90a718484e962e2b90b1530e629862a7864ed57c1ff6f
Opcode Fuzzy Hash: 79f9b7d9781d01abd13049095802be0f7e82a1ae0b651b0d772968485a22f6c5
Instruction Fuzzy Hash: 87114871A20228BFDB20CFA4EC44ABEB7BCEF05740F014469E805D7210E6B59E649B68

Function 01883798 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 01883FC5
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01883FE9
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 0188400B

Memory Dump Source

Source File: 00000001.00000002.1289259835.0000000001882000.00000040.00000020.00020000.00000000.sdmp, Offset: 01882000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1882000_H75MnQEha8.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 75058a4f97cf2fcbd3f6bc15a6ffc08ef8895de4d25848071cc819695d886454
Instruction ID: daf838755fc582d792cf1ea5cb2daff504450c9078c3e7da704effcd4c9569cb
Opcode Fuzzy Hash: 75058a4f97cf2fcbd3f6bc15a6ffc08ef8895de4d25848071cc819695d886454
Instruction Fuzzy Hash: 7862FA30A14219DBEB24DFA4C840BDEB772FF58704F1091A9D20DEB291E7769E81CB59

Function 0028955B Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00224EE5: _fseek.LIBCMT ref: 00224EFD

Part of subcall function 00289734: _wcscmp.LIBCMT ref: 00289824
Part of subcall function 00289734: _wcscmp.LIBCMT ref: 00289837

_free.LIBCMT ref: 002896A2
_free.LIBCMT ref: 002896A9
_free.LIBCMT ref: 00289714

Part of subcall function 00242D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00249A24), ref: 00242D69
Part of subcall function 00242D55: GetLastError.KERNEL32(00000000,?,00249A24), ref: 00242D7B

_free.LIBCMT ref: 0028971C

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
Instruction ID: 72f5e9131d1d70e1c06f0e60867a4c02327c0a95796a76f0d3393ec042713e27
Opcode Fuzzy Hash: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
Instruction Fuzzy Hash: 7A5162B5D14218AFDF25AFA4DC81AAEBB79FF48300F14049EF209A3241DB715A90CF58

Function 0024470A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 002447A0
__flush.LIBCMT ref: 002447C0
__write.LIBCMT ref: 002447F3
__flsbuf.LIBCMT ref: 00244821

Part of subcall function 00248B28: __getptd_noexit.LIBCMT ref: 00248B28

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction ID: 687e1625ef330983306f6a5bb656054644ebf067153330a9dc4e2cbe36965268
Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction Fuzzy Hash: 0E41E674B207469BDB1CEF69CC80BAEB7A6EF45364B24813DE815C7640EB70DD628B40

Function 00224C70 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00224CBA

Strings

EA06, xrefs: 0025D8CC
AU3!P/+, xrefs: 00224CB4

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: _memmove
String ID: AU3!P/+$EA06
API String ID: 4104443479-925092189
Opcode ID: a43d2a40310b88c6a7d9fd712e7652589e93371890ad5475969d567fac52f30b
Instruction ID: 0cc51d355fa14f8caf45966db065de99e18af4484b91e17e71d7e2f64e851c8d
Opcode Fuzzy Hash: a43d2a40310b88c6a7d9fd712e7652589e93371890ad5475969d567fac52f30b
Instruction Fuzzy Hash: 71418C21A3017877DF22BFE4F8517BE7BA29B45300F684065EC829B286D6709D748BA1

Function 00227285 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0025EA39
GetOpenFileNameW.COMDLG32(?), ref: 0025EA83

Part of subcall function 00224750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00224743,?,?,002237AE,?), ref: 00224770

Part of subcall function 00240791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 002407B0

Strings

X, xrefs: 0025EA51

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: b1dd1c15f23babb505745e098d2d3609e892d0559d924dc674bd418ab2eff2e9
Instruction ID: 107013f3c7c1308a6be6269d8ba42df910f99edbe4b0a87f13694f02a88ed254
Opcode Fuzzy Hash: b1dd1c15f23babb505745e098d2d3609e892d0559d924dc674bd418ab2eff2e9
Instruction Fuzzy Hash: C621C631A24258ABDF419FD4D845BDE7BF8AF49314F00405AE908A7241DBF4599D8F91

Function 00288D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00288DAC
__fread_nolock.LIBCMT ref: 00288DC1

Strings

EA06, xrefs: 00288DF3

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 3cd38c1c555f76cae5b325268db91ce3aca139c7ef96dca2c3161e4a967465e8
Instruction ID: 3d3695c36563ac0b0898e86da519c5c391be92fd2815c311b11aad8719905485
Opcode Fuzzy Hash: 3cd38c1c555f76cae5b325268db91ce3aca139c7ef96dca2c3161e4a967465e8
Instruction Fuzzy Hash: A601F9719142187FDB18DBA8C856EFE7BF8DB15301F00419BF592D22C1E874A6148B60

Function 002898E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 002898F8
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 0028990F

Strings

aut, xrefs: 00289909

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: df95ec6805b0298bc4b066e2c5c3a54afb70f9855e5f5962868cd7437f0a5298
Instruction ID: 033efb13e7c00bd356facf277d2eead42cb7e9d90b6bc28b7f5d91764516a15b
Opcode Fuzzy Hash: df95ec6805b0298bc4b066e2c5c3a54afb70f9855e5f5962868cd7437f0a5298
Instruction Fuzzy Hash: 8BD05E7954030DABDB909BE0EC0EFDA773CE705701F0002B1BE94D11A1EEB499A88B91

Function 0029CADD Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a73fc8e79884afc339e0e3991d59a9b59a407f445d3f09381583274c35b2da6d
Instruction ID: 9ea66fe3f2852a79b822245919b514ee1224c92bb7b194b6e0383613c3230c01
Opcode Fuzzy Hash: a73fc8e79884afc339e0e3991d59a9b59a407f445d3f09381583274c35b2da6d
Instruction Fuzzy Hash: FFF169716183019FCB14DF28C480A6ABBE5FF89314F64892EF8999B352D730E955CF82

Function 0022434A Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00224370
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00224415
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00224432

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: 77e86193e59dbc0dc254ecc6d6308a38e3a9799a071fcd00824af392450ceb3f
Instruction ID: 9b3e0a18ee35999f4f71b1b63f06906592f07836532082efb691390f4a0734b4
Opcode Fuzzy Hash: 77e86193e59dbc0dc254ecc6d6308a38e3a9799a071fcd00824af392450ceb3f
Instruction Fuzzy Hash: D031B670524721DFD720EF74E88469BBBF8FB48309F10092EFA9A87251D774A954CB52

Function 0024571C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00245733

Part of subcall function 0024A16B: __NMSG_WRITE.LIBCMT ref: 0024A192
Part of subcall function 0024A16B: __NMSG_WRITE.LIBCMT ref: 0024A19C

__NMSG_WRITE.LIBCMT ref: 0024573A

Part of subcall function 0024A1C8: GetModuleFileNameW.KERNEL32(00000000,002E33BA,00000104,?,00000001,00000000), ref: 0024A25A
Part of subcall function 0024A1C8: ___crtMessageBoxW.LIBCMT ref: 0024A308

Part of subcall function 0024309F: ___crtCorExitProcess.LIBCMT ref: 002430A5
Part of subcall function 0024309F: ExitProcess.KERNEL32 ref: 002430AE

Part of subcall function 00248B28: __getptd_noexit.LIBCMT ref: 00248B28

RtlAllocateHeap.NTDLL(01830000,00000000,00000001,00000000,?,?,?,00240DD3,?), ref: 0024575F

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 444e60ae8f5f0870666a5bd4602f5cb6a236ecd5f36661cfafba490d2d479d42
Instruction ID: 0b57b8aca730b131547c912a84632335c34813927b4ed5d26efbbc9b2c6b64f2
Opcode Fuzzy Hash: 444e60ae8f5f0870666a5bd4602f5cb6a236ecd5f36661cfafba490d2d479d42
Instruction Fuzzy Hash: E2019635270A22DFE61C6B74AC8AA2DB7489F42762F100535F599DB182DEB49C205A61

Function 002898A2 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00289548,?,?,?,?,?,00000004), ref: 002898BB
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00289548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 002898D1
CloseHandle.KERNEL32(00000000,?,00289548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 002898D8

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: e198912be961b5a694c05a97a6cfd5c3a740e4062b84c2335a452b6bdcaf4466
Instruction ID: 185effc314260b65267b13ebc2cbafbe16ea85b0c171a470364276295d9b4f19
Opcode Fuzzy Hash: e198912be961b5a694c05a97a6cfd5c3a740e4062b84c2335a452b6bdcaf4466
Instruction Fuzzy Hash: D1E08632241214BBDB312F94FD0DFDA7B19AB07760F144121FB54690E08BB525219798

Function 00288D0D Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00288D1B

Part of subcall function 00242D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00249A24), ref: 00242D69
Part of subcall function 00242D55: GetLastError.KERNEL32(00000000,?,00249A24), ref: 00242D7B

_free.LIBCMT ref: 00288D2C
_free.LIBCMT ref: 00288D3E

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
Instruction ID: 9a564fa305e35fd8e8e37c4f55ef5edb755db71f450bc977935766c36679ffd8
Opcode Fuzzy Hash: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
Instruction Fuzzy Hash: 89E012A1A22602C6CB28B979A940A9313DC4F58392F94091DB40DD71C6DE64F8A68624

Function 0022A9C3 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 0025FC01

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: 4bf2febd31b83d497227b88ea96cca7375ae9009d955ef5241698a6e9f61105e
Instruction ID: 4a430f808408255a6c210dbc7de1db5c3e05ab5cdb0a6a7633a0db8c587d2590
Opcode Fuzzy Hash: 4bf2febd31b83d497227b88ea96cca7375ae9009d955ef5241698a6e9f61105e
Instruction Fuzzy Hash: C2226870528321EFC724DF54D594A2AB7E1BF48304F14896DE88A8B762D771ECA5CF82

Function 002247D0 Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00224834

Part of subcall function 0024336C: __lock.LIBCMT ref: 00243372
Part of subcall function 0024336C: DecodePointer.KERNEL32(00000001,?,00224849,00277C74), ref: 0024337E
Part of subcall function 0024336C: EncodePointer.KERNEL32(?,?,00224849,00277C74), ref: 00243389

Part of subcall function 002248FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00224915
Part of subcall function 002248FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0022492A

Part of subcall function 00223B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00223B68
Part of subcall function 00223B3A: IsDebuggerPresent.KERNEL32 ref: 00223B7A
Part of subcall function 00223B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,002E52F8,002E52E0,?,?), ref: 00223BEB
Part of subcall function 00223B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00223C6F

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00224874

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: 9f9543420fca5790589cf24e9d5239cb80dd4bd271bd8f41b43693b4e6e6754d
Instruction ID: 3cc1fd738b941f38a3d499a075c83ebd6fdddf230e1ae94f9251c93a0f4c2e14
Opcode Fuzzy Hash: 9f9543420fca5790589cf24e9d5239cb80dd4bd271bd8f41b43693b4e6e6754d
Instruction Fuzzy Hash: A911C071824361ABC710EFA8FC4980ABFE8EF95754F10451EF5448B2B1DB708554CF82

Function 00225C99 Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,00225821,?,?,?,?), ref: 00225CC7
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,00225821,?,?,?,?), ref: 0025DD73

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: dbb801f731f07b4c6c76799f45f7f5fea9069a7464259295cec1644c210d0d49
Instruction ID: facfe9a3c5deada06b791af797114207d30af1c8a54069feec7e93a648eb6812
Opcode Fuzzy Hash: dbb801f731f07b4c6c76799f45f7f5fea9069a7464259295cec1644c210d0d49
Instruction Fuzzy Hash: 9201D271250329BEF3300E64DC8AF723BDCAB01729F10C329BAE49A1E0D6B40C58CB14

Function 00240DB6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0024571C: __FF_MSGBANNER.LIBCMT ref: 00245733
Part of subcall function 0024571C: __NMSG_WRITE.LIBCMT ref: 0024573A
Part of subcall function 0024571C: RtlAllocateHeap.NTDLL(01830000,00000000,00000001,00000000,?,?,?,00240DD3,?), ref: 0024575F

std::exception::exception.LIBCMT ref: 00240DEC
__CxxThrowException@8.LIBCMT ref: 00240E01

Part of subcall function 0024859B: RaiseException.KERNEL32(?,?,?,002D9E78,00000000,?,?,?,?,00240E06,?,002D9E78,?,00000001), ref: 002485F0

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 8c36a2fa81de6db362b94efb2808d54b5b2726919fa12743074c532220d30167
Instruction ID: 9d00333431c657c9ce852ba8e9b03956af689048c3b694a31606dd1bd2948715
Opcode Fuzzy Hash: 8c36a2fa81de6db362b94efb2808d54b5b2726919fa12743074c532220d30167
Instruction Fuzzy Hash: 21F0A93193031AA6CB18BE94EC415DE7BACDF05351F10046AFA04A6251DF719AB485D1

Function 002455FD Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0024562C
__lock_file.LIBCMT ref: 0024564D

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: 56424f0ae144f082392defc4c48249c6eacf349a544242ad8b68f7ec58d921ca
Instruction ID: 39240a086624f6d38df3d4e31d3f8f88d1f77b4e5cef42a954150bba8546b06b
Opcode Fuzzy Hash: 56424f0ae144f082392defc4c48249c6eacf349a544242ad8b68f7ec58d921ca
Instruction Fuzzy Hash: 38012B71C31A19EBCF16AFA4CC0689E7B65EF52321F414115F8641B292DB318A31DF92

Function 002453A6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00248B28: __getptd_noexit.LIBCMT ref: 00248B28

__lock_file.LIBCMT ref: 002453EB

Part of subcall function 00246C11: __lock.LIBCMT ref: 00246C34

__fclose_nolock.LIBCMT ref: 002453F6

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: f30cd925876ccad38245c9272c7f45a4f90b6dc42bfd4a31edb6fbdae1bfba7a
Instruction ID: db899e1a78b25417e4b28b156bfc3e4a6f7cf01c0da4f5e2827dcac21eb4b85a
Opcode Fuzzy Hash: f30cd925876ccad38245c9272c7f45a4f90b6dc42bfd4a31edb6fbdae1bfba7a
Instruction Fuzzy Hash: 77F0F631830A109BD7196F7488057AD6AA06F41374F208145E4A0AB1C2CBFC49219F52

Function 00228061 Relevance: 2.6, APIs: 2, Instructions: 54COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,00000000,?,?,?,0022542F,?,?,?,?,?), ref: 0022807A
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,?,?,?,0022542F,?,?,?,?,?), ref: 002280AD

Part of subcall function 0022774D: _memmove.LIBCMT ref: 00227789

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: ByteCharMultiWide$_memmove
String ID:
API String ID: 3033907384-0
Opcode ID: 1115319956ce434ecda9840acea86f2cc689bd3638506d0cb922f53ac2a508e3
Instruction ID: 864225e693ee6ee7c03a4052af94b7e55a35bf518416c5f39332fc50c7b45f54
Opcode Fuzzy Hash: 1115319956ce434ecda9840acea86f2cc689bd3638506d0cb922f53ac2a508e3
Instruction Fuzzy Hash: DE01A231215114BFEB246A71ED4AF7B3B6DEF85760F108029FA05CE190DE70D8108A61

Function 01883795 Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 01883FC5
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01883FE9
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 0188400B

Memory Dump Source

Source File: 00000001.00000002.1289259835.0000000001882000.00000040.00000020.00020000.00000000.sdmp, Offset: 01882000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1882000_H75MnQEha8.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 935c44ad8318b3af66d252774f477c9026677184fbf87e93bc0843909b837ee7
Instruction ID: 004079b94eab9e153a2603bf2a17496f7964477125c6a9a23b4acc332259b916
Opcode Fuzzy Hash: 935c44ad8318b3af66d252774f477c9026677184fbf87e93bc0843909b837ee7
Instruction Fuzzy Hash: 3212BD24E24658C6EB24DF64D8507DEB232FF68300F1091E9910DEB7A5E77A4F81CB5A

Function 00231FC3 Relevance: 1.7, APIs: 1, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2e34cc6875bdbb9a2bbe610c16ae1e065660d37c14fc1150e410cda8348f730
Instruction ID: 76087aa009e90323062f5d38128473f118b88d1c44cc09975f4571cc36781907
Opcode Fuzzy Hash: a2e34cc6875bdbb9a2bbe610c16ae1e065660d37c14fc1150e410cda8348f730
Instruction Fuzzy Hash: 8F51B371620614EFCF14EFA4D995E6E77A6AF45310F148068F806AB392DB30ED64CF51

Function 00225AEE Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00225B96

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: cf566462cf15b5ba76e76cd5cbeb48bd15ff226fc906b0485f3b5d1d0e064ec9
Instruction ID: dc52c98187b6963aadad380ccb8e64991201325547f5bdf13bb87f6bf8fb3cf4
Opcode Fuzzy Hash: cf566462cf15b5ba76e76cd5cbeb48bd15ff226fc906b0485f3b5d1d0e064ec9
Instruction Fuzzy Hash: BE315C71A20A26BFCB18CFACD484AADB7B5FF44314F14C629D81997714D770A9A0CB90

Function 00240C08 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00240CB7

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 8b34ba861c97cbfaa29f6dc8f267be07a4f34f2e13d29b597eeb20af2c6eb3b5
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 0D31C070A20106DBC718DF58D4C4A69F7B6FB99300B6486A6E90ACB351DA71EDE1DBC0

Function 0025FCAC Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0025FCB7

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 4f23251ed2dd2ed3d4fc24e4402880c415b8f874f9b91a0d7c7217d945974b37
Instruction ID: b2a73319f7697d001096e0db03f8ddd08597aa54337beb9d8bf347de05a4662f
Opcode Fuzzy Hash: 4f23251ed2dd2ed3d4fc24e4402880c415b8f874f9b91a0d7c7217d945974b37
Instruction Fuzzy Hash: B2414A746243519FDB25CF64C484B1ABBE0BF49314F0988ACE9998B762C731ECA5CF52

Function 00224DDD Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00224BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00224BEF

Part of subcall function 0024525B: __wfsopen.LIBCMT ref: 00245266

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,002E52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00224E0F

Part of subcall function 00224B6A: FreeLibrary.KERNEL32(00000000), ref: 00224BA4

Part of subcall function 00224C70: _memmove.LIBCMT ref: 00224CBA

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: 45efcdc92ed4fd5bef0cf71e9e4967bf18483451317e6841ae75f1f272fdd426
Instruction ID: f8c980cd284f63397d01ebe7738dc6c7f22996ff53788a89aa21d08f0a4fa6b3
Opcode Fuzzy Hash: 45efcdc92ed4fd5bef0cf71e9e4967bf18483451317e6841ae75f1f272fdd426
Instruction Fuzzy Hash: 8B11E731620216BBDF25FFF0D816FAD77A8AF44714F108829F941A7181DEB19A259F50

Function 0025FD85 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 0025FD91

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: a16256ca82e0812ea3b282f1a2b8e69ed5d16606758e807c431621d54ec92ce4
Instruction ID: b81ec76292283573977387c613ac3c8899b8fe2bf48fee604f1dddbe4066afd6
Opcode Fuzzy Hash: a16256ca82e0812ea3b282f1a2b8e69ed5d16606758e807c431621d54ec92ce4
Instruction Fuzzy Hash: DE212674528311DFCB24DF64D444A1ABBE1BF88314F04886CF9894B721C731E865CF92

Function 00225BC0 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,002256A7,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00225C16

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: f6fd458cf9c1816ced0d1d8027d23b8d59ed0c940f3025fada1641cce8594734
Instruction ID: 25ac80efa1f56304ea89711b5d91c71ee8e4be2672d303b2e2afb17c8ba0d68e
Opcode Fuzzy Hash: f6fd458cf9c1816ced0d1d8027d23b8d59ed0c940f3025fada1641cce8594734
Instruction Fuzzy Hash: 06113A71210B25AFD3208F59E880B66B7E8EF44764F10C92EE99A86A51D7B0E855CB60

Function 00244863 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 002448A6

Part of subcall function 00248B28: __getptd_noexit.LIBCMT ref: 00248B28

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 9fd521c66b01d1a78dcecc6967203e0a64a41096ac36e6f45b7e82405767e0c3
Instruction ID: 8747078aa18e6ba006aa04a3fab37e8e0fc65a15ef21f2a963ad06343764b1d6
Opcode Fuzzy Hash: 9fd521c66b01d1a78dcecc6967203e0a64a41096ac36e6f45b7e82405767e0c3
Instruction Fuzzy Hash: 6CF0C231931609EBDF19BFB4CC0A7EE36A0EF01325F158414F424AA292CBB88971DF52

Function 00224E4A Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,002E52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00224E7E

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 25618e525a58574f370f405ec6a3832430e174c0cd41edae0799c82125b957bf
Instruction ID: f822e5eccd84bde5d14b7497a301fd02bc4d24195962cdbca02b71f805f3ac99
Opcode Fuzzy Hash: 25618e525a58574f370f405ec6a3832430e174c0cd41edae0799c82125b957bf
Instruction Fuzzy Hash: 7AF03071521722DFDB34AFA4F494852BBE1BF14325311897EE2D682611C7719850DF40

Function 00240791 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 002407B0

Part of subcall function 00227BCC: _memmove.LIBCMT ref: 00227C06

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: e755eadfb5f0e79e21237866473f21b726bbe725b511778e9ccbd7ae2f41a4ff
Instruction ID: 397f53028a14106310631792c7af32d6a0ef49945aca61ea2b2a3d893f410898
Opcode Fuzzy Hash: e755eadfb5f0e79e21237866473f21b726bbe725b511778e9ccbd7ae2f41a4ff
Instruction Fuzzy Hash: 09E0CD369051285BC720D698AC06FEA77DDDFC97A1F0441B5FC0CD7218DD749C908AD0

Function 00288E9F Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00288EC1

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
Instruction ID: a0e5e1c7bd5dfad08e43f0bbd3ac34e33cacb6c42327a7425a56686f95273ff9
Opcode Fuzzy Hash: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
Instruction Fuzzy Hash: 1EE092B0114B045BD7389F24D840BA373E1AB05304F00081DF2AA93242EB6278518B59

Function 00225C4E Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,0025DD42,?,?,00000000), ref: 00225C5F

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: ee2551f4ce8c8cf9f09d18d3f751f87c17423634fc847409a6c75d6c3821ec52
Instruction ID: 49f594e097e7f9221bf290710910778a399fabc755b9d9739933ed871ebc9010
Opcode Fuzzy Hash: ee2551f4ce8c8cf9f09d18d3f751f87c17423634fc847409a6c75d6c3821ec52
Instruction Fuzzy Hash: 4CD0C77564030CBFE710DB80DC46FA9777CD705710F100194FD0456290D6B27D508795

Function 0024525B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00245266

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: d1d523d7b845963dabea5786601fdceb7a4f81a80a8fb19aa3404696d8846d2d
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: 9CB0927644060C77CE016A82EC02A493B199B41764F408021FF0C18162A6B3A6749A89

Function 0028D07B Relevance: 1.4, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000002,00000000), ref: 0028D1FF

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 80dc0b11e5db06c6ce8c6422cf59da73d498cef16293112fe2d9bf27a4ae8604
Instruction ID: 609ce7fa4c699d2cfe872d34c97cdaa7e622b14aa21833924a77d6569bda51a1
Opcode Fuzzy Hash: 80dc0b11e5db06c6ce8c6422cf59da73d498cef16293112fe2d9bf27a4ae8604
Instruction Fuzzy Hash: 277182346253129FC704EF64D491A6EB7E0AF89314F04492DF8969B3E2DB30E969CF52

Function 01884794 Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 018847A9

Memory Dump Source

Source File: 00000001.00000002.1289259835.0000000001882000.00000040.00000020.00020000.00000000.sdmp, Offset: 01882000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1882000_H75MnQEha8.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: ab1290c184f602af077bc6043258b1fe8905f82e36532914bb3d83a58048fa40
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: 3EE0BF7594010EEFDB00EFA4D5496DD7BB4EF04701F1006A1FD05D7680DB309E549A62

Function 01884798 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 018847A9

Memory Dump Source

Source File: 00000001.00000002.1289259835.0000000001882000.00000040.00000020.00020000.00000000.sdmp, Offset: 01882000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1882000_H75MnQEha8.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 812f2a192564b38f949ff645a576956caffe1aa4dfd50ef2ee14bba8d2aa3a70
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: A7E0E67594010EEFDB00EFB4D54969D7BB4EF04701F100261FD01D2280D6309E509A62

Non-executed Functions

Function 002ACABC Relevance: 75.9, APIs: 40, Strings: 3, Instructions: 632windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00222612: GetWindowLongW.USER32(?,000000EB), ref: 00222623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 002ACB37
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 002ACB95
GetWindowLongW.USER32(?,000000F0), ref: 002ACBD6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 002ACC00
SendMessageW.USER32 ref: 002ACC29
_wcsncpy.LIBCMT ref: 002ACC95
GetKeyState.USER32(00000011), ref: 002ACCB6
GetKeyState.USER32(00000009), ref: 002ACCC3
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 002ACCD9
GetKeyState.USER32(00000010), ref: 002ACCE3
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 002ACD0C
SendMessageW.USER32 ref: 002ACD33
SendMessageW.USER32(?,00001030,?,002AB348), ref: 002ACE37
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 002ACE4D
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 002ACE60
SetCapture.USER32(?), ref: 002ACE69
ClientToScreen.USER32(?,?), ref: 002ACECE
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 002ACEDB
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 002ACEF5
ReleaseCapture.USER32 ref: 002ACF00
GetCursorPos.USER32(?), ref: 002ACF3A
ScreenToClient.USER32(?,?), ref: 002ACF47
SendMessageW.USER32(?,00001012,00000000,?), ref: 002ACFA3
SendMessageW.USER32 ref: 002ACFD1
SendMessageW.USER32(?,00001111,00000000,?), ref: 002AD00E
SendMessageW.USER32 ref: 002AD03D
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 002AD05E
SendMessageW.USER32(?,0000110B,00000009,?), ref: 002AD06D
GetCursorPos.USER32(?), ref: 002AD08D
ScreenToClient.USER32(?,?), ref: 002AD09A
GetParent.USER32(?), ref: 002AD0BA
SendMessageW.USER32(?,00001012,00000000,?), ref: 002AD123
SendMessageW.USER32 ref: 002AD154
ClientToScreen.USER32(?,?), ref: 002AD1B2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 002AD1E2
SendMessageW.USER32(?,00001111,00000000,?), ref: 002AD20C
SendMessageW.USER32 ref: 002AD22F
ClientToScreen.USER32(?,?), ref: 002AD281
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 002AD2B5

Part of subcall function 002225DB: GetWindowLongW.USER32(?,000000EB), ref: 002225EC

GetWindowLongW.USER32(?,000000F0), ref: 002AD351

Strings

@GUI_DRAGID, xrefs: 002ACE9C
pb., xrefs: 002ACEAF
F, xrefs: 002AD235

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F$pb.
API String ID: 3977979337-3736991238
Opcode ID: 0f485035acde67bc5e1daacb34f49bdcc222f284512f9bc292c1f5f6298b0043
Instruction ID: f5eff8dd224b1df1a5c6a645423dfc01ae8773bfbf02bed63ebef6572420bee4
Opcode Fuzzy Hash: 0f485035acde67bc5e1daacb34f49bdcc222f284512f9bc292c1f5f6298b0043
Instruction Fuzzy Hash: 8542C174124241EFD724CF64D888EAABBE9FF4A714F240919F565872B0CB72D860DFA1

Function 00236F9E Relevance: 55.8, APIs: 19, Strings: 10, Instructions: 5018COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 002371C3
_memset.LIBCMT ref: 00237539
_memmove.LIBCMT ref: 002376AC

Strings

3c#, xrefs: 002723A0
_#, xrefs: 002723CB
DEFINE, xrefs: 00272103
P\-, xrefs: 00271AB8
\b(?=\w), xrefs: 00273769
Q\E, xrefs: 00237FCB
[:<:]], xrefs: 00237479
[:>:]], xrefs: 00237492
\b(?<=\w), xrefs: 00273773
]-, xrefs: 00271A22

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: _memmove$_memset
String ID: ]-$3c#$DEFINE$P\-$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)$_#
API String ID: 1357608183-2530788613
Opcode ID: e77a7029694150f9de248ab8a2442127a247e5355bdbe489a9a7e1a1ae841081
Instruction ID: 41e4e607b1f9b352d61c087f2f8f962e0efe27deb184dda5532ecab4cea6876b
Opcode Fuzzy Hash: e77a7029694150f9de248ab8a2442127a247e5355bdbe489a9a7e1a1ae841081
Instruction Fuzzy Hash: 3D939471E2421ADFDF24CF58C881BADB7B1FF48710F25816AE949AB281E7709D91DB40

Function 002248D7 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 002248DF
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0025D665
IsIconic.USER32(?), ref: 0025D66E
ShowWindow.USER32(?,00000009), ref: 0025D67B
SetForegroundWindow.USER32(?), ref: 0025D685
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0025D69B
GetCurrentThreadId.KERNEL32 ref: 0025D6A2
GetWindowThreadProcessId.USER32(?,00000000), ref: 0025D6AE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0025D6BF
AttachThreadInput.USER32(?,00000000,00000001), ref: 0025D6C7
AttachThreadInput.USER32(00000000,?,00000001), ref: 0025D6CF
SetForegroundWindow.USER32(?), ref: 0025D6D2
MapVirtualKeyW.USER32(00000012,00000000), ref: 0025D6E7
keybd_event.USER32(00000012,00000000), ref: 0025D6F2
MapVirtualKeyW.USER32(00000012,00000000), ref: 0025D6FC
keybd_event.USER32(00000012,00000000), ref: 0025D701
MapVirtualKeyW.USER32(00000012,00000000), ref: 0025D70A
keybd_event.USER32(00000012,00000000), ref: 0025D70F
MapVirtualKeyW.USER32(00000012,00000000), ref: 0025D719
keybd_event.USER32(00000012,00000000), ref: 0025D71E
SetForegroundWindow.USER32(?), ref: 0025D721
AttachThreadInput.USER32(?,?,00000000), ref: 0025D748

Strings

Shell_TrayWnd, xrefs: 0025D660

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 7299c5d22ac99abc558fd0d82384cbd53a89c7e653d0dd62899ea905b42f6cdc
Instruction ID: 8b476249ecb4ce7f1eae1503da3d898d66eb9bee3b6f64e45670b5463d1e015b
Opcode Fuzzy Hash: 7299c5d22ac99abc558fd0d82384cbd53a89c7e653d0dd62899ea905b42f6cdc
Instruction Fuzzy Hash: 7031B571A903187BEB306FA1AC49F7F7F6CEB45B51F104025FA04EA1D0CAB45C11ABA5

Function 00278310 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 002787E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0027882B
Part of subcall function 002787E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00278858
Part of subcall function 002787E1: GetLastError.KERNEL32 ref: 00278865

_memset.LIBCMT ref: 00278353
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 002783A5
CloseHandle.KERNEL32(?), ref: 002783B6
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 002783CD
GetProcessWindowStation.USER32 ref: 002783E6
SetProcessWindowStation.USER32(00000000), ref: 002783F0
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0027840A

Part of subcall function 002781CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00278309), ref: 002781E0
Part of subcall function 002781CB: CloseHandle.KERNEL32(?,?,00278309), ref: 002781F2

Strings

winsta0, xrefs: 002783C8
, xrefs: 00278362
default, xrefs: 00278405

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 82f25b2232faa8a574dc3dcb4ed068a61f3041dfc657e2a7e3562a587271bbc1
Instruction ID: 6f2c48ded11988f3e18e2be13d3df24240fc58f99105f2b3250c9954505b45ac
Opcode Fuzzy Hash: 82f25b2232faa8a574dc3dcb4ed068a61f3041dfc657e2a7e3562a587271bbc1
Instruction Fuzzy Hash: C981A17196020AAFDF11DFA4DD49AEEBB78FF04304F148169F918B6261DB358E24DB20

Function 0028C75C Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0028C78D
FindClose.KERNEL32(00000000), ref: 0028C7E1
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0028C806
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0028C81D
FileTimeToSystemTime.KERNEL32(?,?), ref: 0028C844
__swprintf.LIBCMT ref: 0028C890
__swprintf.LIBCMT ref: 0028C8D3

Part of subcall function 00227DE1: _memmove.LIBCMT ref: 00227E22

__swprintf.LIBCMT ref: 0028C927

Part of subcall function 00243698: __woutput_l.LIBCMT ref: 002436F1

__swprintf.LIBCMT ref: 0028C975

Part of subcall function 00243698: __flsbuf.LIBCMT ref: 00243713
Part of subcall function 00243698: __flsbuf.LIBCMT ref: 0024372B

__swprintf.LIBCMT ref: 0028C9C4
__swprintf.LIBCMT ref: 0028CA13
__swprintf.LIBCMT ref: 0028CA62

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 0028C88A
%02d, xrefs: 0028C91B, 0028C925, 0028C973, 0028C9C2, 0028CA11, 0028CA60
%4d, xrefs: 0028C8CD

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: eb18ecd88181c41078f352b42d5ec6726a9dd9717e9193d06bb0a7b821649677
Instruction ID: 11ce8f757dcbc1fe9326ad18ae03e7a6f5e2822f8c2a7da97ce3b553648903c3
Opcode Fuzzy Hash: eb18ecd88181c41078f352b42d5ec6726a9dd9717e9193d06bb0a7b821649677
Instruction Fuzzy Hash: 9DA14BB2429315BBC704EFA4D886DAFB7ECBF85700F404929F58586191EB34DA58CF62

Function 0028EF95 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 0028EFB6
_wcscmp.LIBCMT ref: 0028EFCB
_wcscmp.LIBCMT ref: 0028EFE2
GetFileAttributesW.KERNEL32(?), ref: 0028EFF4
SetFileAttributesW.KERNEL32(?,?), ref: 0028F00E
FindNextFileW.KERNEL32(00000000,?), ref: 0028F026
FindClose.KERNEL32(00000000), ref: 0028F031
FindFirstFileW.KERNEL32(*.*,?), ref: 0028F04D
_wcscmp.LIBCMT ref: 0028F074
_wcscmp.LIBCMT ref: 0028F08B
SetCurrentDirectoryW.KERNEL32(?), ref: 0028F09D
SetCurrentDirectoryW.KERNEL32(002D8920), ref: 0028F0BB
FindNextFileW.KERNEL32(00000000,00000010), ref: 0028F0C5
FindClose.KERNEL32(00000000), ref: 0028F0D2
FindClose.KERNEL32(00000000), ref: 0028F0E4

Strings

*.*, xrefs: 0028F048

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 4561dfa4de78a2eb49af671e77b110a0d6b4edb2344d92434980382653c44625
Instruction ID: 482726026948386ffae6ecfd3b54812d823a7582adfed56ca9a4bd0bf58fa165
Opcode Fuzzy Hash: 4561dfa4de78a2eb49af671e77b110a0d6b4edb2344d92434980382653c44625
Instruction Fuzzy Hash: 7031DF365122096FCB54AFA0ED48BEE77AC9F4A320F104162E800E2191EB74DA64CB61

Function 002A0857 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 002A0953
RegCreateKeyExW.ADVAPI32(?,?,00000000,002AF910,00000000,?,00000000,?,?), ref: 002A09C1
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 002A0A09
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 002A0A92
RegCloseKey.ADVAPI32(?), ref: 002A0DB2
RegCloseKey.ADVAPI32(00000000), ref: 002A0DBF

Strings

REG_QWORD, xrefs: 002A0D00
REG_SZ, xrefs: 002A0AD0
REG_EXPAND_SZ, xrefs: 002A0A2F
REG_DWORD, xrefs: 002A0C83
REG_BINARY, xrefs: 002A0D4D
REG_MULTI_SZ, xrefs: 002A0B7A

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 3c6e575909a22d8931efed600eb7d0a1d017e40caeaf847a7afe85016db105f3
Instruction ID: 929a8ef733bf3b4d9af9859d56def4fa50d171149f9891976ecf25c7d3f2b576
Opcode Fuzzy Hash: 3c6e575909a22d8931efed600eb7d0a1d017e40caeaf847a7afe85016db105f3
Instruction Fuzzy Hash: 99025B75620611AFCB14EF54D885E2AB7E5EF8A310F04845DF8899B362CB30EC65CF81

Function 002366E1 Relevance: 25.9, Strings: 20, Instructions: 889COMMON

Download Yara Rule

Strings

_#, xrefs: 00271465, 0027150C, 002715B4
LF), xrefs: 002712A4
BSR_UNICODE), xrefs: 00271338
UTF), xrefs: 002710FA
LIMIT_MATCH=, xrefs: 00271170
UCP), xrefs: 0027110D
NO_START_OPT), xrefs: 0027114F
0E,, xrefs: 0023673D
NO_AUTO_POSSESS), xrefs: 0027112E
0D,, xrefs: 00236733
3c#, xrefs: 002368FF
ANYCRLF), xrefs: 002712FB
ANY), xrefs: 002712DE
BSR_ANYCRLF), xrefs: 0027131E
CRLF), xrefs: 002712C1
LIMIT_RECURSION=, xrefs: 002711FC
CR), xrefs: 00271287
0F,, xrefs: 00236747
pG,, xrefs: 00236751
UTF16), xrefs: 002710CF

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID:
String ID: 0D,$0E,$0F,$3c#$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$pG,$_#
API String ID: 0-1869211329
Opcode ID: e54aced355b2f2a5fd13c96387842eb50504bf276b8cc9a00da23ecfb4a65dcd
Instruction ID: 64ea8c665cff379d18e4a3cf2e23135de38761918b0a75a01094f98c12c98d78
Opcode Fuzzy Hash: e54aced355b2f2a5fd13c96387842eb50504bf276b8cc9a00da23ecfb4a65dcd
Instruction Fuzzy Hash: 447261B1E2021A9BDB14CF58C8847AEB7B5FF44710F14C16AE949EB291DB709DA1CF90

Function 0028F0F2 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 0028F113
_wcscmp.LIBCMT ref: 0028F128
_wcscmp.LIBCMT ref: 0028F13F

Part of subcall function 00284385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 002843A0

FindNextFileW.KERNEL32(00000000,?), ref: 0028F16E
FindClose.KERNEL32(00000000), ref: 0028F179
FindFirstFileW.KERNEL32(*.*,?), ref: 0028F195
_wcscmp.LIBCMT ref: 0028F1BC
_wcscmp.LIBCMT ref: 0028F1D3
SetCurrentDirectoryW.KERNEL32(?), ref: 0028F1E5
SetCurrentDirectoryW.KERNEL32(002D8920), ref: 0028F203
FindNextFileW.KERNEL32(00000000,00000010), ref: 0028F20D
FindClose.KERNEL32(00000000), ref: 0028F21A
FindClose.KERNEL32(00000000), ref: 0028F22C

Strings

*.*, xrefs: 0028F190

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: b496b77e61b8a0752171b030b849f886b74ba45fc9128f02157d99e18b2083a9
Instruction ID: e9424581d0ec754fe9900c5e1477f691cb03c96ca998bf49542b8ab39c9df2cd
Opcode Fuzzy Hash: b496b77e61b8a0752171b030b849f886b74ba45fc9128f02157d99e18b2083a9
Instruction Fuzzy Hash: 5F31C43A51121A6BCB54AFA4ED59BEE77AC9F4A360F100171E804A21E0DB34DE65CF64

Function 0028A1EF Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0028A20F
__swprintf.LIBCMT ref: 0028A231
CreateDirectoryW.KERNEL32(?,00000000), ref: 0028A26E
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0028A293
_memset.LIBCMT ref: 0028A2B2
_wcsncpy.LIBCMT ref: 0028A2EE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0028A323
CloseHandle.KERNEL32(00000000), ref: 0028A32E
RemoveDirectoryW.KERNEL32(?), ref: 0028A337
CloseHandle.KERNEL32(00000000), ref: 0028A341

Strings

:, xrefs: 0028A252
\, xrefs: 0028A247
\??\%s, xrefs: 0028A22B

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: cda9b5b40e3126fdc48c1fbbb06a0298d38925754d357682fa7ff58cc87008f6
Instruction ID: 981d6c402073c5a40885697f6bb5b284cb79688a6cd06fe1987d448d72f01f85
Opcode Fuzzy Hash: cda9b5b40e3126fdc48c1fbbb06a0298d38925754d357682fa7ff58cc87008f6
Instruction Fuzzy Hash: 9731E6B591010AABDB21DFA0DC49FEB77BCEF89700F1040B6F908D21A0EB7496548B25

Function 0028001C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00280097
SetKeyboardState.USER32(?), ref: 00280102
GetAsyncKeyState.USER32(000000A0), ref: 00280122
GetKeyState.USER32(000000A0), ref: 00280139
GetAsyncKeyState.USER32(000000A1), ref: 00280168
GetKeyState.USER32(000000A1), ref: 00280179
GetAsyncKeyState.USER32(00000011), ref: 002801A5
GetKeyState.USER32(00000011), ref: 002801B3
GetAsyncKeyState.USER32(00000012), ref: 002801DC
GetKeyState.USER32(00000012), ref: 002801EA
GetAsyncKeyState.USER32(0000005B), ref: 00280213
GetKeyState.USER32(0000005B), ref: 00280221

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 7b2824453aeb716dc79e98da3c5e6cdd63eb9cdf02ab1fcfdbc675ddd03e0522
Instruction ID: b0f01afd1cfd8b65b18299ed43dc00725c9713107feff7d776ab8acb080c0d8c
Opcode Fuzzy Hash: 7b2824453aeb716dc79e98da3c5e6cdd63eb9cdf02ab1fcfdbc675ddd03e0522
Instruction Fuzzy Hash: 38513C289167891DFB70FFA088957EABFB48F01380F08459EC9C5561C3DAA49B9CCB61

Function 002A03DA Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 002A0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0029FDAD,?,?), ref: 002A0E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 002A04AC

Part of subcall function 00229837: __itow.LIBCMT ref: 00229862
Part of subcall function 00229837: __swprintf.LIBCMT ref: 002298AC

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 002A054B
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 002A05E3
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 002A0822
RegCloseKey.ADVAPI32(00000000), ref: 002A082F

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: f02455f02e6ca3263139e4ac6fe490d1e3234363cd28633793ccd6fe4c336bbd
Instruction ID: bac645e27b4d5e75e3622ee904db94894e6ea4f5439f7106983bf7ec9f7f5e0e
Opcode Fuzzy Hash: f02455f02e6ca3263139e4ac6fe490d1e3234363cd28633793ccd6fe4c336bbd
Instruction Fuzzy Hash: A0E17E71614211AFCB14DF64D885E2ABBE8FF8A314F04856DF849DB261DA30EC55CF92

Function 002983BB Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00229837: __itow.LIBCMT ref: 00229862
Part of subcall function 00229837: __swprintf.LIBCMT ref: 002298AC

CoInitialize.OLE32 ref: 00298403
CoUninitialize.OLE32 ref: 0029840E
CoCreateInstance.OLE32(?,00000000,00000017,002B2BEC,?), ref: 0029846E
IIDFromString.OLE32(?,?), ref: 002984E1
VariantInit.OLEAUT32(?), ref: 0029857B
VariantClear.OLEAUT32(?), ref: 002985DC

Strings

NULL Pointer assignment, xrefs: 002984B3
Failed to create object, xrefs: 00298479, 0029852F
Invalid parameter, xrefs: 002984FA

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 6129f1fe53c6f2f9f697a557014d2115789449abe3163fed179aa7b51f8f5bd0
Instruction ID: 3ec81924857c6fb9de3a0d84d35c037ed90b9f70aaefdce083d56adfd273a97a
Opcode Fuzzy Hash: 6129f1fe53c6f2f9f697a557014d2115789449abe3163fed179aa7b51f8f5bd0
Instruction Fuzzy Hash: 7561F070628312AFCB10DF64D848F6EB7E8AF4A714F49441DF9859B291CB70ED58CB92

Function 00294164 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0029418B
EmptyClipboard.USER32 ref: 00294191
GlobalAlloc.KERNEL32(00000002,?), ref: 002941A6
CloseClipboard.USER32 ref: 00294245

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: a3c6101341d6dda31bf493e3e86b4c095142d93c6d7f62ebae13ac7616be460f
Instruction ID: 826c5d4bd6a8cac747529552cd4d4dcaa254d619bc5d9a8b29062ac82df04fb2
Opcode Fuzzy Hash: a3c6101341d6dda31bf493e3e86b4c095142d93c6d7f62ebae13ac7616be460f
Instruction Fuzzy Hash: C121BC35610610AFDB14AFA0FD0DF6A7BA8FF05710F04802AF94A9B2A1DB74AC52CF45

Function 002837EF Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00224750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00224743,?,?,002237AE,?), ref: 00224770

Part of subcall function 00284A31: GetFileAttributesW.KERNEL32(?,0028370B), ref: 00284A32

FindFirstFileW.KERNEL32(?,?), ref: 002838A3
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 0028394B
MoveFileW.KERNEL32(?,?), ref: 0028395E
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 0028397B
FindNextFileW.KERNEL32(00000000,00000010), ref: 0028399D
FindClose.KERNEL32(00000000,?,?,?,?), ref: 002839B9

Strings

\*.*, xrefs: 0028384E, 00283857, 0028386C

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: 0e9d3221f5c69742a2bbaf6e578e7635304dfccea5386eb0d75ea3eb25f7a869
Instruction ID: c855ed6cc9402b43f941636b008667f0f726dcd217d040ef57e7eaee2bf43f68
Opcode Fuzzy Hash: 0e9d3221f5c69742a2bbaf6e578e7635304dfccea5386eb0d75ea3eb25f7a869
Instruction Fuzzy Hash: CC518D3582615DAACF05FFE0EA929EDB778AF15300F604069E80276191EF756F29CF60

Function 0028F3F3 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00227DE1: _memmove.LIBCMT ref: 00227E22

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0028F440
Sleep.KERNEL32(0000000A), ref: 0028F470
_wcscmp.LIBCMT ref: 0028F484
_wcscmp.LIBCMT ref: 0028F49F
FindNextFileW.KERNEL32(?,?), ref: 0028F53D
FindClose.KERNEL32(00000000), ref: 0028F553

Strings

*.*, xrefs: 0028F425

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: 9a931f217049185855a8f11228d2df475115c2eb6630b1224c1dbcdbf81a85f6
Instruction ID: 1800eaad2ad002ae7c9fbad3b699a072634e30f1db0f149a8f28198dbf2c6e2d
Opcode Fuzzy Hash: 9a931f217049185855a8f11228d2df475115c2eb6630b1224c1dbcdbf81a85f6
Instruction Fuzzy Hash: 9341B27582121AAFCF54EFA4DD48AEEBBB4FF05310F544066E814A3190DB349E64CF90

Function 00233030 Relevance: 11.1, APIs: 4, Strings: 2, Instructions: 587COMMON

Download Yara Rule

Strings

3c#, xrefs: 00233225
_#, xrefs: 00233322

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: __itow__swprintf
String ID: 3c#$_#
API String ID: 674341424-1894676648
Opcode ID: f83eeb8f7e81f56a2f7d672f9b8d6c9f1ecdb9984c9d67945943e90d6c7aecf6
Instruction ID: 7af9c046a9f5014b591c1586c6196ef80d1cf7e9c87b5453f2f53532fa58028e
Opcode Fuzzy Hash: f83eeb8f7e81f56a2f7d672f9b8d6c9f1ecdb9984c9d67945943e90d6c7aecf6
Instruction Fuzzy Hash: 7522ACB16283119FC724DF64D881B6EB7E4BF84310F04491DF98A97291DB71EAA4CF92

Function 00235760 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 002358A5
_memmove.LIBCMT ref: 002358F5
_memmove.LIBCMT ref: 0023595B

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 873af4bda69106d6743448b6f3828241a452ac5f2636244bc09cf395380d57f6
Instruction ID: b63e3373a2d55db81b52ed8fa5043c76ca5bbd358179b1014ddeffdce6021776
Opcode Fuzzy Hash: 873af4bda69106d6743448b6f3828241a452ac5f2636244bc09cf395380d57f6
Instruction Fuzzy Hash: C2129EB0A20619EFDF04DFA5D981AAEB7F5FF48300F108529E40AE7250EB75AD64CB51

Function 00283B12 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00224750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00224743,?,?,002237AE,?), ref: 00224770

Part of subcall function 00284A31: GetFileAttributesW.KERNEL32(?,0028370B), ref: 00284A32

FindFirstFileW.KERNEL32(?,?), ref: 00283B89
DeleteFileW.KERNEL32(?,?,?,?), ref: 00283BD9
FindNextFileW.KERNEL32(00000000,00000010), ref: 00283BEA
FindClose.KERNEL32(00000000), ref: 00283C01
FindClose.KERNEL32(00000000), ref: 00283C0A

Strings

\*.*, xrefs: 00283B5B

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 5ad045fe7d196d12bb7c1c58271fdeffc526bd2da1d651609db42a5612de0a99
Instruction ID: 8bb155b7954302988118d13344c6e0fc2149fd8d0076d9cf0d5ab94ef2987c2e
Opcode Fuzzy Hash: 5ad045fe7d196d12bb7c1c58271fdeffc526bd2da1d651609db42a5612de0a99
Instruction Fuzzy Hash: C631A43502D395ABC300FFA4E8959AFB7E8AE52314F404D1EF4D592191EB34DA28CB93

Function 002851BD Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 002787E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0027882B
Part of subcall function 002787E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00278858
Part of subcall function 002787E1: GetLastError.KERNEL32 ref: 00278865

ExitWindowsEx.USER32(?,00000000), ref: 002851F9

Strings

@, xrefs: 002851EC
SeShutdownPrivilege, xrefs: 002851C9
, xrefs: 002851E7

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 1467fdb02f83ac632c0b0f6f91424d41b475ea91be2c4ca75ecc38e3e14f55f0
Instruction ID: 90f0c107e4e2e2fea601bfe09f7b795db69f0d1755d7975da4db2ce4275fd241
Opcode Fuzzy Hash: 1467fdb02f83ac632c0b0f6f91424d41b475ea91be2c4ca75ecc38e3e14f55f0
Instruction Fuzzy Hash: 7801FC3D6B36226BF7287664AC8EFB6B258AB05740F540421FD57D20D9DD911C204790

Function 00296283 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 002962DC
WSAGetLastError.WSOCK32(00000000), ref: 002962EB
bind.WSOCK32(00000000,?,00000010), ref: 00296307
listen.WSOCK32(00000000,00000005), ref: 00296316
WSAGetLastError.WSOCK32(00000000), ref: 00296330
closesocket.WSOCK32(00000000,00000000), ref: 00296344

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 5302935bfa1733fa439c8aba0cb19633d214a0f32ec9a3918e2a7814a68c4cf7
Instruction ID: 8caaf009091f3be37475d2a83b62703126f53f9a46b5215cab8d1fa1dbcc6fec
Opcode Fuzzy Hash: 5302935bfa1733fa439c8aba0cb19633d214a0f32ec9a3918e2a7814a68c4cf7
Instruction Fuzzy Hash: 1B21D031610210AFCF10EFA4DD89A6EB7E9EF49B20F148259E856A7391CB74AC51CB51

Function 00235520 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00240DB6: std::exception::exception.LIBCMT ref: 00240DEC
Part of subcall function 00240DB6: __CxxThrowException@8.LIBCMT ref: 00240E01

_memmove.LIBCMT ref: 00270258
_memmove.LIBCMT ref: 0027036D
_memmove.LIBCMT ref: 00270414

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: 05362ba728d675f5cbf807004cb940ee76f582d3a7f74a730c0d703b5cdfb17c
Instruction ID: a32555596a07219c5ee38909fa9e45ef0f321904f5bfe563702d370355ae4d2b
Opcode Fuzzy Hash: 05362ba728d675f5cbf807004cb940ee76f582d3a7f74a730c0d703b5cdfb17c
Instruction Fuzzy Hash: 1E02A1B0E20215DBCF04DF64D981AAEBBB5EF44300F54C069E80ADB255EB75DD64CB91

Function 00221287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00222612: GetWindowLongW.USER32(?,000000EB), ref: 00222623

DefDlgProcW.USER32(?,?,?,?,?), ref: 002219FA
GetSysColor.USER32(0000000F), ref: 00221A4E
SetBkColor.GDI32(?,00000000), ref: 00221A61

Part of subcall function 00221290: DefDlgProcW.USER32(?,00000020,?), ref: 002212D8

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: e3d5160b95c1f2542e2d2e08b3025aa66aa0eaa705d155959f74c983d3b05d86
Instruction ID: 49a154e94d56c47020bf921a9379718dafeed107e8b3ee570ed52602ee72ff9d
Opcode Fuzzy Hash: e3d5160b95c1f2542e2d2e08b3025aa66aa0eaa705d155959f74c983d3b05d86
Instruction Fuzzy Hash: 81A19A701325B6BBE739AEA87C48E7F255CDF66346B240109F802D5192CE768D70CAB5

Function 00296747 Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00297D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00297DB6

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0029679E
WSAGetLastError.WSOCK32(00000000), ref: 002967C7
bind.WSOCK32(00000000,?,00000010), ref: 00296800
WSAGetLastError.WSOCK32(00000000), ref: 0029680D
closesocket.WSOCK32(00000000,00000000), ref: 00296821

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: 57cff9def3b6da210b3c5bbbfc78daea434b3cd4007a4c9cba82eeb6bd232513
Instruction ID: d41d2e5827c4a5c13d113f729cd36586bd3e1dd25a3e825a267ef9ead36ccbbc
Opcode Fuzzy Hash: 57cff9def3b6da210b3c5bbbfc78daea434b3cd4007a4c9cba82eeb6bd232513
Instruction Fuzzy Hash: A3410471A10220BFDB10AFA4AC86F6E77E8EF05710F448458F905AB3C2CA749D508B92

Function 002A5376 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 002A53C5
IsWindowEnabled.USER32 ref: 002A53D3
GetForegroundWindow.USER32(?,?,00000001), ref: 002A53E0
IsIconic.USER32 ref: 002A53EE
IsZoomed.USER32 ref: 002A53FC

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: b1e8d358604d02d0e0d282338d7c87a592dacc9deca5f6b5669abeb3c91ee6b2
Instruction ID: 94215ff78ee23dc83b8619f0fe6fdd61920c05dec6a86bf33964dddd3c71380e
Opcode Fuzzy Hash: b1e8d358604d02d0e0d282338d7c87a592dacc9deca5f6b5669abeb3c91ee6b2
Instruction Fuzzy Hash: 121108327209316FDB215F66AC48A1FBB9CFF867A1B404068F845D3241CFB4DC11CA90

Function 002780A9 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 002780C0
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 002780CA
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 002780D9
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 002780E0
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 002780F6

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: a10b6e6417f096d7e903a890d52eda0190988f3522bd984f586b381cbe59528e
Instruction ID: cd0fbab304e88b40256dd47d13a391cc25cfa75c49e87bf1666de65fd5bd5238
Opcode Fuzzy Hash: a10b6e6417f096d7e903a890d52eda0190988f3522bd984f586b381cbe59528e
Instruction Fuzzy Hash: ECF0CD30290205AFEB600FA4ED8CE6B3BACEF8A755B404029F90DD2150CFB49C12DA60

Function 0022E6A0 Relevance: 7.4, Strings: 5, Instructions: 1102COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 00263E62
Dd., xrefs: 00263B2E
Dd., xrefs: 0022EAC1
Dd., xrefs: 0022EABA
Dd., xrefs: 00263AF5

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID:
String ID: Dd.$Dd.$Dd.$Dd.$Variable must be of type 'Object'.
API String ID: 0-4147315530
Opcode ID: e66b80cf317bdb8be3ec9e809c12ee8f7c0444259e37ed2bb83014c509f405fe
Instruction ID: 0464c5ac2166eb0f78b704e99ece5d6a176ebed9545c559d3b50052c8394ff93
Opcode Fuzzy Hash: e66b80cf317bdb8be3ec9e809c12ee8f7c0444259e37ed2bb83014c509f405fe
Instruction Fuzzy Hash: 20A2C174A20226EFCF24CF94E480AADB7B1FF59310F668069E8059B351D774EDA1DB90

Function 00224B37 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00224AD0), ref: 00224B45
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00224B57

Strings

kernel32.dll, xrefs: 00224B40
GetNativeSystemInfo, xrefs: 00224B51

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 31ee7560bfccaf83bdbcc55cb0b5eb13e14a66d0f289c8bc817623b89d5c1fa9
Instruction ID: 3c9588d4111afa931f6e95103e811a68a33f02338db94e9e03eacff348b1dea4
Opcode Fuzzy Hash: 31ee7560bfccaf83bdbcc55cb0b5eb13e14a66d0f289c8bc817623b89d5c1fa9
Instruction Fuzzy Hash: F7D0C230A20323DFC720AFB1F918B0272E4AF07344B108C39D486C2150DA78D490CA24

Function 0029EE0D Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0029EE3D
Process32FirstW.KERNEL32(00000000,?), ref: 0029EE4B

Part of subcall function 00227DE1: _memmove.LIBCMT ref: 00227E22

Process32NextW.KERNEL32(00000000,?), ref: 0029EF0B
CloseHandle.KERNEL32(00000000,?,?,?), ref: 0029EF1A

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 94865ded69a9d2ef86d3e020097d280263890d6a7aa2810245bf79e38a03c6d7
Instruction ID: f49a5ab5ed7363073d7fbad0a526ed58c7eb2757a71978e7538988473ce4d8c5
Opcode Fuzzy Hash: 94865ded69a9d2ef86d3e020097d280263890d6a7aa2810245bf79e38a03c6d7
Instruction Fuzzy Hash: 5251BE71118321AFD710EF60EC85E6BB7E8EF94710F50482DF495972A1EB70E958CB92

Function 0027E616 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 0027E628

Strings

|, xrefs: 0027E658
(, xrefs: 0027E66E

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: dfa43eaab9e21c5380332d0de2213c11e5410388b322119e82a7d93e6567784f
Instruction ID: 29f222245247d8aac5a400ee2740d59f579f2e58e7f093352b080dab324e6b72
Opcode Fuzzy Hash: dfa43eaab9e21c5380332d0de2213c11e5410388b322119e82a7d93e6567784f
Instruction Fuzzy Hash: A5322575A107059FDB28CF29C48196AB7F1FF48310B16C4AEE89ADB3A1E770E951CB50

Function 002922EE Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0029180A,00000000), ref: 002923E1
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00292418

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 33fe39cb64cf667ff83f9db727d50a31724b4645781c290e509c474991297889
Instruction ID: c1caa56ff94d1cbd19d41c4f764bb7de29f95be34b2d0895e953afcda2323c66
Opcode Fuzzy Hash: 33fe39cb64cf667ff83f9db727d50a31724b4645781c290e509c474991297889
Instruction Fuzzy Hash: CF41177192030AFFEF10DE95DC85EBBB7BCEB40314F10406EFA40A6140DAB49E699A54

Function 0028B333 Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0028B343
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0028B39D
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0028B3EA

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: c7fd168e888f46d6d455b548f4e50137e0d85781b9f668d8dc0caa9eba3d4088
Instruction ID: 08230906ea2f838b01614536e9f0cf98529df2e251164c5c5fe1c050cc97cf69
Opcode Fuzzy Hash: c7fd168e888f46d6d455b548f4e50137e0d85781b9f668d8dc0caa9eba3d4088
Instruction Fuzzy Hash: AD217435A10518EFCB00EFA5E885AEDBBB8FF49310F1480A9E905AB351CB319955CF51

Function 002787E1 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00240DB6: std::exception::exception.LIBCMT ref: 00240DEC
Part of subcall function 00240DB6: __CxxThrowException@8.LIBCMT ref: 00240E01

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0027882B
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00278858
GetLastError.KERNEL32 ref: 00278865

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: dfab5bef8c91f5c5e754cd021f87cea596926affd5a46066953b54c98c0a306d
Instruction ID: 597f425b223b6749e20bcd7986b1658ce135d8b8b04f02100e5bd7e697447eda
Opcode Fuzzy Hash: dfab5bef8c91f5c5e754cd021f87cea596926affd5a46066953b54c98c0a306d
Instruction Fuzzy Hash: D51190B1824205AFD718DFA4EC89D2BB7F8EB05310B10852EE45987201DA30AC508B60

Function 0027874B Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00278774
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0027878B
FreeSid.ADVAPI32(?), ref: 0027879B

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 3353e599f8b4f716250c2ddff0943970c9d6ba13be2a1f59d324ba91470cd9f6
Instruction ID: 62bd2f2ce2fba2fdfb7e717e73fd029d1407b57005b7dd820df975942e1cb042
Opcode Fuzzy Hash: 3353e599f8b4f716250c2ddff0943970c9d6ba13be2a1f59d324ba91470cd9f6
Instruction Fuzzy Hash: D2F0627595130DBFDF04DFF4DD89ABEB7BCEF08201F104469A501E2181E7755A048B50

Function 00288889 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 0028889B

Part of subcall function 0024520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00288F6E,00000000,?,?,?,?,0028911F,00000000,?), ref: 00245213
Part of subcall function 0024520A: __aulldiv.LIBCMT ref: 00245233

Strings

0e., xrefs: 00288892

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID: 0e.
API String ID: 2893107130-527871663
Opcode ID: 7c80e81577d8330ca02d62a5d754f65d8fed1cbe437d645d3196f0bca08e3bd9
Instruction ID: c9698e2674de0550e39bed20df39b1debcbd620b7a206a9c76dbac3505c96a90
Opcode Fuzzy Hash: 7c80e81577d8330ca02d62a5d754f65d8fed1cbe437d645d3196f0bca08e3bd9
Instruction Fuzzy Hash: 9421B4366356108BC729CF25E885A52B3E1EFA5311BA88E6CD1F5CF2C0CA74B915CF54

Function 0028C6D1 Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0028C6FB
FindClose.KERNEL32(00000000), ref: 0028C72B

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 898349b6dc857eb0838db32873dae0ad47e3c0016eaaa47428e0e85e79f8b121
Instruction ID: d3fe7add580160cb9454eafb3b28222aa68c943e8584daa90e3c5bb9160c79bf
Opcode Fuzzy Hash: 898349b6dc857eb0838db32873dae0ad47e3c0016eaaa47428e0e85e79f8b121
Instruction Fuzzy Hash: 8411A1766106009FDB10EF69D849A2AF7E8FF85320F14851DF8A9C7290DB30AC11CF91

Function 0028A06A Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00299468,?,002AFB84,?), ref: 0028A097
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00299468,?,002AFB84,?), ref: 0028A0A9

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 0326189ae0d62a22354df866b97d5a5cb4d1ff4b2ddbb858ee275f22e4b1686c
Instruction ID: 4af482460479b97b2fc9c854788d72437a1342917055a47160723d1dbd8709f2
Opcode Fuzzy Hash: 0326189ae0d62a22354df866b97d5a5cb4d1ff4b2ddbb858ee275f22e4b1686c
Instruction Fuzzy Hash: A2F0E23511522DBBDB20AFA4DC48FEA736CBF09362F004166F809D2180CA70A920CBA1

Function 002781CB Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00278309), ref: 002781E0
CloseHandle.KERNEL32(?,?,00278309), ref: 002781F2

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 695488e107d72d7aea8762a53882d2a5b68c372cef9ca335d9ba05afdaf5106f
Instruction ID: 701cb91db2e446edb7f289d4ad03d4960e90f687f862c9cfc610ad786f4dff84
Opcode Fuzzy Hash: 695488e107d72d7aea8762a53882d2a5b68c372cef9ca335d9ba05afdaf5106f
Instruction Fuzzy Hash: B2E08C32020610AFEB252B61FC08D737BEAEF04310710886DF9AA84430CB72ACB0DB10

Function 0024A155 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00248D57,?,?,?,00000001), ref: 0024A15A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0024A163

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: b22de4b31e5334e4d80095ff8a45bd4739bf92b68c9e3cd3f5afbc837c6c8822
Instruction ID: b7cc874f780bd806d4d3aac185dfec545841f66a461a3e9601a05e19b8b1bcf4
Opcode Fuzzy Hash: b22de4b31e5334e4d80095ff8a45bd4739bf92b68c9e3cd3f5afbc837c6c8822
Instruction Fuzzy Hash: CBB09231054248ABCF802BD1FD5DB883F68EB46AA2F4040A0FE0D84060CFA654508A91

Function 0024F1D9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee84a043ae0dc89b2d39d9f8b43855d8d57259d0146dc125ccf710a08fc13e63
Instruction ID: 8bc1bb40cd08ef033aabab3dd293a49ed3f0571a26ae21386df336b05f7f3595
Opcode Fuzzy Hash: ee84a043ae0dc89b2d39d9f8b43855d8d57259d0146dc125ccf710a08fc13e63
Instruction Fuzzy Hash: F532E131D39F414DDB679A34D976326A288AFF73C8F15D737E81AB59A6EB28C4834100

Function 0025242E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 187b8e62ddd248ae54e50e8553184895a9b6ff8e2f0ed9dd75667e67d747c46e
Instruction ID: c2bdec097a2999f03ea3f27dbf8e61f46e6a538a2a6e90c21cc058c41dcfc215
Opcode Fuzzy Hash: 187b8e62ddd248ae54e50e8553184895a9b6ff8e2f0ed9dd75667e67d747c46e
Instruction Fuzzy Hash: 66B10030E2AF414DD32396399839336BA9CAFBB2C5F51D71BFC2670D62EB2185834141

Function 00284C27 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00284C4A

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: e421be53b1239378d2012da915e13d3b24015b1b1f96ab2716f367fac27c6686
Instruction ID: 1ea71d2475019988c9bae8977b3a2a762ee6f3991f30921f4632d144e160dd59
Opcode Fuzzy Hash: e421be53b1239378d2012da915e13d3b24015b1b1f96ab2716f367fac27c6686
Instruction Fuzzy Hash: 54D017A917720B2BEC1C3B209A0FF7A020CE30078AFD4814A75018A0C2ADC45C605230

Function 002787B1 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00278389), ref: 002787D1

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: a171f091d7f0dc157497327be9c8746790c00852295ebd717306679e9a7b4313
Instruction ID: 02cd9f60955bdb8cebf36a94d580f3c453d99ed19d558e3b2546c681b8267b1e
Opcode Fuzzy Hash: a171f091d7f0dc157497327be9c8746790c00852295ebd717306679e9a7b4313
Instruction Fuzzy Hash: 68D05E322A050EABEF018EA4ED05EAE3B69EB04B01F408111FE15C50A1C775D835AB60

Function 0024A124 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 0024A12A

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 05cf3e9e2f18522e0a08a53bc517562030564026c753fc19834728f37967e3b8
Instruction ID: a261f84168f0aacd18aae51c3e6d5212deb44b0a8f83587bfa15c66fd7a32f68
Opcode Fuzzy Hash: 05cf3e9e2f18522e0a08a53bc517562030564026c753fc19834728f37967e3b8
Instruction Fuzzy Hash: 5BA0113000020CAB8F002B82FC08888BFACEA022A0B0080A0FC0C800228B32A8208A80

Function 00238808 Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e47f46a7fe77a5bb029368aadb4c5c87ea47028b6cf26b2986d9226e0303939
Instruction ID: 192cdb55b3702fb3d0f6b389c3a4ee6b350704c22554f6acdf6cf5a234812b56
Opcode Fuzzy Hash: 5e47f46a7fe77a5bb029368aadb4c5c87ea47028b6cf26b2986d9226e0303939
Instruction Fuzzy Hash: 1C22047093476B8BDF288E24C494B7CB7B1BB01344F68846BF94A8F592DBB09DB1C651

Function 002421C5 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 3fd8ec4c2dd76c9dbb42e1bc150cd9195ae767af4e3364ac72ba1af1810776e4
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 30C1AB7222515389DF2D8E3AC43413EFBA15EA27B135A076DE8B3DB1D4EE10C979D620

Function 002425FA Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 08dedfba146beed0b796dfbbf0304ab44b87bcaa4391bffa7928228687a45fb8
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 8BC1B67222519389DF2D4A3AC43403EFBA15EA27F135A076DE4B3DB1D4EE10C978D620

Function 00241978 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 26a632d94538e4e8b0f15a43ab6789bdcef7f64b0d6927f24659f064a5261894
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 95C1957266519349DF2D4A39C47413EFBA15EA2BB131A076DD4B3CB1C4FE20C9B5D620

Function 01885B28 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1289259835.0000000001882000.00000040.00000020.00020000.00000000.sdmp, Offset: 01882000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1882000_H75MnQEha8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: 89d65d2eb3d792fa25c49c9bdb2597386039b1839492c57518a00b0369667ab8
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: 5141D371D1051CEBCF48CFADC991AEEBBF2AF88201F548299D516AB345D730AB41DB80

Function 01885A18 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1289259835.0000000001882000.00000040.00000020.00020000.00000000.sdmp, Offset: 01882000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1882000_H75MnQEha8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: 244b5cb242abbd7d0bd5abe32ab97f09002449c921036c24f785487469a07aa0
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: D6018078A00209EFCB44EF98C5909AEF7B5FB48310F208599D819A7301D730AE41DB80

Function 018859B8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1289259835.0000000001882000.00000040.00000020.00020000.00000000.sdmp, Offset: 01882000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1882000_H75MnQEha8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: 342b274d634237b0fca7f2d455222174721316d3ca72ee2a5aa9af0232a9ce28
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: 90018078A10209EFCB44EF98D5909AEF7B5FB48310F208599D809E7301D730AE41DB80

Function 01884368 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1289259835.0000000001882000.00000040.00000020.00020000.00000000.sdmp, Offset: 01882000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1882000_H75MnQEha8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 00297806 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 0029785B
DeleteObject.GDI32(00000000), ref: 0029786D
DestroyWindow.USER32 ref: 0029787B
GetDesktopWindow.USER32 ref: 00297895
GetWindowRect.USER32(00000000), ref: 0029789C
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 002979DD
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 002979ED
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00297A35
GetClientRect.USER32(00000000,?), ref: 00297A41
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00297A7B
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00297A9D
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00297AB0
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00297ABB
GlobalLock.KERNEL32(00000000), ref: 00297AC4
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00297AD3
GlobalUnlock.KERNEL32(00000000), ref: 00297ADC
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00297AE3
GlobalFree.KERNEL32(00000000), ref: 00297AEE
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00297B00
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,002B2CAC,00000000), ref: 00297B16
GlobalFree.KERNEL32(00000000), ref: 00297B26
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00297B4C
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00297B6B
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00297B8D
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00297D7A

Strings

DISPLAY, xrefs: 00297BDD
AutoIt v3, xrefs: 00297A2D
static, xrefs: 00297A75, 00297BCC
, xrefs: 00297D00

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 551474564b46ccf0a53d694cedccd2a10dd192d60e50b1c5f26dce1c354ac86b
Instruction ID: e735ab301e840c6a8947d9f8d2d96e8b4f4fdd11076b1d201533fe32b225fbb6
Opcode Fuzzy Hash: 551474564b46ccf0a53d694cedccd2a10dd192d60e50b1c5f26dce1c354ac86b
Instruction Fuzzy Hash: 4E029971920115EFDF14DFA4ED88EAE7BB9EF49314F008158F915AB2A1CB34AD51CB60

Function 002A356B Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,002AF910), ref: 002A3627
IsWindowVisible.USER32(?), ref: 002A364B

Strings

CHECK, xrefs: 002A386D
GETLINE, xrefs: 002A399B
ADDSTRING, xrefs: 002A3716
GETSELECTED, xrefs: 002A38A3
GETCURRENTSELECTION, xrefs: 002A37E3
SENDCOMMANDID, xrefs: 002A39DA
SHOWDROPDOWN, xrefs: 002A36E0
ISENABLED, xrefs: 002A366B
TABRIGHT, xrefs: 002A369D
HIDEDROPDOWN, xrefs: 002A3700
GETCURRENTCOL, xrefs: 002A3928
SETCURRENTSELECTION, xrefs: 002A37B6
TABLEFT, xrefs: 002A3687
ISVISIBLE, xrefs: 002A3637
GETLINECOUNT, xrefs: 002A38C6
FINDSTRING, xrefs: 002A3776
EDITPASTE, xrefs: 002A395F
CURRENTTAB, xrefs: 002A36BD
DELSTRING, xrefs: 002A3749
ISCHECKED, xrefs: 002A3839
SELECTSTRING, xrefs: 002A3806
UNCHECK, xrefs: 002A3883
GETCURRENTLINE, xrefs: 002A38ED

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: f017c8fcb4a8ebca2980b412b8016482561b6c258da5b0a956c39dc394026996
Instruction ID: c44dd8cf2330aa5e506f2a74afcf9e51f70a5b23ed8f96c14eeb5edff3d89711
Opcode Fuzzy Hash: f017c8fcb4a8ebca2980b412b8016482561b6c258da5b0a956c39dc394026996
Instruction Fuzzy Hash: 98D1A1702343119FCB04EF10C455A6EB7A5AF96744F144469F98A5B3A2CF31EEAACF81

Function 002AA5DA Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 002AA630
GetSysColorBrush.USER32(0000000F), ref: 002AA661
GetSysColor.USER32(0000000F), ref: 002AA66D
SetBkColor.GDI32(?,000000FF), ref: 002AA687
SelectObject.GDI32(?,00000000), ref: 002AA696
InflateRect.USER32(?,000000FF,000000FF), ref: 002AA6C1
GetSysColor.USER32(00000010), ref: 002AA6C9
CreateSolidBrush.GDI32(00000000), ref: 002AA6D0
FrameRect.USER32(?,?,00000000), ref: 002AA6DF
DeleteObject.GDI32(00000000), ref: 002AA6E6
InflateRect.USER32(?,000000FE,000000FE), ref: 002AA731
FillRect.USER32(?,?,00000000), ref: 002AA763
GetWindowLongW.USER32(?,000000F0), ref: 002AA78E

Part of subcall function 002AA8CA: GetSysColor.USER32(00000012), ref: 002AA903
Part of subcall function 002AA8CA: SetTextColor.GDI32(?,?), ref: 002AA907
Part of subcall function 002AA8CA: GetSysColorBrush.USER32(0000000F), ref: 002AA91D
Part of subcall function 002AA8CA: GetSysColor.USER32(0000000F), ref: 002AA928
Part of subcall function 002AA8CA: GetSysColor.USER32(00000011), ref: 002AA945
Part of subcall function 002AA8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 002AA953
Part of subcall function 002AA8CA: SelectObject.GDI32(?,00000000), ref: 002AA964
Part of subcall function 002AA8CA: SetBkColor.GDI32(?,00000000), ref: 002AA96D
Part of subcall function 002AA8CA: SelectObject.GDI32(?,?), ref: 002AA97A
Part of subcall function 002AA8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 002AA999
Part of subcall function 002AA8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 002AA9B0
Part of subcall function 002AA8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 002AA9C5
Part of subcall function 002AA8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 002AA9ED

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: 48177af8d8f0bc43eab28f24ec778ce10cb9d30d329233876e7bcb2da460daec
Instruction ID: ed9f574926bb2dfd215b7ca87d55d93690bf1a166ebcccff0740bcddd3133eb9
Opcode Fuzzy Hash: 48177af8d8f0bc43eab28f24ec778ce10cb9d30d329233876e7bcb2da460daec
Instruction Fuzzy Hash: BE918F71418301EFC7509FA4ED0CA5BBBA9FF4A321F100B29F5A2961A0DB75D944CF52

Function 00222C18 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00222CA2
DeleteObject.GDI32(00000000), ref: 00222CE8
DeleteObject.GDI32(00000000), ref: 00222CF3
DestroyIcon.USER32(00000000,?,?,?), ref: 00222CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 00222D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 0025C43B
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0025C474
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0025C89D

Part of subcall function 00221B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00222036,?,00000000,?,?,?,?,002216CB,00000000,?), ref: 00221B9A

SendMessageW.USER32(?,00001053), ref: 0025C8DA
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0025C8F1
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0025C907
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0025C912

Strings

0, xrefs: 0025C731

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: f99f5f6816c0b05fa3cbad0af714a792866cd8c5261642c88ab71a652e3b45be
Instruction ID: f482a226418f46751a7c2d3806b3cba0668df229c3736f040f7199705acb7151
Opcode Fuzzy Hash: f99f5f6816c0b05fa3cbad0af714a792866cd8c5261642c88ab71a652e3b45be
Instruction Fuzzy Hash: 8B12CE30524212EFCB11CF64D888BA9B7E5BF09311F64416AF895DB262DB31E869CF90

Function 002974AB Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 002974DE
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0029759D
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 002975DB
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 002975ED
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00297633
GetClientRect.USER32(00000000,?), ref: 0029763F
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00297683
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00297692
GetStockObject.GDI32(00000011), ref: 002976A2
SelectObject.GDI32(00000000,00000000), ref: 002976A6
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 002976B6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 002976BF
DeleteDC.GDI32(00000000), ref: 002976C8
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 002976F4
SendMessageW.USER32(00000030,00000000,00000001), ref: 0029770B
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00297746
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 0029775A
SendMessageW.USER32(00000404,00000001,00000000), ref: 0029776B
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 0029779B
GetStockObject.GDI32(00000011), ref: 002977A6
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 002977B1
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 002977BB

Strings

DISPLAY, xrefs: 00297688
AutoIt v3, xrefs: 0029762B
static, xrefs: 0029767D, 00297795
msctls_progress32, xrefs: 0029773C

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: ef42704755c95bfbb437f83eaab8941a724114a3b5519f89501223e1c8920e36
Instruction ID: a0510728abce3695856d3a14515be1ca84c1855f069db892b44ad925848ac016
Opcode Fuzzy Hash: ef42704755c95bfbb437f83eaab8941a724114a3b5519f89501223e1c8920e36
Instruction Fuzzy Hash: 4EA19271A60615BFEB14DFA4ED4AFAE7BB9EB05714F004114FA14AB2E0CB74AD10CB64

Function 0028AD10 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0028AD1E
GetDriveTypeW.KERNEL32(?,002AFAC0,?,\\.\,002AF910), ref: 0028ADFB
SetErrorMode.KERNEL32(00000000,002AFAC0,?,\\.\,002AF910), ref: 0028AF59

Strings

MMC, xrefs: 0028AF1A
ATAPI, xrefs: 0028AECD
SATA, xrefs: 0028AF0C
USB, xrefs: 0028AEF0
Virtual, xrefs: 0028AF21
CDROM, xrefs: 0028AE2F
Fibre, xrefs: 0028AEE9
SSD, xrefs: 0028AE86
RAID, xrefs: 0028AEF7
Fixed, xrefs: 0028AE43
SCSI, xrefs: 0028AEC6
SAS, xrefs: 0028AF05
Network, xrefs: 0028AE39
\\.\, xrefs: 0028AD70
Unknown, xrefs: 0028AE1B, 0028AEBF
SSA, xrefs: 0028AEE2
PhysicalDrive, xrefs: 0028ADA7
ATA, xrefs: 0028AED4
Removable, xrefs: 0028AE4D
RAMDisk, xrefs: 0028AE25
iSCSI, xrefs: 0028AEFE
1394, xrefs: 0028AEDB
FileBackedVirtual, xrefs: 0028AF28

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: e2af4d1191c09512b27cf00c8c43abcbe8ba364a9aef253c637730a481e09793
Instruction ID: 4a5b525ac719ba20b314908b4eaf46d6c7fabbd47637fad8604e36fdf11e6400
Opcode Fuzzy Hash: e2af4d1191c09512b27cf00c8c43abcbe8ba364a9aef253c637730a481e09793
Instruction Fuzzy Hash: 7351A5B867A205AB9B10FF50C942C7D7360EB1A704B208467E506A76D1DEB29D71DB83

Function 002268DC Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00226931
__wcsnicmp.LIBCMT ref: 00226949
__wcsnicmp.LIBCMT ref: 00226961
__wcsnicmp.LIBCMT ref: 00226979
__wcsnicmp.LIBCMT ref: 00226991
__wcsnicmp.LIBCMT ref: 002269A9
__wcsnicmp.LIBCMT ref: 002269C1
__wcsnicmp.LIBCMT ref: 002269D5
__wcsnicmp.LIBCMT ref: 00226A16
__wcsnicmp.LIBCMT ref: 00226A2A
__wcsnicmp.LIBCMT ref: 00226A3E
__wcsnicmp.LIBCMT ref: 00226A52

Strings

Cannot parse #include, xrefs: 0025E3F0
#comments-end, xrefs: 00226A38
#requireadmin, xrefs: 0022695B
#comments-start, xrefs: 002269BB, 00226A10
#include, xrefs: 002269A3
#include-once, xrefs: 0022698B
Bad directive syntax error, xrefs: 0025E31A
Unterminated group of comments, xrefs: 0025E403
#notrayicon, xrefs: 00226943
#OnAutoItStartRegister, xrefs: 00226973
#cs, xrefs: 002269CF, 00226A24
#ce, xrefs: 00226A4C
#pragma compile, xrefs: 0022692B

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: bda8dcc6c36ade34a312df28daa6f7b7c14909321392ec552892c01dccc38c02
Instruction ID: 14ff01e85111255f4669eb453f333115f51d0f1d23a3b984343641a45c2f4569
Opcode Fuzzy Hash: bda8dcc6c36ade34a312df28daa6f7b7c14909321392ec552892c01dccc38c02
Instruction Fuzzy Hash: 1A814C72630216BADF19AEA0EC46FBE7768AF05700F004025FC456A191EB71DE75C654

Function 002A9A1C Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 455windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 002A9AD2
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 002A9B8B
SendMessageW.USER32(?,00001102,00000002,?), ref: 002A9BA7

Strings

0, xrefs: 002A9BE4

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0
API String ID: 2326795674-4108050209
Opcode ID: eed47ea0432b9eceef8488e9fa8514ac6db268c36f9478fef7115b4b40b43770
Instruction ID: d7449b6406d55db5cfc9f9c1a0207b48f221a9957e13bc0017889f6733cb45e8
Opcode Fuzzy Hash: eed47ea0432b9eceef8488e9fa8514ac6db268c36f9478fef7115b4b40b43770
Instruction Fuzzy Hash: B202F130124302AFDB25CF16C948BAABBE5FF8B314F04852DF995D62A1CB74D8A4CB51

Function 002AA8CA Relevance: 39.2, APIs: 26, Instructions: 187windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 002AA903
SetTextColor.GDI32(?,?), ref: 002AA907
GetSysColorBrush.USER32(0000000F), ref: 002AA91D
GetSysColor.USER32(0000000F), ref: 002AA928
CreateSolidBrush.GDI32(?), ref: 002AA92D
GetSysColor.USER32(00000011), ref: 002AA945
CreatePen.GDI32(00000000,00000001,00743C00), ref: 002AA953
SelectObject.GDI32(?,00000000), ref: 002AA964
SetBkColor.GDI32(?,00000000), ref: 002AA96D
SelectObject.GDI32(?,?), ref: 002AA97A
InflateRect.USER32(?,000000FF,000000FF), ref: 002AA999
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 002AA9B0
GetWindowLongW.USER32(00000000,000000F0), ref: 002AA9C5
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 002AA9ED
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 002AAA14
InflateRect.USER32(?,000000FD,000000FD), ref: 002AAA32
DrawFocusRect.USER32(?,?), ref: 002AAA3D
GetSysColor.USER32(00000011), ref: 002AAA4B
SetTextColor.GDI32(?,00000000), ref: 002AAA53
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 002AAA67
SelectObject.GDI32(?,002AA5FA), ref: 002AAA7E
DeleteObject.GDI32(?), ref: 002AAA89
SelectObject.GDI32(?,?), ref: 002AAA8F
DeleteObject.GDI32(?), ref: 002AAA94
SetTextColor.GDI32(?,?), ref: 002AAA9A
SetBkColor.GDI32(?,?), ref: 002AAAA4

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 664a774750bd26a1fa2198739458de57c04cd44946419f0f313d83898ff2bb59
Instruction ID: 1d0b4438db02853341d7189f626885abd248f7c80e60256c843818294eb6533e
Opcode Fuzzy Hash: 664a774750bd26a1fa2198739458de57c04cd44946419f0f313d83898ff2bb59
Instruction Fuzzy Hash: 99517F71900209FFDF109FA4ED48EAEBBB9EF09320F114225F915AB2A1DB759950CF90

Function 002A89D5 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 002A8AC1
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 002A8AD2
CharNextW.USER32(0000014E), ref: 002A8B01
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 002A8B42
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 002A8B58
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 002A8B69
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 002A8B86
SetWindowTextW.USER32(?,0000014E), ref: 002A8BD8
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 002A8BEE
SendMessageW.USER32(?,00001002,00000000,?), ref: 002A8C1F
_memset.LIBCMT ref: 002A8C44
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 002A8C8D
_memset.LIBCMT ref: 002A8CEC
SendMessageW.USER32(?,00001053,000000FF,?), ref: 002A8D16
SendMessageW.USER32(?,00001074,?,00000001), ref: 002A8D6E
SendMessageW.USER32(?,0000133D,?,?), ref: 002A8E1B
InvalidateRect.USER32(?,00000000,00000001), ref: 002A8E3D
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 002A8E87
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 002A8EB4
DrawMenuBar.USER32(?), ref: 002A8EC3
SetWindowTextW.USER32(?,0000014E), ref: 002A8EEB

Strings

0, xrefs: 002A8E55

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: decbeef95899233a84a0a10d604a9bbdd151e98554f8bf6c56d06e7b1ca446f9
Instruction ID: 85481e4ef23744766deb6604275ca616195b2949d6996a9534c968b8482493ac
Opcode Fuzzy Hash: decbeef95899233a84a0a10d604a9bbdd151e98554f8bf6c56d06e7b1ca446f9
Instruction Fuzzy Hash: A3E18070920219AFDF20DF60DC88EEE7BB9EF0A710F108156F915AA191DF7489A4DF60

Function 002A488F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 002A49CA
GetDesktopWindow.USER32 ref: 002A49DF
GetWindowRect.USER32(00000000), ref: 002A49E6
GetWindowLongW.USER32(?,000000F0), ref: 002A4A48
DestroyWindow.USER32(?), ref: 002A4A74
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 002A4A9D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 002A4ABB
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 002A4AE1
SendMessageW.USER32(?,00000421,?,?), ref: 002A4AF6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 002A4B09
IsWindowVisible.USER32(?), ref: 002A4B29
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 002A4B44
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 002A4B58
GetWindowRect.USER32(?,?), ref: 002A4B70
MonitorFromPoint.USER32(?,?,00000002), ref: 002A4B96
GetMonitorInfoW.USER32(00000000,?), ref: 002A4BB0
CopyRect.USER32(?,?), ref: 002A4BC7
SendMessageW.USER32(?,00000412,00000000), ref: 002A4C32

Strings

(, xrefs: 002A4BA3
tooltips_class32, xrefs: 002A4A96
0, xrefs: 002A4975

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 4762b697882fded60afc69cfb23d6074e5ca8285c4e2dcd6398806217eff5130
Instruction ID: 66981e39a622208951fa5df79cb87185cb02b8f137383bf2023b4a6b2b892e6c
Opcode Fuzzy Hash: 4762b697882fded60afc69cfb23d6074e5ca8285c4e2dcd6398806217eff5130
Instruction Fuzzy Hash: 59B1BC70614351AFDB04EFA4D848B5BBBE4BF8A304F00891DF5999B291DBB0EC54CB95

Function 0028449A Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 002844AC
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 002844D2
_wcscpy.LIBCMT ref: 00284500
_wcscmp.LIBCMT ref: 0028450B
_wcscat.LIBCMT ref: 00284521
_wcsstr.LIBCMT ref: 0028452C
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00284548
_wcscat.LIBCMT ref: 00284591
_wcscat.LIBCMT ref: 00284598
_wcsncpy.LIBCMT ref: 002845C3

Strings

StringFileInfo\, xrefs: 0028451B
\VarFileInfo\Translation, xrefs: 00284540
DefaultLangCodepage, xrefs: 002845AB
04090000, xrefs: 0028457E
%u.%u.%u.%u, xrefs: 00284626

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: 58386e5105891f061cdb8a8d59e0cb926acc4494f57b0497da8c0b295f35200d
Instruction ID: 17d427605ccae35d0be58a507b01cdfd8a5b679f945b641da259b3dcc08a6fa2
Opcode Fuzzy Hash: 58386e5105891f061cdb8a8d59e0cb926acc4494f57b0497da8c0b295f35200d
Instruction Fuzzy Hash: A6410675A20201BBDB18FAB19C47EBF776CDF46710F40006AF905E6182EA349A318AA5

Function 002227D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 002228BC
GetSystemMetrics.USER32(00000007), ref: 002228C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 002228EF
GetSystemMetrics.USER32(00000008), ref: 002228F7
GetSystemMetrics.USER32(00000004), ref: 0022291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00222939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00222949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0022297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00222990
GetClientRect.USER32(00000000,000000FF), ref: 002229AE
GetStockObject.GDI32(00000011), ref: 002229CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 002229D5

Part of subcall function 00222344: GetCursorPos.USER32(?), ref: 00222357
Part of subcall function 00222344: ScreenToClient.USER32(002E57B0,?), ref: 00222374
Part of subcall function 00222344: GetAsyncKeyState.USER32(00000001), ref: 00222399
Part of subcall function 00222344: GetAsyncKeyState.USER32(00000002), ref: 002223A7

SetTimer.USER32(00000000,00000000,00000028,00221256), ref: 002229FC

Strings

AutoIt v3 GUI, xrefs: 00222974

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: af4abf57415ccdbe4898a1659db27c7370c1fd7c87aa54db71739394b2ca0efa
Instruction ID: a55873ef06f5e804c2c8ad64ba7c52bc2961ffa1e2900622029dfeff6dffe0dd
Opcode Fuzzy Hash: af4abf57415ccdbe4898a1659db27c7370c1fd7c87aa54db71739394b2ca0efa
Instruction Fuzzy Hash: FFB1B170A2021AEFDB14DFA8ED49BAD77B4FB08315F104229FA15A7290DB74D864CF50

Function 0027A439 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0027A47A
__swprintf.LIBCMT ref: 0027A51B
_wcscmp.LIBCMT ref: 0027A52E
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0027A583
_wcscmp.LIBCMT ref: 0027A5BF
GetClassNameW.USER32(?,?,00000400), ref: 0027A5F6
GetDlgCtrlID.USER32(?), ref: 0027A648
GetWindowRect.USER32(?,?), ref: 0027A67E
GetParent.USER32(?), ref: 0027A69C
ScreenToClient.USER32(00000000), ref: 0027A6A3
GetClassNameW.USER32(?,?,00000100), ref: 0027A71D
_wcscmp.LIBCMT ref: 0027A731
GetWindowTextW.USER32(?,?,00000400), ref: 0027A757
_wcscmp.LIBCMT ref: 0027A76B

Part of subcall function 0024362C: _iswctype.LIBCMT ref: 00243634

Strings

%s%u, xrefs: 0027A515

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: c6014c853e26f21d213dbedb3bd8f8bcaf362aba0c478b46251312821501ec4c
Instruction ID: 7531e8f95fa0a23b37e81597012fc4caaf2dbe96428828ac6535c3a4d88615aa
Opcode Fuzzy Hash: c6014c853e26f21d213dbedb3bd8f8bcaf362aba0c478b46251312821501ec4c
Instruction Fuzzy Hash: 64A1A471224207ABD718DF64C884BAEF7E8FF84325F008529F99DD2190DB34E965CB92

Function 0027AED4 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 0027AF18
_wcscmp.LIBCMT ref: 0027AF29
GetWindowTextW.USER32(00000001,?,00000400), ref: 0027AF51
CharUpperBuffW.USER32(?,00000000), ref: 0027AF6E
_wcscmp.LIBCMT ref: 0027AF8C
_wcsstr.LIBCMT ref: 0027AF9D
GetClassNameW.USER32(00000018,?,00000400), ref: 0027AFD5
_wcscmp.LIBCMT ref: 0027AFE5
GetWindowTextW.USER32(00000002,?,00000400), ref: 0027B00C
GetClassNameW.USER32(00000018,?,00000400), ref: 0027B055
_wcscmp.LIBCMT ref: 0027B065
GetClassNameW.USER32(00000010,?,00000400), ref: 0027B08D
GetWindowRect.USER32(00000004,?), ref: 0027B0F6

Strings

@, xrefs: 0027AEF9
ThumbnailClass, xrefs: 0027AFE0, 0027B060

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 9d7a6d5fa48fd1ef0093ec9e9812898a97e83dcbc1fb10e5f4ce1a51d5ecd216
Instruction ID: 634b25f768734a2fa2f24b11170b3a0e4944e5056b780555e04ee380d7c9de26
Opcode Fuzzy Hash: 9d7a6d5fa48fd1ef0093ec9e9812898a97e83dcbc1fb10e5f4ce1a51d5ecd216
Instruction Fuzzy Hash: 6381C1711282069FDB05DF10C885FAAB7E8EF84714F04C46AFD8D8A095DB34DD69CBA2

Function 002AC5FE Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00222612: GetWindowLongW.USER32(?,000000EB), ref: 00222623

DragQueryPoint.SHELL32(?,?), ref: 002AC627

Part of subcall function 002AAB37: ClientToScreen.USER32(?,?), ref: 002AAB60
Part of subcall function 002AAB37: GetWindowRect.USER32(?,?), ref: 002AABD6
Part of subcall function 002AAB37: PtInRect.USER32(?,?,002AC014), ref: 002AABE6

SendMessageW.USER32(?,000000B0,?,?), ref: 002AC690
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 002AC69B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 002AC6BE
_wcscat.LIBCMT ref: 002AC6EE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 002AC705
SendMessageW.USER32(?,000000B0,?,?), ref: 002AC71E
SendMessageW.USER32(?,000000B1,?,?), ref: 002AC735
SendMessageW.USER32(?,000000B1,?,?), ref: 002AC757
DragFinish.SHELL32(?), ref: 002AC75E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 002AC851

Strings

@GUI_DRAGID, xrefs: 002AC7C9
@GUI_DROPID, xrefs: 002AC77E
pb., xrefs: 002AC79B
@GUI_DRAGFILE, xrefs: 002AC800

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$pb.
API String ID: 169749273-1174233046
Opcode ID: 65185eb548960db78d537d3380f21dd4856ca76824d62e279a1c19139ac879f9
Instruction ID: 8bd2fdf9f5f1b701552de5db9a0a3f7b1088514aa3c4b663b4dcf7619df984bc
Opcode Fuzzy Hash: 65185eb548960db78d537d3380f21dd4856ca76824d62e279a1c19139ac879f9
Instruction Fuzzy Hash: DB618E71118310AFC701EFA4DD89D9FBBE8EF8A710F00092EF595962A1DB709959CF92

Function 0027ABD4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0027AC33

Strings

HANDLE=, xrefs: 0027AC2C
LAST, xrefs: 0027ABF8
[ACTIVE, xrefs: 0027AC20
ACTIVE, xrefs: 0027AC0E
CLASSNAME=, xrefs: 0027AC70
[LAST, xrefs: 0027ACE0
[CLASS:, xrefs: 0027AC83
[ALL, xrefs: 0027ACD9
[HANDLE:, xrefs: 0027AC3F
ALL, xrefs: 0027ACC7
[REGEXPTITLE:, xrefs: 0027AC5B
REGEXP=, xrefs: 0027AC48

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 937d1d2ae1040df3cc3d6a914b29100cc55bb91831f0c94a993c12e502bc07f9
Instruction ID: 664d073fd6144cd2fabeb3f367578201df672452f645ee2d71f07168b2bedc0a
Opcode Fuzzy Hash: 937d1d2ae1040df3cc3d6a914b29100cc55bb91831f0c94a993c12e502bc07f9
Instruction Fuzzy Hash: A431A43167C216BADA15EA90ED03EAE7764AF11720F60401AF446711D1FF756F348A52

Function 00294FFD Relevance: 25.6, APIs: 17, Instructions: 110COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 00295013
LoadCursorW.USER32(00000000,00007F00), ref: 0029501E
LoadCursorW.USER32(00000000,00007F03), ref: 00295029
LoadCursorW.USER32(00000000,00007F8B), ref: 00295034
LoadCursorW.USER32(00000000,00007F01), ref: 0029503F
LoadCursorW.USER32(00000000,00007F81), ref: 0029504A
LoadCursorW.USER32(00000000,00007F88), ref: 00295055
LoadCursorW.USER32(00000000,00007F80), ref: 00295060
LoadCursorW.USER32(00000000,00007F86), ref: 0029506B
LoadCursorW.USER32(00000000,00007F83), ref: 00295076
LoadCursorW.USER32(00000000,00007F85), ref: 00295081
LoadCursorW.USER32(00000000,00007F82), ref: 0029508C
LoadCursorW.USER32(00000000,00007F84), ref: 00295097
LoadCursorW.USER32(00000000,00007F04), ref: 002950A2
LoadCursorW.USER32(00000000,00007F02), ref: 002950AD
LoadCursorW.USER32(00000000,00007F89), ref: 002950B8
GetCursorInfo.USER32(?), ref: 002950C8

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: fd365cabebda6196aefd73055e675953f12e0d858f059efc0a9435b2b329d1a6
Instruction ID: ecc638d8b2e025bcb1d986027bc090ab62ff8044d776d5a6fff999448647e315
Opcode Fuzzy Hash: fd365cabebda6196aefd73055e675953f12e0d858f059efc0a9435b2b329d1a6
Instruction Fuzzy Hash: 6C31F4B1E5831A6ADF109FB69C8995EBFE8FF08750F50453AE50DE7280DA786500CF91

Function 002AA1B9 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002AA259
DestroyWindow.USER32(?,?), ref: 002AA2D3

Part of subcall function 00227BCC: _memmove.LIBCMT ref: 00227C06

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 002AA34D
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 002AA36F
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 002AA382
DestroyWindow.USER32(00000000), ref: 002AA3A4
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00220000,00000000), ref: 002AA3DB
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 002AA3F4
GetDesktopWindow.USER32 ref: 002AA40D
GetWindowRect.USER32(00000000), ref: 002AA414
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 002AA42C
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 002AA444

Part of subcall function 002225DB: GetWindowLongW.USER32(?,000000EB), ref: 002225EC

Strings

tooltips_class32, xrefs: 002AA346, 002AA3D4
0, xrefs: 002AA26F

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: d304ddb8dfa6fa5cd3d1c3429c738435b6b6658f45e4f9e1e536a4dbacf6b0dc
Instruction ID: 6e56a3bce6d1df6d7e6b979fccc46169849e4b8141eee0f31f0b337d0826f7f3
Opcode Fuzzy Hash: d304ddb8dfa6fa5cd3d1c3429c738435b6b6658f45e4f9e1e536a4dbacf6b0dc
Instruction Fuzzy Hash: 9071CF70160245AFD725CF28DC48F6A7BE9FF8A704F04452DF9858B2A0DB74E962CB52

Function 002A4392 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 002A4424
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 002A446F

Strings

COLLAPSE, xrefs: 002A44B5
CHECK, xrefs: 002A448F
SELECT, xrefs: 002A4620
GETTEXT, xrefs: 002A45C2
GETSELECTED, xrefs: 002A457F
GETTOTALCOUNT, xrefs: 002A4456
EXISTS, xrefs: 002A44D8
ISCHECKED, xrefs: 002A45F2
EXPAND, xrefs: 002A4521
UNCHECK, xrefs: 002A464B
GETITEMCOUNT, xrefs: 002A4551

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 44d0444843a971948a9f2c8d59936f95a1b39209ac1739e16542545ef5b49a83
Instruction ID: 43d10169edbab9faff21befbf0cfff075ddc6b8efd759fcd2e03818ac0da0046
Opcode Fuzzy Hash: 44d0444843a971948a9f2c8d59936f95a1b39209ac1739e16542545ef5b49a83
Instruction Fuzzy Hash: EA919F712243119FCB08EF10C451A6EB7E5AF96750F048869F8965B3A2CF70EDA9CF81

Function 002AB7FE Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 002AB8B4
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,002A91C2), ref: 002AB910
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 002AB949
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 002AB98C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 002AB9C3
FreeLibrary.KERNEL32(?), ref: 002AB9CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 002AB9DF
DestroyIcon.USER32(?,?,?,?,?,002A91C2), ref: 002AB9EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 002ABA0B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 002ABA17

Part of subcall function 00242EFD: __wcsicmp_l.LIBCMT ref: 00242F86

Strings

.exe, xrefs: 002AB84A
.icl, xrefs: 002AB82A
.dll, xrefs: 002AB86D

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 68127742f2efe9121c1b1bbff5094b03e7bb088af8fa4e5a0d7442e6bd5fcc79
Instruction ID: da0a22cb1ae683369cb07038e4b60b709a232dd0ef3d5b05375707d1909117d9
Opcode Fuzzy Hash: 68127742f2efe9121c1b1bbff5094b03e7bb088af8fa4e5a0d7442e6bd5fcc79
Instruction Fuzzy Hash: 1B610E71920216BFEB15CF64DC45BBE77A8EB0A711F104116FA15D61C2DB74A9A0CBA0

Function 00289C38 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 00289C7F

Part of subcall function 00227DE1: _memmove.LIBCMT ref: 00227E22

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00289CA0
__swprintf.LIBCMT ref: 00289CF9
__swprintf.LIBCMT ref: 00289D12
_wprintf.LIBCMT ref: 00289DB9
_wprintf.LIBCMT ref: 00289DD7

Strings

Incorrect parameters to object property !, xrefs: 00289D5B
"%s" (%d) : ==> %s:%s%s, xrefs: 00289DB4
^ ERROR , xrefs: 00289D4E
Line %d (File "%s"):, xrefs: 00289CF3, 00289D0C
"%s" (%d) : ==> %s:, xrefs: 00289DD2
Error: , xrefs: 00289D81

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-3080491070
Opcode ID: ad1734c6408fea2e318d98dbb7ad2738e564e8845ddf8c7a96c6340611a289dd
Instruction ID: da16b1c7bf76521fc784ada6dcdf0b96c535a7e2a80fc2163bb20ca8618ffae8
Opcode Fuzzy Hash: ad1734c6408fea2e318d98dbb7ad2738e564e8845ddf8c7a96c6340611a289dd
Instruction Fuzzy Hash: D151923192552ABACF14FBE0ED46EEEB778AF15300F104066B509721A1DB352FA8DF50

Function 0028A352 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00229837: __itow.LIBCMT ref: 00229862
Part of subcall function 00229837: __swprintf.LIBCMT ref: 002298AC

CharLowerBuffW.USER32(?,?), ref: 0028A3CB
GetDriveTypeW.KERNEL32 ref: 0028A418
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0028A460
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0028A497
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0028A4C5

Part of subcall function 00227BCC: _memmove.LIBCMT ref: 00227C06

Strings

wait, xrefs: 0028A482
closed, xrefs: 0028A3DF, 0028A3E8
close, xrefs: 0028A3D1
open , xrefs: 0028A427
open, xrefs: 0028A3F2
type cdaudio alias cd wait, xrefs: 0028A443
close cd wait, xrefs: 0028A4B0
set cd door , xrefs: 0028A466

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: d8d53ce46b1f22d1b3467b571ea3ea96c7fc0e0d6d61f4a75bd00345476178b8
Instruction ID: 9023928de9229016729700d9dc8646e6b2e6ab034d2ebae26cb8bf4765a66800
Opcode Fuzzy Hash: d8d53ce46b1f22d1b3467b571ea3ea96c7fc0e0d6d61f4a75bd00345476178b8
Instruction Fuzzy Hash: 2C518075128315AFC700EF50D89196AB3E4EF85718F10886EF889572A1DB31ED2ACF92

Function 0027F8AA Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,0025E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 0027F8DF
LoadStringW.USER32(00000000,?,0025E029,00000001), ref: 0027F8E8

Part of subcall function 00227DE1: _memmove.LIBCMT ref: 00227E22

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,0025E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 0027F90A
LoadStringW.USER32(00000000,?,0025E029,00000001), ref: 0027F90D
__swprintf.LIBCMT ref: 0027F95D
__swprintf.LIBCMT ref: 0027F96E
_wprintf.LIBCMT ref: 0027FA17
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0027FA2E

Strings

Line %d:, xrefs: 0027F968
Line %d (File "%s"):, xrefs: 0027F957
^ ERROR, xrefs: 0027F9C3
Error: , xrefs: 0027F9E5
%s (%d) : ==> %s: %s %s, xrefs: 0027FA12

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: 66a90510cb4d3741cdca2407f9d37a820d1b25a39e644eb2452dd990fd1f23a2
Instruction ID: 737318603b9828a9336b300a16171273cf372f0ab5aeeb1c4b2025693b86a7bc
Opcode Fuzzy Hash: 66a90510cb4d3741cdca2407f9d37a820d1b25a39e644eb2452dd990fd1f23a2
Instruction Fuzzy Hash: D4412D72818129BACF04FFE0EE8AEEE7778AF15300F104065B50976191EA756F69CF61

Function 002ABA33 Relevance: 22.6, APIs: 15, Instructions: 130filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,002A9207,?,?), ref: 002ABA56
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,002A9207,?,?,00000000,?), ref: 002ABA6D
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,002A9207,?,?,00000000,?), ref: 002ABA78
CloseHandle.KERNEL32(00000000,?,?,?,?,002A9207,?,?,00000000,?), ref: 002ABA85
GlobalLock.KERNEL32(00000000), ref: 002ABA8E
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,002A9207,?,?,00000000,?), ref: 002ABA9D
GlobalUnlock.KERNEL32(00000000), ref: 002ABAA6
CloseHandle.KERNEL32(00000000,?,?,?,?,002A9207,?,?,00000000,?), ref: 002ABAAD
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,002A9207,?,?,00000000,?), ref: 002ABABE
OleLoadPicture.OLEAUT32(?,00000000,00000000,002B2CAC,?), ref: 002ABAD7
GlobalFree.KERNEL32(00000000), ref: 002ABAE7
GetObjectW.GDI32(00000000,00000018,?), ref: 002ABB0B
CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 002ABB36
DeleteObject.GDI32(00000000), ref: 002ABB5E
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 002ABB74

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 536fe5a79b1db5a6fad0e9495dfa4cbe4462bae84c1879c946e01047bc60e2af
Instruction ID: bdf81c854361a5d501ea0906b57089b01a75ed6a78fd4680c8c3318db72b02f1
Opcode Fuzzy Hash: 536fe5a79b1db5a6fad0e9495dfa4cbe4462bae84c1879c946e01047bc60e2af
Instruction Fuzzy Hash: 65415975600205EFCB619FA5ED8CEAABBB8FB8A711F104068F909D7261DB749D11CB60

Function 0028D899 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 0028DA10
_wcscat.LIBCMT ref: 0028DA28
_wcscat.LIBCMT ref: 0028DA3A
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0028DA4F
SetCurrentDirectoryW.KERNEL32(?), ref: 0028DA63
GetFileAttributesW.KERNEL32(?), ref: 0028DA7B
SetFileAttributesW.KERNEL32(?,00000000), ref: 0028DA95
SetCurrentDirectoryW.KERNEL32(?), ref: 0028DAA7

Strings

*.*, xrefs: 0028DAE6

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: 53c69da4b8925d0aeff456a09faf07c33288b01505b18171bec8506c3c709780
Instruction ID: 654618fe95c440dc6f3a47a3bd4e0117e83b53945d4085e773e51d66192d1031
Opcode Fuzzy Hash: 53c69da4b8925d0aeff456a09faf07c33288b01505b18171bec8506c3c709780
Instruction Fuzzy Hash: 5981A275525341AFCB24FF64C844A6AB7E8BF89310F18482EF889C72D1E670DD69CB52

Function 002AC1AC Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00222612: GetWindowLongW.USER32(?,000000EB), ref: 00222623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 002AC1FC
GetFocus.USER32 ref: 002AC20C
GetDlgCtrlID.USER32(00000000), ref: 002AC217
_memset.LIBCMT ref: 002AC342
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 002AC36D
GetMenuItemCount.USER32(?), ref: 002AC38D
GetMenuItemID.USER32(?,00000000), ref: 002AC3A0
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 002AC3D4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 002AC41C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 002AC454
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 002AC489

Strings

0, xrefs: 002AC33A

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: 33a74a8b693968ee44e1644960e8e8112f16fffe0c654a1b6747d9dd50a3afc7
Instruction ID: de86f9e51eff07e5b6ccdf4fcd2fb31e55316e1dfb0af6a93c64c10d1a953b2d
Opcode Fuzzy Hash: 33a74a8b693968ee44e1644960e8e8112f16fffe0c654a1b6747d9dd50a3afc7
Instruction Fuzzy Hash: E581D270628312AFDB14DF14D894A7BBBE8FF8A314F10492EF99597251CB70D824CB52

Function 0029731A Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0029738F
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 0029739B
CreateCompatibleDC.GDI32(?), ref: 002973A7
SelectObject.GDI32(00000000,?), ref: 002973B4
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00297408
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00297444
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00297468
SelectObject.GDI32(00000006,?), ref: 00297470
DeleteObject.GDI32(?), ref: 00297479
DeleteDC.GDI32(00000006), ref: 00297480
ReleaseDC.USER32(00000000,?), ref: 0029748B

Strings

(, xrefs: 00297410

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 8c2e43dea862073af0bf810fe47a28c72a44ce2ba7cd218cdda463d578926b7f
Instruction ID: 817482f250a508073c035e9cae09d9a22f5cb9817c05ea76a5c8f6c64c9c1662
Opcode Fuzzy Hash: 8c2e43dea862073af0bf810fe47a28c72a44ce2ba7cd218cdda463d578926b7f
Instruction Fuzzy Hash: 0E516A71914309EFCB14CFA8DC88EAEBBB9EF49310F14842DF99997211D775A850CB50

Function 00226A8C Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00240957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00226B0C,?,00008000), ref: 00240973

Part of subcall function 00224750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00224743,?,?,002237AE,?), ref: 00224770

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00226BAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00226CFA

Part of subcall function 0022586D: _wcscpy.LIBCMT ref: 002258A5

Part of subcall function 0024363D: _iswctype.LIBCMT ref: 00243645

Strings

Unterminated string, xrefs: 0025E7E4
#include depth exceeded. Make sure there are no recursive includes, xrefs: 0025E421
AU3!, xrefs: 00226B61
>>>AUTOIT SCRIPT<<<, xrefs: 0025E496
EA06, xrefs: 0025E452
Bad directive syntax error, xrefs: 0025E79D
Error opening the file, xrefs: 0025E43D, 0025E4B8

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: 0d90c5696f44427b1c047502cb0d7282729c83c00d9eee9ccdd33b2c8e059f4e
Instruction ID: 2f32a4d709072f20d9f75f2469fc094cd97f7016be79e644ed680e52a66ae4ed
Opcode Fuzzy Hash: 0d90c5696f44427b1c047502cb0d7282729c83c00d9eee9ccdd33b2c8e059f4e
Instruction Fuzzy Hash: 1302D131128351AFCB14EF60D8819AFBBE5EF99314F10481DF889972A1DB70DA69CF52

Function 00282D36 Relevance: 19.7, APIs: 13, Instructions: 214windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00282D50
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00282DDD
GetMenuItemCount.USER32(002E5890), ref: 00282E66
DeleteMenu.USER32(002E5890,00000005,00000000,000000F5,?,?), ref: 00282EF6
DeleteMenu.USER32(002E5890,00000004,00000000), ref: 00282EFE
DeleteMenu.USER32(002E5890,00000006,00000000), ref: 00282F06
DeleteMenu.USER32(002E5890,00000003,00000000), ref: 00282F0E
GetMenuItemCount.USER32(002E5890), ref: 00282F16
SetMenuItemInfoW.USER32(002E5890,00000004,00000000,00000030), ref: 00282F4C
GetCursorPos.USER32(?), ref: 00282F56
SetForegroundWindow.USER32(00000000), ref: 00282F5F
TrackPopupMenuEx.USER32(002E5890,00000000,?,00000000,00000000,00000000), ref: 00282F72
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00282F7E

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: d81499e72a1d34c4b7755e2198cacadc09c910fb71c688175f8a09199221a672
Instruction ID: 40bb2086786e723c968467a5aed513dcbb57c56afe7ac1cf000393895655b240
Opcode Fuzzy Hash: d81499e72a1d34c4b7755e2198cacadc09c910fb71c688175f8a09199221a672
Instruction Fuzzy Hash: 78710674612216FBEB21AF54DC89FAABF64FF05314F100216F615A61E0C7B16C38CB94

Function 002988AB Relevance: 19.6, APIs: 10, Strings: 1, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 002988D7
CoInitialize.OLE32(00000000), ref: 00298904
CoUninitialize.OLE32 ref: 0029890E
GetRunningObjectTable.OLE32(00000000,?), ref: 00298A0E
SetErrorMode.KERNEL32(00000001,00000029), ref: 00298B3B
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,002B2C0C), ref: 00298B6F
CoGetObject.OLE32(?,00000000,002B2C0C,?), ref: 00298B92
SetErrorMode.KERNEL32(00000000), ref: 00298BA5
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00298C25
VariantClear.OLEAUT32(?), ref: 00298C35

Strings

,,+, xrefs: 002988C1

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID: ,,+
API String ID: 2395222682-1536947320
Opcode ID: ce4a81ecc7e21aa053a88026102d40f147ccaf85ed7d622e27e80b2b45b53180
Instruction ID: 96f24ea8adc76358563130ccc89d7cdae459cda5c966a4f2b6771fcd22257289
Opcode Fuzzy Hash: ce4a81ecc7e21aa053a88026102d40f147ccaf85ed7d622e27e80b2b45b53180
Instruction Fuzzy Hash: 8DC123B1228305AFDB00DF64C88492BB7E9BF8A348F04491DF98ADB251DB71ED55CB52

Function 002777DC Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00227BCC: _memmove.LIBCMT ref: 00227C06

_memset.LIBCMT ref: 0027786B
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 002778A0
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 002778BC
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 002778D8
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00277902
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 0027792A
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00277935
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0027793A

Strings

SOFTWARE\Classes\, xrefs: 0027780C
\IPC$, xrefs: 00277882
\CLSID, xrefs: 00277822

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1411258926-22481851
Opcode ID: 4f542183a40d6d989ef62d6b9ceb120182f228ad4fae9cf53e1252f38d97c330
Instruction ID: dd8ce15d2341af9f2cd375c7f653c8e0b827a2fa50bd8cdc55c88e2941111e4d
Opcode Fuzzy Hash: 4f542183a40d6d989ef62d6b9ceb120182f228ad4fae9cf53e1252f38d97c330
Instruction Fuzzy Hash: 3A41E872C24229ABDB11EFE4EC85DEDB778BF04710F40446AE905A3261EA349E25CF90

Function 002A0E1A Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0029FDAD,?,?), ref: 002A0E31

Strings

HKEY_CURRENT_CONFIG, xrefs: 002A0EEE
HKU, xrefs: 002A0F43
HKEY_LOCAL_MACHINE, xrefs: 002A0E9A
HKCC, xrefs: 002A0EFF
HKEY_CURRENT_USER, xrefs: 002A0F10
HKCU, xrefs: 002A0F21
HKEY_USERS, xrefs: 002A0F32
HKEY_CLASSES_ROOT, xrefs: 002A0EC4
HKCR, xrefs: 002A0ED9
HKLM, xrefs: 002A0EAF

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: ab1730499b91ffdebc80c4ab2d0bc7f806d7c343a41659272e71a608abacdfa5
Instruction ID: 052040356bf83078c0b311d2d3414ac40f134727eb39153cb03913b417e205ce
Opcode Fuzzy Hash: ab1730499b91ffdebc80c4ab2d0bc7f806d7c343a41659272e71a608abacdfa5
Instruction Fuzzy Hash: 75418C3117025A9FCF14EF50E8A5AEE3364AF12300F140425FD956B692DF30ADBACBA0

Function 0027F7A1 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,0025E2A0,00000010,?,Bad directive syntax error,002AF910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 0027F7C2
LoadStringW.USER32(00000000,?,0025E2A0,00000010), ref: 0027F7C9

Part of subcall function 00227DE1: _memmove.LIBCMT ref: 00227E22

_wprintf.LIBCMT ref: 0027F7FC
__swprintf.LIBCMT ref: 0027F81E
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 0027F88D

Strings

Line %d:, xrefs: 0027F818
Line %d (File "%s"):, xrefs: 0027F833
%s (%d) : ==> %s.: %s %s, xrefs: 0027F7F7
Error: , xrefs: 0027F85B
., xrefs: 0027F873

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1506413516-4153970271
Opcode ID: 54ad944560e88d56dfc72db3a56d9012adbfb18d603752ea63dd5461ee30ba48
Instruction ID: 34d1257baf60ed78eef614350ba228a131520b2ef24296d01bb7c1994993b11e
Opcode Fuzzy Hash: 54ad944560e88d56dfc72db3a56d9012adbfb18d603752ea63dd5461ee30ba48
Instruction Fuzzy Hash: 23218F3286422ABBCF15EFD0DC0AEEE7738BF15300F044466B519661A1EA719A38CF51

Function 002852C7 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00227BCC: _memmove.LIBCMT ref: 00227C06

Part of subcall function 00227924: _memmove.LIBCMT ref: 002279AD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00285330
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00285346
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00285357
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00285369
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0028537A

Strings

alias PlayMe, xrefs: 00285309
close PlayMe, xrefs: 00285341, 0028536E
open , xrefs: 002852DF
status PlayMe mode, xrefs: 0028532B
play PlayMe wait, xrefs: 00285364
play PlayMe, xrefs: 00285375

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: b4b0588ec803ce6f19f0c4b4d22a858bac6fa01fb66a2c95d6c5eb788e42b667
Instruction ID: 05f300632047bd6a232f1eecd7ea831d7ce850e0727abef316563b24d8a085d9
Opcode Fuzzy Hash: b4b0588ec803ce6f19f0c4b4d22a858bac6fa01fb66a2c95d6c5eb788e42b667
Instruction Fuzzy Hash: AA11C835A7423979D720BBB1DC4ADFFBB7CEB92B40F00046A7401921D1DDA04D65CAA0

Function 002846B7 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 002846D2
gethostname.WSOCK32(?,00000100), ref: 002846EC
gethostbyname.WSOCK32(?), ref: 002846F9
_wcscpy.LIBCMT ref: 00284721
_memmove.LIBCMT ref: 00284734
inet_ntoa.WSOCK32(?), ref: 0028473F
_strcat.LIBCMT ref: 0028474D
_wcscpy.LIBCMT ref: 00284764
WSACleanup.WSOCK32 ref: 00284772
_wcscpy.LIBCMT ref: 00284780

Strings

0.0.0.0, xrefs: 0028471B

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: c669709fa9533b3970c35bfecd108d29330ebf31295d62306e6ef7a07a12a1d9
Instruction ID: c656f601206888582ccd8a8e8f01330164eda44e843cb674146ee8ef2315eda8
Opcode Fuzzy Hash: c669709fa9533b3970c35bfecd108d29330ebf31295d62306e6ef7a07a12a1d9
Instruction Fuzzy Hash: E6112735920116AFCB64BF70AC4AEEABBBCEF02711F0001B6F54596091FF748DA58B50

Function 00284F75 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00284F7A

Part of subcall function 0024049F: timeGetTime.WINMM(?,75A4B400,00230E7B), ref: 002404A3

Sleep.KERNEL32(0000000A), ref: 00284FA6
EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00284FCA
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00284FEC
SetActiveWindow.USER32 ref: 0028500B
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00285019
SendMessageW.USER32(00000010,00000000,00000000), ref: 00285038
Sleep.KERNEL32(000000FA), ref: 00285043
IsWindow.USER32 ref: 0028504F
EndDialog.USER32(00000000), ref: 00285060

Strings

BUTTON, xrefs: 00284FDE

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 7cfa04f67e5ccc33efca02501e6980d505e02d1a4dc6aa2b109c47e7291924ed
Instruction ID: 50eeea5e600b42917dbaac2a401982333f7c6714f567c27e3be8a88c41bc8972
Opcode Fuzzy Hash: 7cfa04f67e5ccc33efca02501e6980d505e02d1a4dc6aa2b109c47e7291924ed
Instruction Fuzzy Hash: 0621B078651A52AFE7507F70FDCCA363BA9EB1A785B441028F606851F1CF654D208B71

Function 0028D58D Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00229837: __itow.LIBCMT ref: 00229862
Part of subcall function 00229837: __swprintf.LIBCMT ref: 002298AC

CoInitialize.OLE32(00000000), ref: 0028D5EA
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0028D67D
SHGetDesktopFolder.SHELL32(?), ref: 0028D691
CoCreateInstance.OLE32(002B2D7C,00000000,00000001,002D8C1C,?), ref: 0028D6DD
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0028D74C
CoTaskMemFree.OLE32(?,?), ref: 0028D7A4
_memset.LIBCMT ref: 0028D7E1
SHBrowseForFolderW.SHELL32(?), ref: 0028D81D
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0028D840
CoTaskMemFree.OLE32(00000000), ref: 0028D847
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 0028D87E
CoUninitialize.OLE32(00000001,00000000), ref: 0028D880

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 2a3646db6040a2898a522ba5f39fe9f69333116d624e7d4a265f6fe5900ce3d2
Instruction ID: 42e0a61c24e3ab2ede2fcf4131291f4295b6158664d3454221fdc9f57ace6680
Opcode Fuzzy Hash: 2a3646db6040a2898a522ba5f39fe9f69333116d624e7d4a265f6fe5900ce3d2
Instruction Fuzzy Hash: 13B10B75A10119AFDB04EFA4D888DAEBBB9FF49304F048469E909DB2A1DB30ED55CF50

Function 0027C267 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 0027C283
GetWindowRect.USER32(00000000,?), ref: 0027C295
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0027C2F3
GetDlgItem.USER32(?,00000002), ref: 0027C2FE
GetWindowRect.USER32(00000000,?), ref: 0027C310
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0027C364
GetDlgItem.USER32(?,000003E9), ref: 0027C372
GetWindowRect.USER32(00000000,?), ref: 0027C383
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0027C3C6
GetDlgItem.USER32(?,000003EA), ref: 0027C3D4
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0027C3F1
InvalidateRect.USER32(?,00000000,00000001), ref: 0027C3FE

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: a1c097ec312420a0c1c72a92b4413872ab701c359ee2962865696127f1c6879d
Instruction ID: d7be35e92e6f9a438fb992f8414098f771f9bc7c879baa31491b758b8974b230
Opcode Fuzzy Hash: a1c097ec312420a0c1c72a92b4413872ab701c359ee2962865696127f1c6879d
Instruction Fuzzy Hash: 2A516571B10205AFDB18CFB9DD89A6EBBBAFB89710F14812DF519D7290DB709D048B10

Function 0022201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00221B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00222036,?,00000000,?,?,?,?,002216CB,00000000,?), ref: 00221B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 002220D3
KillTimer.USER32(-00000001,?,?,?,?,002216CB,00000000,?,?,00221AE2,?,?), ref: 0022216E
DestroyAcceleratorTable.USER32(00000000), ref: 0025BCA6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,002216CB,00000000,?,?,00221AE2,?,?), ref: 0025BCD7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,002216CB,00000000,?,?,00221AE2,?,?), ref: 0025BCEE
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,002216CB,00000000,?,?,00221AE2,?,?), ref: 0025BD0A
DeleteObject.GDI32(00000000), ref: 0025BD1C

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: d75803936670c4fc4144a9ad344d02c7fb8b5d0aa2616ec6663c5d80e06eb624
Instruction ID: 831f0f20e0c3536f365e4f03f3038faf8ee0c6d9829d4159b53aa491f13ae991
Opcode Fuzzy Hash: d75803936670c4fc4144a9ad344d02c7fb8b5d0aa2616ec6663c5d80e06eb624
Instruction Fuzzy Hash: 0D61CD30130A61FFCB369F54EA88B25B7F1FB11306F504428E9424A570CBB6A8B8DF50

Function 002221A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 002225DB: GetWindowLongW.USER32(?,000000EB), ref: 002225EC

GetSysColor.USER32(0000000F), ref: 002221D3

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 799935484e1faa5c2e46353542c7cd1b4e4aa322a8d144c968d77954e5c98a4b
Instruction ID: fbcc4dc589cb06bef54326085cca1cf6ace87d8d2ac3d9cfcf6bd69e4a5d213e
Opcode Fuzzy Hash: 799935484e1faa5c2e46353542c7cd1b4e4aa322a8d144c968d77954e5c98a4b
Instruction Fuzzy Hash: 4841D030010160FBDB255FA8FC88BB93B65EB06321F584365FD659A1E2CB738C66DB21

Function 0028A8A7 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,002AF910), ref: 0028A90B
GetDriveTypeW.KERNEL32(00000061,002D89A0,00000061), ref: 0028A9D5
_wcscpy.LIBCMT ref: 0028A9FF

Strings

cdrom, xrefs: 0028A927
fixed, xrefs: 0028A953
ramdisk, xrefs: 0028A97F
unknown, xrefs: 0028A996
removable, xrefs: 0028A93D
network, xrefs: 0028A969
all, xrefs: 0028A911

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 1059b65d12a878cb6e47a93839bbba0c670eabd19a79f81922d2ba8aa45557e1
Instruction ID: c6fd00f587a61be752c83f36138524a74d55d9b78f056590e28c67352baec5ec
Opcode Fuzzy Hash: 1059b65d12a878cb6e47a93839bbba0c670eabd19a79f81922d2ba8aa45557e1
Instruction Fuzzy Hash: 7651AA35138311ABD304EF14D892AAEB7A5AF85300F04482AF59A572E2DB709D69CB93

Function 00229837 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00229862
__swprintf.LIBCMT ref: 002298AC
__i64tow.LIBCMT ref: 0025F5E6

Strings

False, xrefs: 0025F5AE
True, xrefs: 0025F5A7
0x%p, xrefs: 0025F5C8
%.15g, xrefs: 002298A6

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: 70c9080fd9797b86383ec361a61385545d9cfa6678fbab4c47c52c950a4d282e
Instruction ID: 2935c7507ac7cd128aff6ff229dc3332b5eba6143990580811cd604da19a5a00
Opcode Fuzzy Hash: 70c9080fd9797b86383ec361a61385545d9cfa6678fbab4c47c52c950a4d282e
Instruction Fuzzy Hash: D9411771930206AFDB28DF74D942E7673E8FF06300F64447EE949D7281EA7199A58F11

Function 002A7152 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002A716A
CreateMenu.USER32 ref: 002A7185
SetMenu.USER32(?,00000000), ref: 002A7194
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 002A7221
IsMenu.USER32(?), ref: 002A7237
CreatePopupMenu.USER32 ref: 002A7241
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 002A726E
DrawMenuBar.USER32 ref: 002A7276

Strings

F, xrefs: 002A7262
0, xrefs: 002A7160

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 00a705581a84074955baf689e90b22f18958d67644afd18713168f13ddec6aee
Instruction ID: 4399d012cfcc79307bc1bf6a0cbf80aa16956f7344c1fab80a4e2ed562fab653
Opcode Fuzzy Hash: 00a705581a84074955baf689e90b22f18958d67644afd18713168f13ddec6aee
Instruction Fuzzy Hash: 17413775A11205EFDB20DFA4E998F9ABBB5FF4A310F144028FD4597361DB31A920CB94

Function 002A74BB Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 002A755E
CreateCompatibleDC.GDI32(00000000), ref: 002A7565
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 002A7578
SelectObject.GDI32(00000000,00000000), ref: 002A7580
GetPixel.GDI32(00000000,00000000,00000000), ref: 002A758B
DeleteDC.GDI32(00000000), ref: 002A7594
GetWindowLongW.USER32(?,000000EC), ref: 002A759E
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 002A75B2
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 002A75BE

Strings

static, xrefs: 002A74F6

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 0a163cc860d8ac64c5ac46b148d95df394cd7fd73ef3bf41a3d7041cef9042d2
Instruction ID: 16099471e0b4a9adc42732b1c34b64777b942ca3af547a55a6f25cbbe140cf5b
Opcode Fuzzy Hash: 0a163cc860d8ac64c5ac46b148d95df394cd7fd73ef3bf41a3d7041cef9042d2
Instruction Fuzzy Hash: 08318D72514215BBDF129FA4ED08FEB3B69FF0A720F110224FA55A60A0DB35D821DFA4

Function 00246E03 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00246E3E

Part of subcall function 00248B28: __getptd_noexit.LIBCMT ref: 00248B28

__gmtime64_s.LIBCMT ref: 00246ED7
__gmtime64_s.LIBCMT ref: 00246F0D
__gmtime64_s.LIBCMT ref: 00246F2A
__allrem.LIBCMT ref: 00246F80
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00246F9C
__allrem.LIBCMT ref: 00246FB3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00246FD1
__allrem.LIBCMT ref: 00246FE8
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00247006
__invoke_watson.LIBCMT ref: 00247077

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction ID: 6b73926a0551c01f6558414b8fbe3a275de59ba82a384774bfe1f0d5883f8738
Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction Fuzzy Hash: 49713772A20B17ABD718EE78CC41B6AB3F8AF01764F104229F814DB281F770DD648B91

Function 00282527 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00282542
GetMenuItemInfoW.USER32(002E5890,000000FF,00000000,00000030), ref: 002825A3
SetMenuItemInfoW.USER32(002E5890,00000004,00000000,00000030), ref: 002825D9
Sleep.KERNEL32(000001F4), ref: 002825EB
GetMenuItemCount.USER32(?), ref: 0028262F
GetMenuItemID.USER32(?,00000000), ref: 0028264B
GetMenuItemID.USER32(?,-00000001), ref: 00282675
GetMenuItemID.USER32(?,?), ref: 002826BA
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00282700
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00282714
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00282735

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: a53f6f1a6ba47c8887b9eda48f151d2b021b03b813f5784a24164776507a0b0c
Instruction ID: ade1f1b04a95df06cd47ae75d95a8ab1d5beeb1b6f70002032524b5bf43e83aa
Opcode Fuzzy Hash: a53f6f1a6ba47c8887b9eda48f151d2b021b03b813f5784a24164776507a0b0c
Instruction Fuzzy Hash: 1561D47892125AEFDF11EFA4DD88DBEBBBCEB01304F544059E841A7291D735AD29CB20

Function 002A6F23 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 002A6FA5
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 002A6FA8
GetWindowLongW.USER32(?,000000F0), ref: 002A6FCC
_memset.LIBCMT ref: 002A6FDD
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 002A6FEF
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 002A7067

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 52989594b209810f046bc1abbc1c17c9e1731f6c2aad23a3757af2e824ac4f87
Instruction ID: 784d592393f37119f4e68670b0a57b655ec4996e141fa7c38ad2c139c6e9b39b
Opcode Fuzzy Hash: 52989594b209810f046bc1abbc1c17c9e1731f6c2aad23a3757af2e824ac4f87
Instruction Fuzzy Hash: C0618B74910248AFDB10DFA4CC85EEE77F8AB0A710F140169FA14EB2A1CB71AD51CF90

Function 00276B98 Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00276BBF
SafeArrayAllocData.OLEAUT32(?), ref: 00276C18
VariantInit.OLEAUT32(?), ref: 00276C2A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00276C4A
VariantCopy.OLEAUT32(?,?), ref: 00276C9D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00276CB1
VariantClear.OLEAUT32(?), ref: 00276CC6
SafeArrayDestroyData.OLEAUT32(?), ref: 00276CD3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00276CDC
VariantClear.OLEAUT32(?), ref: 00276CEE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00276CF9

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: c696236b2d4cdef0eac14aff01b2eb3a5910e9dd9f0f2c7038e84da2f6a18773
Instruction ID: ce9ff56ded7209d7ed2c0e6d803b017bf46233cfd1b872e178469600c10dc212
Opcode Fuzzy Hash: c696236b2d4cdef0eac14aff01b2eb3a5910e9dd9f0f2c7038e84da2f6a18773
Instruction Fuzzy Hash: 7B415E31A10219AFDF00DFA8D94C9EEBBB9EF09354F00C069E955E7261DB34A955CF90

Function 00295732 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00295793
inet_addr.WSOCK32(?,?,?), ref: 002957D8
gethostbyname.WSOCK32(?), ref: 002957E4
IcmpCreateFile.IPHLPAPI ref: 002957F2
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00295862
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00295878
IcmpCloseHandle.IPHLPAPI(00000000), ref: 002958ED
WSACleanup.WSOCK32 ref: 002958F3

Strings

Ping, xrefs: 00295816

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 61e8bd735781b59cfe69395b96cb5758962ce6dfa144474fcbde4085cdc0222d
Instruction ID: 80b1a5ebc9dee62b08bdf695fada2e3ba4f0a8c683d979274e32c797504e54ee
Opcode Fuzzy Hash: 61e8bd735781b59cfe69395b96cb5758962ce6dfa144474fcbde4085cdc0222d
Instruction Fuzzy Hash: 82519F31620A21AFDB11EF64EC49B2AB7E4FF45710F048929F956DB2A1DB70E850DF41

Function 0028B4C3 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0028B4D0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0028B546
GetLastError.KERNEL32 ref: 0028B550
SetErrorMode.KERNEL32(00000000,READY), ref: 0028B5BD

Strings

READONLY, xrefs: 0028B588
READY, xrefs: 0028B596
NOTREADY, xrefs: 0028B57C
INVALID, xrefs: 0028B58F
UNKNOWN, xrefs: 0028B575

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 9aa0377ef7cab093690cbad31c29db21426513761dbef5183247a3f3e0397889
Instruction ID: d55bb60401659d33ed2a63eda2bab81128066e661989a36a55bb5cc47c10ad48
Opcode Fuzzy Hash: 9aa0377ef7cab093690cbad31c29db21426513761dbef5183247a3f3e0397889
Instruction Fuzzy Hash: 3331A139A20206AFCB11FFA8D845EAE77B4FF09305F50402AE505D72D1DB749A62CB91

Function 00278F8F Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00227DE1: _memmove.LIBCMT ref: 00227E22

Part of subcall function 0027AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0027AABC

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00279014
GetDlgCtrlID.USER32 ref: 0027901F
GetParent.USER32 ref: 0027903B
SendMessageW.USER32(00000000,?,00000111,?), ref: 0027903E
GetDlgCtrlID.USER32(?), ref: 00279047
GetParent.USER32(?), ref: 00279063
SendMessageW.USER32(00000000,?,?,00000111), ref: 00279066

Strings

ComboBox, xrefs: 00278F9C
ListBox, xrefs: 00278FD1

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 8cf7a419c1f1dc5f682dc9bad0a2c7a1219ce4afd42f43896c2e1912e86c5b41
Instruction ID: 421d063161f552529d3dd0ab9eee4723f321e8cdfa803f3804a0b2e18e4e62e8
Opcode Fuzzy Hash: 8cf7a419c1f1dc5f682dc9bad0a2c7a1219ce4afd42f43896c2e1912e86c5b41
Instruction Fuzzy Hash: 9A21D670A10209BBDF04ABA0DC89EFEBB78EF46310F104155F925972A1DF795865DF60

Function 0027907A Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00227DE1: _memmove.LIBCMT ref: 00227E22

Part of subcall function 0027AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0027AABC

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 002790FD
GetDlgCtrlID.USER32 ref: 00279108
GetParent.USER32 ref: 00279124
SendMessageW.USER32(00000000,?,00000111,?), ref: 00279127
GetDlgCtrlID.USER32(?), ref: 00279130
GetParent.USER32(?), ref: 0027914C
SendMessageW.USER32(00000000,?,?,00000111), ref: 0027914F

Strings

ComboBox, xrefs: 00279087
ListBox, xrefs: 002790BC

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 5d5664c112871773279ffda5dc89fa951ecab908b4f848334922d393551c3498
Instruction ID: 23d5fe9aa11de400a3baddfe36c661c0e07e3e8c4ea10dd18ebe27303ee7b630
Opcode Fuzzy Hash: 5d5664c112871773279ffda5dc89fa951ecab908b4f848334922d393551c3498
Instruction Fuzzy Hash: B521F574A10219BBDF10ABE0DC89EFEBB78EF45300F008016B925972A1DB794865DF60

Function 00279163 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 0027916F
GetClassNameW.USER32(00000000,?,00000100), ref: 00279184
_wcscmp.LIBCMT ref: 00279196
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00279211

Strings

SHELLDLL_DefView, xrefs: 00279190
largeicons, xrefs: 002791A5
list, xrefs: 002791F3
details, xrefs: 002791BF
smallicons, xrefs: 002791D9

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: 6ff175772ef73fb7b976473a4aa069abbce91112c0bb1ad639825135a360073e
Instruction ID: a84241a020047f755a03b8b4faa4b806a5cfc57e27361f0b7c567daae8e2dcc8
Opcode Fuzzy Hash: 6ff175772ef73fb7b976473a4aa069abbce91112c0bb1ad639825135a360073e
Instruction Fuzzy Hash: 56112B372B8307B6EA143628EC1ADA7379C9B16720F204026FD18E00D2FEB56CB15D84

Function 00287990 Relevance: 15.3, APIs: 10, Instructions: 292COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00287A6C

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: c7f81a028e24a02b4408cad1bb79509486710111eedc845dbc18ace5fdf9e311
Instruction ID: 741cfd8661b7d544c57b8f2f1fdd18d78d5f4b92661120333e4bfb5df6c88e9c
Opcode Fuzzy Hash: c7f81a028e24a02b4408cad1bb79509486710111eedc845dbc18ace5fdf9e311
Instruction Fuzzy Hash: 83B1B17992521A9FDB00EFA4D884BBEB7B4FF09325F24402AE601E7281D774E951CF90

Function 002811CE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 002811F0
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00280268,?,00000001), ref: 00281204
GetWindowThreadProcessId.USER32(00000000), ref: 0028120B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00280268,?,00000001), ref: 0028121A
GetWindowThreadProcessId.USER32(?,00000000), ref: 0028122C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00280268,?,00000001), ref: 00281245
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00280268,?,00000001), ref: 00281257
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00280268,?,00000001), ref: 0028129C
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00280268,?,00000001), ref: 002812B1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00280268,?,00000001), ref: 002812BC

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: e1720fb0580d79b803188563135378865e359d20893ac4f6a629051223254355
Instruction ID: 901a88951612196a5d104a152b59f9dd2548ef2c5f879b612dd0f328368b3350
Opcode Fuzzy Hash: e1720fb0580d79b803188563135378865e359d20893ac4f6a629051223254355
Instruction Fuzzy Hash: B4310E79651214FBDBA0AFA0FD8CFA937ACEB65351F104124FC01CA1E0DBB49D618B60

Function 0022FA5D Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 0022FAA6
OleUninitialize.OLE32(?,00000000), ref: 0022FB45
UnregisterHotKey.USER32(?), ref: 0022FC9C
DestroyWindow.USER32(?), ref: 002645D6
FreeLibrary.KERNEL32(?), ref: 0026463B
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00264668

Strings

close all, xrefs: 0022FAA1

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 087fe8d602e91a4185f7500ea171d6551bbc2381a45264e313848d8ea52e4737
Instruction ID: 39ac11122c9857690e40470e88c1154d2649e242becab5d8420f79fba6cc100a
Opcode Fuzzy Hash: 087fe8d602e91a4185f7500ea171d6551bbc2381a45264e313848d8ea52e4737
Instruction Fuzzy Hash: 39A18E30721222DFCB59EF54D694A69F364BF15704F5442BDE84AAB261CB30ACB2CF90

Function 00299113 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00299167
VariantInit.OLEAUT32(?), ref: 00299238
VariantInit.OLEAUT32(?), ref: 00299339
VariantClear.OLEAUT32(?), ref: 00299343
VariantClear.OLEAUT32(?), ref: 002993A0

Strings

Null Object assignment in FOR..IN loop, xrefs: 002991C8, 002992F6, 002993AE
,,+, xrefs: 002991E5
Incorrect Object type in FOR..IN loop, xrefs: 0029931C

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: ,,+$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-4011182307
Opcode ID: 88075caa263f97e384474cba38315fe3c238dc46ac4e4e94418791aead820c12
Instruction ID: 7015c43e126028788b5cb8ce7cc27bd45a4a80768ca7804e330c5fb700736235
Opcode Fuzzy Hash: 88075caa263f97e384474cba38315fe3c238dc46ac4e4e94418791aead820c12
Instruction Fuzzy Hash: C0917171E20216ABDF24DF99C848FAEB7B8EF45720F10815DF915AB280D7709995CFA0

Function 0027A068 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,0027A439), ref: 0027A377

Strings

INSTANCE, xrefs: 0027A285
CLASS, xrefs: 0027A0F6
NAME, xrefs: 0027A1A9
REGEXPCLASS, xrefs: 0027A13C
CLASSNN, xrefs: 0027A119
TEXT, xrefs: 0027A2AE

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 330f7bef3452749ecf4700da7796d71c91f9b231552f8e8da62d4db177a5c857
Instruction ID: 27d5047295d49f87adcf89d183e0214ca33651e6a1b35cdbecdde3b408ec2c2b
Opcode Fuzzy Hash: 330f7bef3452749ecf4700da7796d71c91f9b231552f8e8da62d4db177a5c857
Instruction Fuzzy Hash: D291C231624616AACB08DFA0C492BEDFB74BF44320F54C11AE94DA7251DF3169B9CF91

Function 00222E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00222EAE

Part of subcall function 00221DB3: GetClientRect.USER32(?,?), ref: 00221DDC
Part of subcall function 00221DB3: GetWindowRect.USER32(?,?), ref: 00221E1D
Part of subcall function 00221DB3: ScreenToClient.USER32(?,?), ref: 00221E45

GetDC.USER32 ref: 0025CD32
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0025CD45
SelectObject.GDI32(00000000,00000000), ref: 0025CD53
SelectObject.GDI32(00000000,00000000), ref: 0025CD68
ReleaseDC.USER32(?,00000000), ref: 0025CD70
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0025CDFB

Strings

U, xrefs: 0025CCD0

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 74bc21b8a812613efd7da0f807113a04d14a18ffa949990f83584227d7ff8a48
Instruction ID: 5f059955bba0e5fd2a4849d32621addb1d4b8994d2754f8c65fe8b7b6b5d1bf3
Opcode Fuzzy Hash: 74bc21b8a812613efd7da0f807113a04d14a18ffa949990f83584227d7ff8a48
Instruction Fuzzy Hash: D9711530420306EFCF218FA4DC84AEA7BB5FF49316F24426AED559A265E7319868DF50

Function 00291A15 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00291A50
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00291A7C
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00291ABE
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00291AD3
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00291AE0
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00291B10
InternetCloseHandle.WININET(00000000), ref: 00291B57

Part of subcall function 00292483: GetLastError.KERNEL32(?,?,00291817,00000000,00000000,00000001), ref: 00292498
Part of subcall function 00292483: SetEvent.KERNEL32(?,?,00291817,00000000,00000000,00000001), ref: 002924AD

Strings

, xrefs: 00291B01

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
String ID:
API String ID: 2603140658-3916222277
Opcode ID: a7167963f38908db026bfad743d600395028b85a025e84c17dc77f8b0fe5b094
Instruction ID: dca77c05337c7b44df515e74a41a9eea15d66d5630e4aa9e94d67fffced3fb1a
Opcode Fuzzy Hash: a7167963f38908db026bfad743d600395028b85a025e84c17dc77f8b0fe5b094
Instruction Fuzzy Hash: 8C4192B151121ABFEF118F51CC99FBB77ADEF09354F004126FD059A181EB749E648BA0

Function 00298C46 Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,002AF910), ref: 00298D28
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,002AF910), ref: 00298D5C
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00298ED6
SysFreeString.OLEAUT32(?), ref: 00298F00

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 43e9c1abfa4971999fd4bcb0eec569b5a53b0f40b8d44101e6b07e799f4ba440
Instruction ID: 6fe449c02c0ed6be1c5b58d6ecaeec627048ab7086d3f22b5b629e20bfa34898
Opcode Fuzzy Hash: 43e9c1abfa4971999fd4bcb0eec569b5a53b0f40b8d44101e6b07e799f4ba440
Instruction Fuzzy Hash: 22F16971A10209EFDF14DF98C888EAEB7B9FF49314F148458F915AB250DB31AE95CB60

Function 0029F694 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0029F6B5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0029F848
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0029F86C
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0029F8AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0029F8CE
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0029FA4A
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0029FA7C
CloseHandle.KERNEL32(?), ref: 0029FAAB
CloseHandle.KERNEL32(?), ref: 0029FB22

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 19978931bd10bbaaccaa685463e4a0ca5345957e222f2e7d38d1c4f19b99d9fa
Instruction ID: 92d303fa212b3c48db5908adf4283050f77445a681e3b1c3e3202e165cdde9a6
Opcode Fuzzy Hash: 19978931bd10bbaaccaa685463e4a0ca5345957e222f2e7d38d1c4f19b99d9fa
Instruction Fuzzy Hash: C2E1C231624301AFCB94EF64D981B6ABBE1EF85314F14886DF8958B2A1CB30DC65CF52

Function 00284CC1 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0028466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00283697,?), ref: 0028468B

Part of subcall function 0028466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00283697,?), ref: 002846A4

Part of subcall function 00284A31: GetFileAttributesW.KERNEL32(?,0028370B), ref: 00284A32

lstrcmpiW.KERNEL32(?,?), ref: 00284D40
_wcscmp.LIBCMT ref: 00284D5A
MoveFileW.KERNEL32(?,?), ref: 00284D75

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 87717e17a1d9b71b9d7ad3cd05115466b41d64cb91b91aa89689dfd43b6778f5
Instruction ID: 4a7158bb413f2f8d8b02333a393a5f30ffcc369ac46bf4e96a3384d69691ae5a
Opcode Fuzzy Hash: 87717e17a1d9b71b9d7ad3cd05115466b41d64cb91b91aa89689dfd43b6778f5
Instruction Fuzzy Hash: 095184B64183469BC724FFA0D8819DFB3ECAF85310F40092EB689D3191EF74A198CB56

Function 002A8645 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 002A86FF

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 3c629123a9b28b1f9d3d31772de45f1399e7fd3387f5d3e3cd0a1f49fe2a1874
Instruction ID: 7d27b3e704ec87fcd1bdc5a0839d102c13bd701e361624ef4ed3cfdd759028cf
Opcode Fuzzy Hash: 3c629123a9b28b1f9d3d31772de45f1399e7fd3387f5d3e3cd0a1f49fe2a1874
Instruction Fuzzy Hash: 7851D334530255BFEB249F64DC89FAD7BA9EB07714F600221F950E61A0DFB6A9B0CB40

Function 00222B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0025C2F7
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0025C319
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0025C331
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0025C34F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0025C370
DestroyIcon.USER32(00000000), ref: 0025C37F
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0025C39C
DestroyIcon.USER32(?), ref: 0025C3AB

Part of subcall function 002AA4AF: DeleteObject.GDI32(00000000), ref: 002AA4E8

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: 100978620417be5a50467835cdfebc846967dbeec27dfd6f9c8cf57ced04d93f
Instruction ID: 5c02a5e291fc4bd5599e4eaf397423aaf80768292af0b05236d7efe08557a3aa
Opcode Fuzzy Hash: 100978620417be5a50467835cdfebc846967dbeec27dfd6f9c8cf57ced04d93f
Instruction Fuzzy Hash: 1D517D70620319FFDB20DFA4EC45BAA77B5EB08315F104529F902972A0DBB5EDA4DB50

Function 0027966E Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0027A82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0027A84C
Part of subcall function 0027A82C: GetCurrentThreadId.KERNEL32 ref: 0027A853
Part of subcall function 0027A82C: AttachThreadInput.USER32(00000000,?,00279683,?,00000001), ref: 0027A85A

MapVirtualKeyW.USER32(00000025,00000000), ref: 0027968E
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 002796AB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 002796AE
MapVirtualKeyW.USER32(00000025,00000000), ref: 002796B7
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 002796D5
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 002796D8
MapVirtualKeyW.USER32(00000025,00000000), ref: 002796E1
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 002796F8
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 002796FB

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 3f0bb487fd58c2d15001bda5746856b56295e6b3f3858c4d96ecebac37943028
Instruction ID: e887ad0abb01e2414e3b6b081123578f8e66db77c3d9fd4cf3d22e7509ccc6cf
Opcode Fuzzy Hash: 3f0bb487fd58c2d15001bda5746856b56295e6b3f3858c4d96ecebac37943028
Instruction Fuzzy Hash: 2311CEB1920618BFF6106FA0AC8DF6A3A2DEB4D760F100425F658AB0A0CDF25C51DEA4

Function 00278921 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0027853C,00000B00,?,?), ref: 0027892A
HeapAlloc.KERNEL32(00000000,?,0027853C,00000B00,?,?), ref: 00278931
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0027853C,00000B00,?,?), ref: 00278946
GetCurrentProcess.KERNEL32(?,00000000,?,0027853C,00000B00,?,?), ref: 0027894E
DuplicateHandle.KERNEL32(00000000,?,0027853C,00000B00,?,?), ref: 00278951
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0027853C,00000B00,?,?), ref: 00278961
GetCurrentProcess.KERNEL32(0027853C,00000000,?,0027853C,00000B00,?,?), ref: 00278969
DuplicateHandle.KERNEL32(00000000,?,0027853C,00000B00,?,?), ref: 0027896C
CreateThread.KERNEL32(00000000,00000000,00278992,00000000,00000000,00000000), ref: 00278986

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 9b26490d754234de40a80b2c9335476a5bf054b1229df862029f314565736baf
Instruction ID: 7adc2ed1c5cffa323a175bad53318d0439c847f1049cd163bd007109fb3a5aa9
Opcode Fuzzy Hash: 9b26490d754234de40a80b2c9335476a5bf054b1229df862029f314565736baf
Instruction Fuzzy Hash: 3C01BF75240304FFE750ABA5ED4DF673B6CEB89711F418421FA09DB191DA749C00CB20

Function 00299B23 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 00299BA4, 00299EC8
Not an Object type, xrefs: 00299B7B

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: f9ee96f52b0f3adbe70d6fa9290306fa2cd7827418acd24c64386c84994101b5
Instruction ID: a51875eb4809bdde5de404a45a24ae60063856390009c0799f4ee3d6dbb97135
Opcode Fuzzy Hash: f9ee96f52b0f3adbe70d6fa9290306fa2cd7827418acd24c64386c84994101b5
Instruction Fuzzy Hash: 7BC19371A1020A9FDF10DF98D884BAEB7F5FF48324F14846EE945A7280E7709D94CB60

Function 0029975D Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 0027710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00277044,80070057,?,?,?,00277455), ref: 00277127
Part of subcall function 0027710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00277044,80070057,?,?), ref: 00277142
Part of subcall function 0027710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00277044,80070057,?,?), ref: 00277150
Part of subcall function 0027710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00277044,80070057,?), ref: 00277160

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00299806
_memset.LIBCMT ref: 00299813
_memset.LIBCMT ref: 00299956
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00299982
CoTaskMemFree.OLE32(?), ref: 0029998D

Strings

NULL Pointer assignment, xrefs: 002999DB

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: c64c9a6e55b138c33c07b61697745b186dbbf98ed3e4aff8102cfd3bfd5681f1
Instruction ID: 0f9d495bdf23af4bd06289ca6d1ff0a8ae45e38e837179de1753336dc3aeb797
Opcode Fuzzy Hash: c64c9a6e55b138c33c07b61697745b186dbbf98ed3e4aff8102cfd3bfd5681f1
Instruction Fuzzy Hash: DA913671D10229EBDF10DFA5DC44ADEBBB9AF09320F20815AF419A7281DB719A54CFA0

Function 002A6D80 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 002A6E24
SendMessageW.USER32(?,00001036,00000000,?), ref: 002A6E38
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 002A6E52
_wcscat.LIBCMT ref: 002A6EAD
SendMessageW.USER32(?,00001057,00000000,?), ref: 002A6EC4
SendMessageW.USER32(?,00001061,?,0000000F), ref: 002A6EF2

Strings

SysListView32, xrefs: 002A6DF6

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: a755aaca60462a55fec5d519ccc6bc80e1b827c1d9ddb24b78a832c1c2d9c17a
Instruction ID: ddb401cb5b0340af1758bfb461ec374062ba54c9913082da6373f8dce78e30d6
Opcode Fuzzy Hash: a755aaca60462a55fec5d519ccc6bc80e1b827c1d9ddb24b78a832c1c2d9c17a
Instruction Fuzzy Hash: 1141C370A10349EFDB219FA4CC89FEE77A8EF09750F14042AF545E7191DB719DA48B50

Function 0029E933 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00283C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00283C7A
Part of subcall function 00283C55: Process32FirstW.KERNEL32(00000000,?), ref: 00283C88
Part of subcall function 00283C55: CloseHandle.KERNEL32(00000000), ref: 00283D52

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0029E9A4
GetLastError.KERNEL32 ref: 0029E9B7
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0029E9E6
TerminateProcess.KERNEL32(00000000,00000000), ref: 0029EA63
GetLastError.KERNEL32(00000000), ref: 0029EA6E
CloseHandle.KERNEL32(00000000), ref: 0029EAA3

Strings

SeDebugPrivilege, xrefs: 0029E9C2

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: f611083e4296757879741168a712b731e4d72f09bf926c9680ac7027a5823000
Instruction ID: 4125cd2550ccc386bd719b9d61e6bdd11e951a6a4b8eb9ace60c8fcdb761d5d1
Opcode Fuzzy Hash: f611083e4296757879741168a712b731e4d72f09bf926c9680ac7027a5823000
Instruction Fuzzy Hash: AF41CA71220201AFDF14EF64DC99F6EB7A5AF41310F188458F9069B2D2CBB4A864CF92

Function 00282F94 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00283033

Strings

info, xrefs: 00282FD4
blank, xrefs: 00282FB5
warning, xrefs: 0028301C
stop, xrefs: 00283004
question, xrefs: 00282FEC

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 7c8b724747d81182309eeac45616b1b844de1b845fdd7746d30dbfb4e1a3201a
Instruction ID: 7afa02676b5fda7a9e7f93596da1b79257eed32d7fd46c1ec21b9d9a16377c6d
Opcode Fuzzy Hash: 7c8b724747d81182309eeac45616b1b844de1b845fdd7746d30dbfb4e1a3201a
Instruction Fuzzy Hash: D411083A36D347BAD714EA55EC42C6B679C9F16720F50002AFA00A62C1DAB0AF6457A4

Function 002842F8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00284312
LoadStringW.USER32(00000000), ref: 00284319
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0028432F
LoadStringW.USER32(00000000), ref: 00284336
_wprintf.LIBCMT ref: 0028435C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0028437A

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00284357

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 86bc3d44f4006928179356ce11cd989290eb46b38272dba1ced3ae65e35ed96a
Instruction ID: c40791d048d12ae71e3089d34a84350a0e9d39aef6be897bbfe9b4da7d563c9c
Opcode Fuzzy Hash: 86bc3d44f4006928179356ce11cd989290eb46b38272dba1ced3ae65e35ed96a
Instruction Fuzzy Hash: 230167F6940208BFD751A7D4EE8DEE7776CDB09700F0005A1B749E2051EE745E954B74

Function 002AD43E Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00222612: GetWindowLongW.USER32(?,000000EB), ref: 00222623

GetSystemMetrics.USER32(0000000F), ref: 002AD47C
GetSystemMetrics.USER32(0000000F), ref: 002AD49C
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 002AD6D7
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 002AD6F5
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 002AD716
ShowWindow.USER32(00000003,00000000), ref: 002AD735
InvalidateRect.USER32(?,00000000,00000001), ref: 002AD75A
DefDlgProcW.USER32(?,00000005,?,?), ref: 002AD77D

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: baf388782c1361620e8d2325f5be44beb7b4a26a283eeb2c18a2ef6cb3eb2508
Instruction ID: 35a9c76a7c4c4a2da426e3e554adb0758936f27e223fdb4a20db4e630cd15097
Opcode Fuzzy Hash: baf388782c1361620e8d2325f5be44beb7b4a26a283eeb2c18a2ef6cb3eb2508
Instruction Fuzzy Hash: B6B1BD75910226EFDF18CF68C9C97AD7BB1BF05701F088069EC4A9F695DB34A960CB50

Function 00222A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0025C1C7,00000004,00000000,00000000,00000000), ref: 00222ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0025C1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00222B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0025C1C7,00000004,00000000,00000000,00000000), ref: 0025C21A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0025C1C7,00000004,00000000,00000000,00000000), ref: 0025C286

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 4956178312e0d9f3f57c0ae52e4a146ea6bacc73dc86b5b91ba4e7ab6eea35ae
Instruction ID: d1f439c32837372f8993ad65ec0725b0906cc8ab106ca89b004cb132c9b68918
Opcode Fuzzy Hash: 4956178312e0d9f3f57c0ae52e4a146ea6bacc73dc86b5b91ba4e7ab6eea35ae
Instruction Fuzzy Hash: 45414D30234791FFC7358FA8BD8C76A7BD1AB45304F24842DE48786960CAB698ADD710

Function 002870C6 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 002870DD

Part of subcall function 00240DB6: std::exception::exception.LIBCMT ref: 00240DEC
Part of subcall function 00240DB6: __CxxThrowException@8.LIBCMT ref: 00240E01

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00287114
EnterCriticalSection.KERNEL32(?), ref: 00287130
_memmove.LIBCMT ref: 0028717E
_memmove.LIBCMT ref: 0028719B
LeaveCriticalSection.KERNEL32(?), ref: 002871AA
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 002871BF
InterlockedExchange.KERNEL32(?,000001F6), ref: 002871DE

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: ea822efbac8f3e3f662e0dcb96f22f4192071ef1978bbd5034970bf8727f0418
Instruction ID: 2dd145b2b874d6945da1c1e6aa37fba5573c50e6f2947d3842bb34ce4db71326
Opcode Fuzzy Hash: ea822efbac8f3e3f662e0dcb96f22f4192071ef1978bbd5034970bf8727f0418
Instruction Fuzzy Hash: C7319035A10205EBDB50EFA4ED89AAEB778EF45310F1440B5FD04AB246DB74DE64CB60

Function 002A61D3 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 002A61EB
GetDC.USER32(00000000), ref: 002A61F3
GetDeviceCaps.GDI32(00000000,0000005A), ref: 002A61FE
ReleaseDC.USER32(00000000,00000000), ref: 002A620A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 002A6246
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 002A6257
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,002A902A,?,?,000000FF,00000000,?,000000FF,?), ref: 002A6291
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 002A62B1

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 73d77ec8f0bff358249f98c6631861bf05ee5b1780e82af2f7af665f1eee7108
Instruction ID: 82f0145304bdf8e9002079f6f31e7dbcf66c7c20ccaf6195d1cda68791c8e578
Opcode Fuzzy Hash: 73d77ec8f0bff358249f98c6631861bf05ee5b1780e82af2f7af665f1eee7108
Instruction Fuzzy Hash: BC317F72111210BFEB118F50DD8AFEB3BADEF4A765F084065FE089A291CB799C51CB64

Function 0027BBAF Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 0027BBC4
_memcmp.LIBCMT ref: 0027BBE6
_memcmp.LIBCMT ref: 0027BBFE
_memcmp.LIBCMT ref: 0027BC11
_memcmp.LIBCMT ref: 0027BC2B
_memcmp.LIBCMT ref: 0027BC3E
_memcmp.LIBCMT ref: 0027BC56
_memcmp.LIBCMT ref: 0027BC71

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: c64a2642f54afbbdb64ded991baadef9d421bedcb51ceacace65402a9a322514
Instruction ID: ca1e1c2f27d72315d37692806f42b3362a78b0ced533bd67549fdfb11603481b
Opcode Fuzzy Hash: c64a2642f54afbbdb64ded991baadef9d421bedcb51ceacace65402a9a322514
Instruction Fuzzy Hash: 1621C261631306BBA20A6A11DD42FFB775C9E1138CF08C026FD0896647EB74DE3586A1

Function 0028EB23 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00229837: __itow.LIBCMT ref: 00229862
Part of subcall function 00229837: __swprintf.LIBCMT ref: 002298AC

Part of subcall function 0023FC86: _wcscpy.LIBCMT ref: 0023FCA9

_wcstok.LIBCMT ref: 0028EC94
_wcscpy.LIBCMT ref: 0028ED23
_memset.LIBCMT ref: 0028ED56

Strings

X, xrefs: 0028ED93

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 0b5ce7bd7fab814bdc1cc672b0201acb1abf23643c040ab89ecaac03e81ad045
Instruction ID: e942350a1c3f1304b3369417182f58baba7241b221b4a5a5b6fe4027adce006c
Opcode Fuzzy Hash: 0b5ce7bd7fab814bdc1cc672b0201acb1abf23643c040ab89ecaac03e81ad045
Instruction Fuzzy Hash: 44C1A135528311AFCB14EF64D881A5AB7E4FF85314F01492DF8999B2A2DB70EC65CF82

Function 00296B03 Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00296C00
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00296C21
WSAGetLastError.WSOCK32(00000000), ref: 00296C34
htons.WSOCK32(?,?,?,00000000,?), ref: 00296CEA
inet_ntoa.WSOCK32(?), ref: 00296CA7

Part of subcall function 0027A7E9: _strlen.LIBCMT ref: 0027A7F3
Part of subcall function 0027A7E9: _memmove.LIBCMT ref: 0027A815

_strlen.LIBCMT ref: 00296D44
_memmove.LIBCMT ref: 00296DAD

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: 54b588d6f7a4d00af37d422a2451c2a5581deac18ccd7d0cd17749f73ca0cb35
Instruction ID: f7e0e45e66f28ee5fc38829f3293edb86c8e21a4d7f442bd59a7c677a87ba150
Opcode Fuzzy Hash: 54b588d6f7a4d00af37d422a2451c2a5581deac18ccd7d0cd17749f73ca0cb35
Instruction Fuzzy Hash: 2F81F171224310BBCB10EF64DC9AE6BB7E8AF84718F10491CF9559B2D2DA70DD64CBA1

Function 00221424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 438b21c06bc1d1560bf49af4c7f60be7d2314ecf85ac9c193b2628a54680692d
Instruction ID: 9e643ca3610333132ad9a073f89661d370fcc8ad7cd125c9b305332068a599a1
Opcode Fuzzy Hash: 438b21c06bc1d1560bf49af4c7f60be7d2314ecf85ac9c193b2628a54680692d
Instruction Fuzzy Hash: 21716831910119FFCB059F98DC48EAEBB79FF89310F108159F919AA291C734AA21CFA4

Function 002AB351 Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(01844C38), ref: 002AB3EB
IsWindowEnabled.USER32(01844C38), ref: 002AB3F7
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 002AB4DB
SendMessageW.USER32(01844C38,000000B0,?,?), ref: 002AB512
IsDlgButtonChecked.USER32(?,?), ref: 002AB54F
GetWindowLongW.USER32(01844C38,000000EC), ref: 002AB571
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 002AB589

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 095ec0375b5a97ef3fcbcc17cab0dd7c82f2f0676f0569701a879bba0903a699
Instruction ID: 2392436df5abf2a99c356ed72efe8a40a4ff9bd5f086e525f9af1ec96cb9e302
Opcode Fuzzy Hash: 095ec0375b5a97ef3fcbcc17cab0dd7c82f2f0676f0569701a879bba0903a699
Instruction Fuzzy Hash: 5271A238620605EFDF229F54C8A4FBABBB9FF0B300F144059EA5597263CB75A860DB50

Function 0029F41E Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0029F448
_memset.LIBCMT ref: 0029F511
ShellExecuteExW.SHELL32(?), ref: 0029F556

Part of subcall function 00229837: __itow.LIBCMT ref: 00229862
Part of subcall function 00229837: __swprintf.LIBCMT ref: 002298AC

Part of subcall function 0023FC86: _wcscpy.LIBCMT ref: 0023FCA9

GetProcessId.KERNEL32(00000000), ref: 0029F5CD
CloseHandle.KERNEL32(00000000), ref: 0029F5FC

Strings

@, xrefs: 0029F525

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 5a4a1978223e7b9cd37e8c6ac056c1a3afdf7d2ba9712f61c2d74d55ad0a807b
Instruction ID: af55a446c48d0a7c6f3e3afde3d3b3dd29b2b4a25efc840b3367957034b7cd3c
Opcode Fuzzy Hash: 5a4a1978223e7b9cd37e8c6ac056c1a3afdf7d2ba9712f61c2d74d55ad0a807b
Instruction Fuzzy Hash: 1B61AC75A106299FCF44DFA4D5819AEBBB4FF49310F148069E815AB351CB30ADA1CF80

Function 00280F4D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00280F8C
GetKeyboardState.USER32(?), ref: 00280FA1
SetKeyboardState.USER32(?), ref: 00281002
PostMessageW.USER32(?,00000101,00000010,?), ref: 00281030
PostMessageW.USER32(?,00000101,00000011,?), ref: 0028104F
PostMessageW.USER32(?,00000101,00000012,?), ref: 00281095
PostMessageW.USER32(?,00000101,0000005B,?), ref: 002810B8

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 661df2079bbbb681ab7085665afe60721c24e5d0d65f5e84b2a31749bb5183dd
Instruction ID: 92106e89563669fc6ef41ff8336c181c9ff25bd97b72da487f9260a6d3f803c1
Opcode Fuzzy Hash: 661df2079bbbb681ab7085665afe60721c24e5d0d65f5e84b2a31749bb5183dd
Instruction Fuzzy Hash: 7E5125645257D23DFB326A348C49BB6BFAD5B06300F088589E6D8858C3C6D8ECFAD751

Function 00280D66 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00280DA5
GetKeyboardState.USER32(?), ref: 00280DBA
SetKeyboardState.USER32(?), ref: 00280E1B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00280E47
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00280E64
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00280EA8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00280EC9

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 330ff6311d99f3d8d59cdf406526843bd429dfc1aa0c4e93488952d409d30dc3
Instruction ID: 758c2aafb28c0bc3ac0e694f532d38268b3e873488a86254fb1a81c44df95718
Opcode Fuzzy Hash: 330ff6311d99f3d8d59cdf406526843bd429dfc1aa0c4e93488952d409d30dc3
Instruction Fuzzy Hash: 3E5128A45267D63EFB726B748C85B7B7F999B06300F088889E1D4468C2C795ACBCD750

Function 002855FD Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0028560A
_wcsncpy.LIBCMT ref: 0028563F
_wcsncpy.LIBCMT ref: 00285671
_wcsncpy.LIBCMT ref: 002856A4
_wcsncpy.LIBCMT ref: 002856E6
_wcsncpy.LIBCMT ref: 00285720
_wcsncpy.LIBCMT ref: 0028574F

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: b2e901759f754a861baf5381f37cb8d1db01da6e96bee703ceb197e3618d9af3
Instruction ID: 89cd945460090553b29993289e94377cef6c3a30c16f06a1693a6db5b4543b4c
Opcode Fuzzy Hash: b2e901759f754a861baf5381f37cb8d1db01da6e96bee703ceb197e3618d9af3
Instruction Fuzzy Hash: D6419265C21614B6CB19FBF48846ACFB3BC9F04310F908956F509E3261FA34A775CBA6

Function 0027D56C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0027D5D4
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0027D60A
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0027D61B
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0027D69D

Strings

DllGetClassObject, xrefs: 0027D610
,,+, xrefs: 0027D578

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: ,,+$DllGetClassObject
API String ID: 753597075-2070356415
Opcode ID: 3b18a4bfcac211cec4849657e2478fa98e8fd86ccba6bc0ec911aeddcf1548fd
Instruction ID: 3ce47a1b5f4719a39a365634518ee0668f16bad393d2ae772d46b2cb60b60085
Opcode Fuzzy Hash: 3b18a4bfcac211cec4849657e2478fa98e8fd86ccba6bc0ec911aeddcf1548fd
Instruction Fuzzy Hash: F541ACB1620205EFDB04DF64D884A9ABBB9EF84310F15C1ADAC0D9F205DBB0DD64CBA0

Function 00283671 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0028466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00283697,?), ref: 0028468B

Part of subcall function 0028466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00283697,?), ref: 002846A4

lstrcmpiW.KERNEL32(?,?), ref: 002836B7
_wcscmp.LIBCMT ref: 002836D3
MoveFileW.KERNEL32(?,?), ref: 002836EB
_wcscat.LIBCMT ref: 00283733
SHFileOperationW.SHELL32(?), ref: 0028379F

Strings

\*.*, xrefs: 0028372D

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: eef2719497be8fcf637f9819cae3f630fdda7c4415710527a4db45d4b0645e24
Instruction ID: 9b58d56c1f8bcfaa9257a768907a475295414d8f93db160079e69ba462f86349
Opcode Fuzzy Hash: eef2719497be8fcf637f9819cae3f630fdda7c4415710527a4db45d4b0645e24
Instruction Fuzzy Hash: FE41ED75119345AEC756FF64C441ADFB7ECAF89780F00082EF08AC3291EA34D2A9CB56

Function 002A7291 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002A72AA
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 002A7351
IsMenu.USER32(?), ref: 002A7369
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 002A73B1
DrawMenuBar.USER32 ref: 002A73C4

Strings

0, xrefs: 002A729E

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: d53bb2df44fc3dfe8576dc4147140afa2be2e1f7b784bed9f986adc7ceff6a39
Instruction ID: 5beb8f805d3c85b267d8e20bf7050a8900530d31bc54535929bca7085514ea3b
Opcode Fuzzy Hash: d53bb2df44fc3dfe8576dc4147140afa2be2e1f7b784bed9f986adc7ceff6a39
Instruction Fuzzy Hash: D4412575A14209EFDF20DF90E884AAABBB8FF06314F158469FD05AB250DB30AD64DF50

Function 002A0FA5 Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 002A0FD4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 002A0FFE
FreeLibrary.KERNEL32(00000000), ref: 002A10B5

Part of subcall function 002A0FA5: RegCloseKey.ADVAPI32(?), ref: 002A101B
Part of subcall function 002A0FA5: FreeLibrary.KERNEL32(?), ref: 002A106D
Part of subcall function 002A0FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 002A1090

RegDeleteKeyW.ADVAPI32(?,?), ref: 002A1058

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 1d7cbaefbaa80d4ff1587a9138dc4eb58b1fc37dab1f3838b1cf911e651039c4
Instruction ID: e95b97feb6e71976e94bd78c2ea657600c581b281d64d5b44dd285685f8de771
Opcode Fuzzy Hash: 1d7cbaefbaa80d4ff1587a9138dc4eb58b1fc37dab1f3838b1cf911e651039c4
Instruction Fuzzy Hash: AF312D71910109BFDB15DF90ED89EFFB7BCEF09310F00016AE905E2151EE749E999AA0

Function 002A62CD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 002A62EC
GetWindowLongW.USER32(01844C38,000000F0), ref: 002A631F
GetWindowLongW.USER32(01844C38,000000F0), ref: 002A6354
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 002A6386
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 002A63B0
GetWindowLongW.USER32(00000000,000000F0), ref: 002A63C1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 002A63DB

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 8b3e7fdc47757bab45ccd7dbbb41350899323d876dabcf2b98295d66875e893c
Instruction ID: e50bca71f64cf38faf624131f28504ce44281fb263b63f0cce244e24e1bf359b
Opcode Fuzzy Hash: 8b3e7fdc47757bab45ccd7dbbb41350899323d876dabcf2b98295d66875e893c
Instruction Fuzzy Hash: 2A310F34660291EFDB20CF58EC88F5537E5FB4AB14F1901A4FA118F2B2CB61AC919B50

Function 0027DAEB Relevance: 10.6, APIs: 7, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0027DB2E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0027DB54
SysAllocString.OLEAUT32(00000000), ref: 0027DB57
SysAllocString.OLEAUT32(?), ref: 0027DB75
SysFreeString.OLEAUT32(?), ref: 0027DB7E
StringFromGUID2.OLE32(?,?,00000028), ref: 0027DBA3
SysAllocString.OLEAUT32(?), ref: 0027DBB1

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: c2d6707420958b951c129c83ea0327daf149448bf52024cd1cba81b8d4930d2b
Instruction ID: 5b0425cee8e76013fe29364ff2c7bc796dece0fa3bd2cb6682df3fbf0d4a5b46
Opcode Fuzzy Hash: c2d6707420958b951c129c83ea0327daf149448bf52024cd1cba81b8d4930d2b
Instruction Fuzzy Hash: BB219236610219AFDF10DFB8DC88CBB73BCEF09364B018525FA18DB250DA749C5587A4

Function 00296173 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00297D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00297DB6

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 002961C6
WSAGetLastError.WSOCK32(00000000), ref: 002961D5
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 0029620E
connect.WSOCK32(00000000,?,00000010), ref: 00296217
WSAGetLastError.WSOCK32 ref: 00296221
closesocket.WSOCK32(00000000), ref: 0029624A
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00296263

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 84b173151dcae845721e2ad7f6af2b29f3b5d5a31b6866d004fbf0aad2fb286c
Instruction ID: 04b963380de5b07eb78b63bfa96d19dc433f9d1b0b86a3f3df5e3ea1a7ce549d
Opcode Fuzzy Hash: 84b173151dcae845721e2ad7f6af2b29f3b5d5a31b6866d004fbf0aad2fb286c
Instruction Fuzzy Hash: EE31A131620118AFDF10AFA4DC89BBE77E9EB45750F044029FD09A7291DB74AC549BA1

Function 0027F65E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0027F671
__wcsnicmp.LIBCMT ref: 0027F692
__wcsnicmp.LIBCMT ref: 0027F6AC

Strings

#notrayicon, xrefs: 0027F669
#requireadmin, xrefs: 0027F68C
#OnAutoItStartRegister, xrefs: 0027F6A6

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: 94e1bbce738c3154d07348d89f7b3c41efb708a7533ef39e63fd405530d6fba8
Instruction ID: bdef814554d3803e08825ef2e4e02abd12d61d658e504ec968b0bd2dd341133f
Opcode Fuzzy Hash: 94e1bbce738c3154d07348d89f7b3c41efb708a7533ef39e63fd405530d6fba8
Instruction Fuzzy Hash: FC214C72238212A6D238EA34AE03EA7B3DCDF55340F10C439F55A87051EBB19D75D795

Function 0027DBC4 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0027DC09
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0027DC2F
SysAllocString.OLEAUT32(00000000), ref: 0027DC32
SysAllocString.OLEAUT32 ref: 0027DC53
SysFreeString.OLEAUT32 ref: 0027DC5C
StringFromGUID2.OLE32(?,?,00000028), ref: 0027DC76
SysAllocString.OLEAUT32(?), ref: 0027DC84

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: ed6a24fba3f2c67c049a7a0cc9824402fd70abac5e4e903dd6d3afc8b2099446
Instruction ID: 3e7c152d758493247923c77fe6cd8e597d2ae3379a9173490d31ea44d4bcb01e
Opcode Fuzzy Hash: ed6a24fba3f2c67c049a7a0cc9824402fd70abac5e4e903dd6d3afc8b2099446
Instruction Fuzzy Hash: 8E213035614205AF9B109FF8DD89DAB77BCEF09360B10C12AFA18CB261DAB4DC51CB64

Function 002A75CD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00221D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00221D73
Part of subcall function 00221D35: GetStockObject.GDI32(00000011), ref: 00221D87
Part of subcall function 00221D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00221D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 002A7632
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 002A763F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 002A764A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 002A7659
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 002A7665

Strings

Msctls_Progress32, xrefs: 002A7603

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 5f9ad7c62ac237aebf79e1d9159b570783211bc8c2fd127bfbcf7dca78934a67
Instruction ID: 456910cac094854fadc81fa4ca033086d84400182c39123d3c866b990ba6213b
Opcode Fuzzy Hash: 5f9ad7c62ac237aebf79e1d9159b570783211bc8c2fd127bfbcf7dca78934a67
Instruction Fuzzy Hash: 4711C4B2160219BFEF118F64CC85EE77F6DEF09798F014115BA04A60A0CB729C31DBA4

Function 00249AE6 Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 00249AE6

Part of subcall function 00243187: EncodePointer.KERNEL32(00000000), ref: 0024318A
Part of subcall function 00243187: __initp_misc_winsig.LIBCMT ref: 002431A5
Part of subcall function 00243187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00249EA0
Part of subcall function 00243187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00249EB4
Part of subcall function 00243187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00249EC7
Part of subcall function 00243187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00249EDA
Part of subcall function 00243187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00249EED
Part of subcall function 00243187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00249F00
Part of subcall function 00243187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00249F13
Part of subcall function 00243187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00249F26
Part of subcall function 00243187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00249F39
Part of subcall function 00243187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00249F4C
Part of subcall function 00243187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00249F5F
Part of subcall function 00243187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00249F72
Part of subcall function 00243187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00249F85
Part of subcall function 00243187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00249F98
Part of subcall function 00243187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00249FAB
Part of subcall function 00243187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00249FBE

__mtinitlocks.LIBCMT ref: 00249AEB
__mtterm.LIBCMT ref: 00249AF4

Part of subcall function 00249B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00249AF9,00247CD0,002DA0B8,00000014), ref: 00249C56
Part of subcall function 00249B5C: _free.LIBCMT ref: 00249C5D
Part of subcall function 00249B5C: DeleteCriticalSection.KERNEL32(02.,?,?,00249AF9,00247CD0,002DA0B8,00000014), ref: 00249C7F

__calloc_crt.LIBCMT ref: 00249B19
__initptd.LIBCMT ref: 00249B3B
GetCurrentThreadId.KERNEL32 ref: 00249B42

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: 6f0e51445a71efe5f41b3f6f3f03ee8bdf0bb60cc8994b6d11a8be9507561e3e
Instruction ID: 862b0bcc5e6aac6b34320d52c34e50b38daa96f9f080a4643bdbbf2f754f4b27
Opcode Fuzzy Hash: 6f0e51445a71efe5f41b3f6f3f03ee8bdf0bb60cc8994b6d11a8be9507561e3e
Instruction Fuzzy Hash: EFF0963293A7229AEB3CBB747C0768B27D4DF02738F20061AF464C50D2FF5088E149A0

Function 002AB635 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002AB644
_memset.LIBCMT ref: 002AB653
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,002E6F20,002E6F64), ref: 002AB682
CloseHandle.KERNEL32 ref: 002AB694

Strings

o., xrefs: 002AB63E
do., xrefs: 002AB64D

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID: o.$do.
API String ID: 3277943733-2344610618
Opcode ID: 082066e7a76a4053cf3ed0fdb0cfaed3858de6a7cb1950075439a6ec4d60daff
Instruction ID: 699b518c9d44a7195a25f56b15f791ecc7f0b3ad0f2a5bc065fc43fd90cad35f
Opcode Fuzzy Hash: 082066e7a76a4053cf3ed0fdb0cfaed3858de6a7cb1950075439a6ec4d60daff
Instruction Fuzzy Hash: DEF054B1590380BBE71027617C4DF7B3A5CEB197D5F404060BA09D9992D7754C108BA8

Function 0024406B Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00243F85), ref: 00244085
GetProcAddress.KERNEL32(00000000), ref: 0024408C
EncodePointer.KERNEL32(00000000), ref: 00244097
DecodePointer.KERNEL32(00243F85), ref: 002440B2

Strings

RoUninitialize, xrefs: 00244074
combase.dll, xrefs: 00244080

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 1413b1333f7ce81de503d3b0db8795ed3e9335fb34dc7ea80420fc155944c468
Instruction ID: 1055f3c8390cf86435eee11eb259417304d3ffa96e17a8ad3dd3cd632b73accb
Opcode Fuzzy Hash: 1413b1333f7ce81de503d3b0db8795ed3e9335fb34dc7ea80420fc155944c468
Instruction Fuzzy Hash: D5E04F70590341EFDB54EFA2FD4CB413AE4B701743F00046CF105EA0A0CFBA4214CA10

Function 002864B8 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0028660B
_memmove.LIBCMT ref: 00286546

Part of subcall function 00229837: __itow.LIBCMT ref: 00229862
Part of subcall function 00229837: __swprintf.LIBCMT ref: 002298AC

_memmove.LIBCMT ref: 002865B9
_memmove.LIBCMT ref: 002866A0
_memmove.LIBCMT ref: 002866B9
_memmove.LIBCMT ref: 002866D5

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: d8df0fb3e78593c115222af8b93de24b2260ab7f60eb3aa8ad62c9fb0218b0f9
Instruction ID: 9067f6be4861cb5c7c82d8fbdfb356df1337cda2edc473977192c7d1c3e31e4c
Opcode Fuzzy Hash: d8df0fb3e78593c115222af8b93de24b2260ab7f60eb3aa8ad62c9fb0218b0f9
Instruction Fuzzy Hash: FF619D3492026AABCF15FFA0CC85EFE37A9AF05308F044519F9555B292EB3898A5CF51

Function 002A01E4 Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00227DE1: _memmove.LIBCMT ref: 00227E22

Part of subcall function 002A0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0029FDAD,?,?), ref: 002A0E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 002A02BD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 002A02FD
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 002A0320
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 002A0349
RegCloseKey.ADVAPI32(?,?,00000000), ref: 002A038C
RegCloseKey.ADVAPI32(00000000), ref: 002A0399

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: ec776ea30eb59580e9f6a42cd87bf9d513e10665ebd581c46060302d3dd0b021
Instruction ID: 98b4f62dd8f2c3c3cce26c2683e266d9022acbe937933d1b25a767786e85c86f
Opcode Fuzzy Hash: ec776ea30eb59580e9f6a42cd87bf9d513e10665ebd581c46060302d3dd0b021
Instruction Fuzzy Hash: 3E513971128201AFCB14EF64D885E6ABBE8FF86314F04491DF9458B2A1DB31E965CF52

Function 002A5799 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 002A57FB
GetMenuItemCount.USER32(00000000), ref: 002A5832
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 002A585A
GetMenuItemID.USER32(?,?), ref: 002A58C9
GetSubMenu.USER32(?,?), ref: 002A58D7
PostMessageW.USER32(?,00000111,?,00000000), ref: 002A5928

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 7a464a83ec85d2990d81680d6783d91c2977de8c0be7adc35304c010fab841d7
Instruction ID: 8e75059a27c79efde69f4e70b0c4c093a0d871b82d1e1c02bf5a2764056067de
Opcode Fuzzy Hash: 7a464a83ec85d2990d81680d6783d91c2977de8c0be7adc35304c010fab841d7
Instruction Fuzzy Hash: FC517B35E10626EFCF05EFA4C845AAEB7B4EF49720F104069E811BB351CB74AE918F90

Function 0027EEEC Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0027EF06
VariantClear.OLEAUT32(00000013), ref: 0027EF78
VariantClear.OLEAUT32(00000000), ref: 0027EFD3
_memmove.LIBCMT ref: 0027EFFD
VariantClear.OLEAUT32(?), ref: 0027F04A
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0027F078

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 9fb3ff9255bdd5cd8b8e62d4615daaa5889fd87b95156c671d79ba78663e637b
Instruction ID: 8bf44059586fd292fcc5cc417f8e3553f4a61808a15bbe7c759376eecddb109a
Opcode Fuzzy Hash: 9fb3ff9255bdd5cd8b8e62d4615daaa5889fd87b95156c671d79ba78663e637b
Instruction Fuzzy Hash: 11517AB5A10209EFDB14CF58C884AAAB7B8FF4D314B158569EE49DB305E734E911CFA0

Function 0028220A Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00282258
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 002822A3
IsMenu.USER32(00000000), ref: 002822C3
CreatePopupMenu.USER32 ref: 002822F7
GetMenuItemCount.USER32(000000FF), ref: 00282355
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00282386

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 7724d241987d0eed300915ce9b7c87613f8d2e3613e93c7265575c00dbf9ec8d
Instruction ID: 0b95163bc4c30c1952aa470f011f9dc9ece88572110268bcadbbe02605296cf4
Opcode Fuzzy Hash: 7724d241987d0eed300915ce9b7c87613f8d2e3613e93c7265575c00dbf9ec8d
Instruction Fuzzy Hash: 3351E274A1220ADFCF21EF64D998BADBBF4FF45314F1441A9E811A72D0D7788928CB11

Function 00221765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00222612: GetWindowLongW.USER32(?,000000EB), ref: 00222623

BeginPaint.USER32(?,?,?,?,?,?), ref: 0022179A
GetWindowRect.USER32(?,?), ref: 002217FE
ScreenToClient.USER32(?,?), ref: 0022181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0022182C
EndPaint.USER32(?,?), ref: 00221876

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: fddf790f43e5082521c32555ff61d31c44f5db65e8453f0315efe2fa0e99e21c
Instruction ID: d888fa6bac2106b276f9d878e69c3e81b65ccb08fd69aaaa84df25c003624ccc
Opcode Fuzzy Hash: fddf790f43e5082521c32555ff61d31c44f5db65e8453f0315efe2fa0e99e21c
Instruction Fuzzy Hash: BA41E230120761EFD711DF64ECC8FB67BE8EB56724F040268F9A48B2A1C7709865CB62

Function 002AB69E Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(002E57B0,00000000,01844C38,?,?,002E57B0,?,002AB5A8,?,?), ref: 002AB712
EnableWindow.USER32(00000000,00000000), ref: 002AB736
ShowWindow.USER32(002E57B0,00000000,01844C38,?,?,002E57B0,?,002AB5A8,?,?), ref: 002AB796
ShowWindow.USER32(00000000,00000004,?,002AB5A8,?,?), ref: 002AB7A8
EnableWindow.USER32(00000000,00000001), ref: 002AB7CC
SendMessageW.USER32(?,0000130C,?,00000000), ref: 002AB7EF

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 8c02bf25ac2c83d45791764a73838ee87cbc6353be2a6e1b817dbd2f6d051c19
Instruction ID: 1f43b9114f4943b971e3b4bb5b5b9dc921ad81abba8be0ac5e3eb90473ae5c3c
Opcode Fuzzy Hash: 8c02bf25ac2c83d45791764a73838ee87cbc6353be2a6e1b817dbd2f6d051c19
Instruction Fuzzy Hash: 0F417135640241AFDB22CF24D999B94BBE1FF46710F1841B9E9488F6A3CB71AC66CB50

Function 0029709E Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00294E41,?,?,00000000,00000001), ref: 002970AC

Part of subcall function 002939A0: GetWindowRect.USER32(?,?), ref: 002939B3

GetDesktopWindow.USER32 ref: 002970D6
GetWindowRect.USER32(00000000), ref: 002970DD
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 0029710F

Part of subcall function 00285244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 002852BC

GetCursorPos.USER32(?), ref: 0029713B
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00297199

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: b077d37d85ef32877bec2960ef978cb4fa0bbcd8e8c18643be9a3e4087b3dcd0
Instruction ID: b03485c6dcd929aa86ad732a5bd850b2ed0b12ebc2a36bcf7b3e6af52b54628b
Opcode Fuzzy Hash: b077d37d85ef32877bec2960ef978cb4fa0bbcd8e8c18643be9a3e4087b3dcd0
Instruction Fuzzy Hash: 9A313432519306ABCB20DF54DC49F9BB7E9FF89310F000919F88897181CB34EA18CB92

Function 00278879 Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 002780A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 002780C0
Part of subcall function 002780A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 002780CA
Part of subcall function 002780A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 002780D9
Part of subcall function 002780A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 002780E0
Part of subcall function 002780A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 002780F6

GetLengthSid.ADVAPI32(?,00000000,0027842F), ref: 002788CA
GetProcessHeap.KERNEL32(00000008,00000000), ref: 002788D6
HeapAlloc.KERNEL32(00000000), ref: 002788DD
CopySid.ADVAPI32(00000000,00000000,?), ref: 002788F6
GetProcessHeap.KERNEL32(00000000,00000000,0027842F), ref: 0027890A
HeapFree.KERNEL32(00000000), ref: 00278911

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: b145f48e2f2bb08f5151a95a075c084eceb2057daeefa8b8f061936e0dc41274
Instruction ID: 43b557aed247605f5d31bfd6a5bfeb9340041308421c1e1d041a6bc2cec21eab
Opcode Fuzzy Hash: b145f48e2f2bb08f5151a95a075c084eceb2057daeefa8b8f061936e0dc41274
Instruction Fuzzy Hash: 4911B13166120AFFDB109FA4DD0DBBE7B68EB45311F108028E98997210CB369D20DB61

Function 002785B1 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 002785E2
OpenProcessToken.ADVAPI32(00000000), ref: 002785E9
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 002785F8
CloseHandle.KERNEL32(00000004), ref: 00278603
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00278632
DestroyEnvironmentBlock.USERENV(00000000), ref: 00278646

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: bd65318bedb046a392f7e464627c9da48c8885b30cd8f642d46822821cd9c7c0
Instruction ID: 37dcc42a962854e33731f31d024348072780ebf9c8980ba017d2fa4c138b0a35
Opcode Fuzzy Hash: bd65318bedb046a392f7e464627c9da48c8885b30cd8f642d46822821cd9c7c0
Instruction Fuzzy Hash: 0B115C7254124AABDF018FA4ED4DBEE7BA9EF09304F048064FE04A2160CB758D60DB60

Function 0027B790 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0027B7B5
GetDeviceCaps.GDI32(00000000,00000058), ref: 0027B7C6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0027B7CD
ReleaseDC.USER32(00000000,00000000), ref: 0027B7D5
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0027B7EC
MulDiv.KERNEL32(000009EC,?,?), ref: 0027B7FE

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 56ba1ce6d9850721900a8dc773846ec6bc55bd3894e98eb7e556bfcbf99aef97
Instruction ID: 7f1788ee85ac5fab4bc27082ccd28e912cb67261576379ce70619c52686cef7e
Opcode Fuzzy Hash: 56ba1ce6d9850721900a8dc773846ec6bc55bd3894e98eb7e556bfcbf99aef97
Instruction Fuzzy Hash: 52018475E00309BBEB109FE69D49B5EBFB8EB49711F008075FA08A7291DA749C10CF90

Function 00240162 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00240193
MapVirtualKeyW.USER32(00000010,00000000), ref: 0024019B
MapVirtualKeyW.USER32(000000A0,00000000), ref: 002401A6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 002401B1
MapVirtualKeyW.USER32(00000011,00000000), ref: 002401B9
MapVirtualKeyW.USER32(00000012,00000000), ref: 002401C1

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 3448ea43650c14ee627b6924aaba1868e30041157131772cb18e62501c6f9f0d
Instruction ID: a3ec5f03091ed4a5c5c30b0b4720d1b25519f379ab2c1ba95de9e19088de3701
Opcode Fuzzy Hash: 3448ea43650c14ee627b6924aaba1868e30041157131772cb18e62501c6f9f0d
Instruction Fuzzy Hash: 8D016CB09017597DE3008F5A8C85B52FFA8FF19754F00411BA15C47941C7F5A864CFE5

Function 002853E9 Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 002853F9
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0028540F
GetWindowThreadProcessId.USER32(?,?), ref: 0028541E
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0028542D
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00285437
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0028543E

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 6023ea1356b43582d314992b76e7b071ad7f3e8528f8c7005089d1c3a0520ff7
Instruction ID: 91e26b1c8213a8faa150e8396fa5faf232d47f344393fca7448719c8aeb58ced
Opcode Fuzzy Hash: 6023ea1356b43582d314992b76e7b071ad7f3e8528f8c7005089d1c3a0520ff7
Instruction Fuzzy Hash: A2F06D32241158BBE7605BE2ED0DEAB7A7CEBC7B11F000169FA14D10909AA81A0186B5

Function 00287230 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00287243
EnterCriticalSection.KERNEL32(?,?,00230EE4,?,?), ref: 00287254
TerminateThread.KERNEL32(00000000,000001F6,?,00230EE4,?,?), ref: 00287261
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00230EE4,?,?), ref: 0028726E

Part of subcall function 00286C35: CloseHandle.KERNEL32(00000000,?,0028727B,?,00230EE4,?,?), ref: 00286C3F

InterlockedExchange.KERNEL32(?,000001F6), ref: 00287281
LeaveCriticalSection.KERNEL32(?,?,00230EE4,?,?), ref: 00287288

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: b859d2c3617705a7e03f748e3d3b7784fcb8fe0dc74c28dc68fe0b9df1377368
Instruction ID: 512778871a7bdbe199876ef82b7e3eff10dd8a76a5a4cbbe9ee26f25d95fe0c2
Opcode Fuzzy Hash: b859d2c3617705a7e03f748e3d3b7784fcb8fe0dc74c28dc68fe0b9df1377368
Instruction Fuzzy Hash: 2BF05E3A541612EBD7A22FA4FE4CAEA7729EF46702B140532F903910A4DF7A5811CB50

Function 00278992 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0027899D
UnloadUserProfile.USERENV(?,?), ref: 002789A9
CloseHandle.KERNEL32(?), ref: 002789B2
CloseHandle.KERNEL32(?), ref: 002789BA
GetProcessHeap.KERNEL32(00000000,?), ref: 002789C3
HeapFree.KERNEL32(00000000), ref: 002789CA

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 21c6f92b3dc9cf5cd186ab64d0dbebc86cf2395a7ba424d49dbcdf2e45fc2580
Instruction ID: 34e8515ff98b671708850325f9feca248b8d5f0146d2269e19d72bdc30dd85d0
Opcode Fuzzy Hash: 21c6f92b3dc9cf5cd186ab64d0dbebc86cf2395a7ba424d49dbcdf2e45fc2580
Instruction Fuzzy Hash: 50E05276104505FFDB811FE5FE0C95ABB69FB8A762B508631F21981470CF3A9461DB50

Function 00277530 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,002B2C7C,?), ref: 002776EA
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,002B2C7C,?), ref: 00277702
CLSIDFromProgID.OLE32(?,?,00000000,002AFB80,000000FF,?,00000000,00000800,00000000,?,002B2C7C,?), ref: 00277727
_memcmp.LIBCMT ref: 00277748

Strings

,,+, xrefs: 0027753D

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID: ,,+
API String ID: 314563124-1536947320
Opcode ID: 3fe1f61ca4707fd988627cb0e380faa4e284fc443c0cd8d83b599a00d0c84ee8
Instruction ID: f8553c0c9bcaca968ac95a621b00c0bc5b513eb1f6dc8dd7d3f5319ff8d0dd35
Opcode Fuzzy Hash: 3fe1f61ca4707fd988627cb0e380faa4e284fc443c0cd8d83b599a00d0c84ee8
Instruction Fuzzy Hash: 21811D75A1010AEFCB04DFE4C984EEEB7B9FF89315F208558E505AB250DB71AE46CB60

Function 002985ED Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00298613
CharUpperBuffW.USER32(?,?), ref: 00298722
VariantClear.OLEAUT32(?), ref: 0029889A

Part of subcall function 00287562: VariantInit.OLEAUT32(00000000), ref: 002875A2
Part of subcall function 00287562: VariantCopy.OLEAUT32(00000000,?), ref: 002875AB
Part of subcall function 00287562: VariantClear.OLEAUT32(00000000), ref: 002875B7

Strings

Incorrect Parameter format, xrefs: 0029864B, 0029880D
AUTOIT.ERROR, xrefs: 00298728

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 4bc4d78049e9e0f6c88a21c0fed2d0b1bf4a1e59b5361873e1247333713e43db
Instruction ID: f4e4e7a7ce51e6de1d1a824e2796a88afc9f25f9718039f9e43d2c7634e737a3
Opcode Fuzzy Hash: 4bc4d78049e9e0f6c88a21c0fed2d0b1bf4a1e59b5361873e1247333713e43db
Instruction Fuzzy Hash: 02917D746283019FCB10DF64C48495AB7E4FF8A714F18896EF88A8B361DB31E955CF92

Function 00282A96 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0023FC86: _wcscpy.LIBCMT ref: 0023FCA9

_memset.LIBCMT ref: 00282B87
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00282BB6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00282C69
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00282C97

Strings

0, xrefs: 00282B73

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: e6a1207c14726df0c63a8d94093306c2c2ae0af8aaf492feea08090b068769dd
Instruction ID: c6295bbe5c52d44763e6196d4274877c1d12f1da024a23475c1c8d6d50c994cd
Opcode Fuzzy Hash: e6a1207c14726df0c63a8d94093306c2c2ae0af8aaf492feea08090b068769dd
Instruction Fuzzy Hash: AE51D17963A312DAD724EE24D84567F77E8EF45314F040A2EF891D61D0DB70CC688B52

Function 00233137 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 161COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00233277
_memmove.LIBCMT ref: 00233310
_free.LIBCMT ref: 00233336
_memmove.LIBCMT ref: 002333E9

Strings

3c#, xrefs: 00233225
_#, xrefs: 00233322

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: _memmove$_free
String ID: 3c#$_#
API String ID: 2620147621-1894676648
Opcode ID: 184ded42622f58ee5e5536f9150b5fb0331571ee77961a52f11190837d45f21e
Instruction ID: b03529365334941ffed930300b7b0db8e964e7a49b8e7ccb146a962ed4919007
Opcode Fuzzy Hash: 184ded42622f58ee5e5536f9150b5fb0331571ee77961a52f11190837d45f21e
Instruction Fuzzy Hash: DE514CB1A243418FDB25CF28C480B6ABBE5BF85314F44482DE98987351DB31EA65CB42

Function 00236192 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00236248
_memmove.LIBCMT ref: 002362E4
_memset.LIBCMT ref: 00236308

Strings

3c#, xrefs: 002362AF
ERCP, xrefs: 002361B3

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: _memset$_memmove
String ID: 3c#$ERCP
API String ID: 2532777613-311049264
Opcode ID: 47f07c803004f02fe6fc69d67ffdb865f3f34c6e1709f76347b680ffa5732a35
Instruction ID: d2e45160222a0ad5d7949c676ff6983c265438c8c45057505a88ab8f96b0eba7
Opcode Fuzzy Hash: 47f07c803004f02fe6fc69d67ffdb865f3f34c6e1709f76347b680ffa5732a35
Instruction Fuzzy Hash: 155191B1920706EBDB24DF55C8857ABB7E8EF04704F20856EE94ACB241E770A9A4CB40

Function 00282753 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002827C0
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 002827DC
DeleteMenu.USER32(?,00000007,00000000), ref: 00282822
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,002E5890,00000000), ref: 0028286B

Strings

0, xrefs: 002827B5

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: c1fa6384a2707abba3578077958ba55e524c7a0e7033f2ef44a0c025de6ea2fe
Instruction ID: d1f19100114ce619c53c036a9e09e86f93ad81da1250acbb7ad2d5f1d9b5f225
Opcode Fuzzy Hash: c1fa6384a2707abba3578077958ba55e524c7a0e7033f2ef44a0c025de6ea2fe
Instruction Fuzzy Hash: 3C41A274616302EFDB24EF24D848B1ABBE8EF85314F04496EF465972D2D770A819CB62

Function 0029D7A5 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0029D7C5

Part of subcall function 0022784B: _memmove.LIBCMT ref: 00227899

Strings

stdcall, xrefs: 0029D847
winapi, xrefs: 0029D836
cdecl, xrefs: 0029D81C
none, xrefs: 0029D8A0

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: 42044965d4c2a403d087247e0dc928a29d9d623147c6fefd52659ee60fda48b6
Instruction ID: 7efe6cede91fca9891aa52ce31fd9bcac690bcc184092f26120949a725530dc8
Opcode Fuzzy Hash: 42044965d4c2a403d087247e0dc928a29d9d623147c6fefd52659ee60fda48b6
Instruction Fuzzy Hash: 0831C370924226ABCF00DF94C8519BEB3B4FF05320B10866AE865977D2DB71AD65CF80

Function 00278E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00227DE1: _memmove.LIBCMT ref: 00227E22

Part of subcall function 0027AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0027AABC

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00278F14
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00278F27
SendMessageW.USER32(?,00000189,?,00000000), ref: 00278F57

Part of subcall function 00227BCC: _memmove.LIBCMT ref: 00227C06

Strings

ComboBox, xrefs: 00278E9E
ListBox, xrefs: 00278ED3

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: 25d718796327da9e5c263d1043ba0b392d74b2275aa1bd6a414a0274c2b5c010
Instruction ID: 39ef65184bccd638ee374f675167a18a362116ee8257c177d63bf1c051df4eba
Opcode Fuzzy Hash: 25d718796327da9e5c263d1043ba0b392d74b2275aa1bd6a414a0274c2b5c010
Instruction Fuzzy Hash: A5210171A64105BFDB14ABB0DC8ACFFB779DF06320B548129F429972E0DF3948699A60

Function 0029182D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0029184C
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00291872
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 002918A2
InternetCloseHandle.WININET(00000000), ref: 002918E9

Part of subcall function 00292483: GetLastError.KERNEL32(?,?,00291817,00000000,00000000,00000001), ref: 00292498
Part of subcall function 00292483: SetEvent.KERNEL32(?,?,00291817,00000000,00000000,00000001), ref: 002924AD

Strings

, xrefs: 00291893

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 5c11a172e520299737a40eac5b7fdff9c3fb26214d1a9dce9179377a3e53ad12
Instruction ID: 20eaff5eb16983486441fd95b6b72bc8652f08d4db82bf35a11c5447c9635253
Opcode Fuzzy Hash: 5c11a172e520299737a40eac5b7fdff9c3fb26214d1a9dce9179377a3e53ad12
Instruction Fuzzy Hash: AB21B0B5520309BFFB119F61DC85EBF77EDFF49744F10412AF80596140DA649D246BA0

Function 002A63E7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00221D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00221D73
Part of subcall function 00221D35: GetStockObject.GDI32(00000011), ref: 00221D87
Part of subcall function 00221D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00221D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 002A6461
LoadLibraryW.KERNEL32(?), ref: 002A6468
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 002A647D
DestroyWindow.USER32(?), ref: 002A6485

Strings

SysAnimate32, xrefs: 002A643C

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: fd2b19b2bd481c0a0d6035a3818a809290f4568c8cb92f103889376c0b323cad
Instruction ID: 72c4be2af7cdd8acf53e11087dc50b43b7147dc5d502b6b837e6fc08f6c93ff8
Opcode Fuzzy Hash: fd2b19b2bd481c0a0d6035a3818a809290f4568c8cb92f103889376c0b323cad
Instruction Fuzzy Hash: D0219271120206BFEF204FA4EC48EBB77ADEB5A724F184629F91096190DB75DC619B60

Function 00286D9C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00286DBC
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00286DEF
GetStdHandle.KERNEL32(0000000C), ref: 00286E01
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00286E3B

Strings

nul, xrefs: 00286E36

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 612ebfbe63170773701852c9f679291081e4cb4d37e0c3de7957867f415f44d7
Instruction ID: 5cb231ca597ed4787f588216dea7f9a1f6cdee4d790514cd3dd63be64d52a308
Opcode Fuzzy Hash: 612ebfbe63170773701852c9f679291081e4cb4d37e0c3de7957867f415f44d7
Instruction Fuzzy Hash: C221A47961130AABDB20AF69DC0CB9A77F4EF45720F204619FCA1D72D0DB709960CB50

Function 00286E6A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00286E89
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00286EBB
GetStdHandle.KERNEL32(000000F6), ref: 00286ECC
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00286F06

Strings

nul, xrefs: 00286F01

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 77e14b6d1f42eff6b2d92cad05bcb923c517d4d5ea93ed9e6a1fcf79609e9346
Instruction ID: 4b0db0615678f50a8417b7c5aa9f0b223da6703d994bbb00d03884fe2d0c83fe
Opcode Fuzzy Hash: 77e14b6d1f42eff6b2d92cad05bcb923c517d4d5ea93ed9e6a1fcf79609e9346
Instruction Fuzzy Hash: 9D21A47D5113069BDB20AF69DC0CF9A77A8EF45721F200A19FDA1D72D0DB709860CB50

Function 0028AC40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0028AC54
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0028ACA8
__swprintf.LIBCMT ref: 0028ACC1
SetErrorMode.KERNEL32(00000000,00000001,00000000,002AF910), ref: 0028ACFF

Strings

%lu, xrefs: 0028ACBB

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: bf2d8f793cf0b17f642609e56e6e48cf8475cb8dad40a3ed2f13f887019ab420
Instruction ID: fe70afce3e3eae8da4219823e69b7d989d11c434ba37e9ab8f88f9ca0e96c4d2
Opcode Fuzzy Hash: bf2d8f793cf0b17f642609e56e6e48cf8475cb8dad40a3ed2f13f887019ab420
Instruction Fuzzy Hash: 8B218334A10209AFCB10EFA5DD45DAE7BB8FF49714B004069F909DB251DB71EA51CF61

Function 00281142 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0027FCED,?,00280D40,?,00008000), ref: 0028115F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,0027FCED,?,00280D40,?,00008000), ref: 00281184
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0027FCED,?,00280D40,?,00008000), ref: 0028118E
Sleep.KERNEL32(?,?,?,?,?,?,?,0027FCED,?,00280D40,?,00008000), ref: 002811C1

Strings

@(, xrefs: 0028119D

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID: @(
API String ID: 2875609808-264274533
Opcode ID: 474d1f81f575534f86a8b3c5d4a3c874cbef8deab1c0aed8faaac8b756fd4da4
Instruction ID: c031f1ab9cb7732776de65134f6ecd5462988bfb32a579e4cba0715e21190507
Opcode Fuzzy Hash: 474d1f81f575534f86a8b3c5d4a3c874cbef8deab1c0aed8faaac8b756fd4da4
Instruction Fuzzy Hash: 23114C35C11519D7DF00AFA4E94C6EEBB78FF09711F004055EA88B22C0CB7095B1DB91

Function 00281AE8 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00281B19

Strings

APPEND, xrefs: 00281B52
KEYS, xrefs: 00281B30
EXISTS, xrefs: 00281B41
REMOVE, xrefs: 00281B1F

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: a052a00f4bcc34a8d5292705bd3c9249b038fb76b079c4bd817e0321dddd6372
Instruction ID: d1b0792489d43c442d8425b8030e4eaaf556df48b111c8e7d7dad3149ef60225
Opcode Fuzzy Hash: a052a00f4bcc34a8d5292705bd3c9249b038fb76b079c4bd817e0321dddd6372
Instruction Fuzzy Hash: 9F115E749601199FCF04EF94E8918EEB7B8FF26308F5084A5D954A72D2EB325D26CF50

Function 0029EB55 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0029EC07
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0029EC37
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0029ED6A
CloseHandle.KERNEL32(?), ref: 0029EDEB

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 9ec65c7e45d504564638f288a5591f0f3bee29e6dd6c7771687951d4484a8cef
Instruction ID: 83adc6a04910c74fdad4645211cf5798fa4994339224dec288f6fd1d542982c0
Opcode Fuzzy Hash: 9ec65c7e45d504564638f288a5591f0f3bee29e6dd6c7771687951d4484a8cef
Instruction Fuzzy Hash: A9818171610311AFDB64EF68D846F2AB7E5AF48710F04881DF9999B292DAB0EC50CF52

Function 002A0037 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00227DE1: _memmove.LIBCMT ref: 00227E22

Part of subcall function 002A0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0029FDAD,?,?), ref: 002A0E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 002A00FD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 002A013C
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 002A0183
RegCloseKey.ADVAPI32(?,?), ref: 002A01AF
RegCloseKey.ADVAPI32(00000000), ref: 002A01BC

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 80fe9dc8d84431a089fb0f2d493c144d528ab0d72aa876d5b8121072a7de743a
Instruction ID: 9438d4b1874accea3e629f5a43af0eea18072c3994d7e9daea4b65cbb5feb7ba
Opcode Fuzzy Hash: 80fe9dc8d84431a089fb0f2d493c144d528ab0d72aa876d5b8121072a7de743a
Instruction Fuzzy Hash: F7519E71228205AFC714EF98D881EAAB7E8FF85304F40882DF58987291DB31E964CF52

Function 0029D8C8 Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00229837: __itow.LIBCMT ref: 00229862
Part of subcall function 00229837: __swprintf.LIBCMT ref: 002298AC

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0029D927
GetProcAddress.KERNEL32(00000000,?), ref: 0029D9AA
GetProcAddress.KERNEL32(00000000,00000000), ref: 0029D9C6
GetProcAddress.KERNEL32(00000000,?), ref: 0029DA07
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0029DA21

Part of subcall function 00225A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00287896,?,?,00000000), ref: 00225A2C
Part of subcall function 00225A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00287896,?,?,00000000,?,?), ref: 00225A50

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: db3b42b8ab6a5fdf66bb847745cd241d0fc590bcf2556e03a3dc2023a8872989
Instruction ID: 1646c9d9dae5dbbd1b8503f1493d9ed253a27debecfdc319ff8f83aa9d1ac428
Opcode Fuzzy Hash: db3b42b8ab6a5fdf66bb847745cd241d0fc590bcf2556e03a3dc2023a8872989
Instruction Fuzzy Hash: 24512935A10215EFDB00EFA8D4849ADB7B4FF19324B14C065E859AB312DB30ADA5CF91

Function 0028E571 Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0028E61F
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0028E648
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0028E687

Part of subcall function 00229837: __itow.LIBCMT ref: 00229862
Part of subcall function 00229837: __swprintf.LIBCMT ref: 002298AC

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0028E6AC
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0028E6B4

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 7b95b2f5b012958cedf38c2a9c2dc35841afac2d3fbe4cc02e98150a4ab731ef
Instruction ID: 28abf5b6411781523fa34fae87c5d9043fb459f055794d8839e72f28d70b756f
Opcode Fuzzy Hash: 7b95b2f5b012958cedf38c2a9c2dc35841afac2d3fbe4cc02e98150a4ab731ef
Instruction Fuzzy Hash: 85513C35A10115EFCB00EFA4D985AADBBF5EF09314F148099E809AB361DB31ED60CF51

Function 002AA056 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d66d89ba5cacc7aaa3b9ffa112b5529bd6572c526b030a0485cc0dfe57f5316
Instruction ID: 27d7df9acbaa18f1d0666526b1bdbeeb857d88d52daa8b1327f879d6d2e25c72
Opcode Fuzzy Hash: 5d66d89ba5cacc7aaa3b9ffa112b5529bd6572c526b030a0485cc0dfe57f5316
Instruction Fuzzy Hash: D741F235924215BFC720DF68DC89FA9BBA8EF0B310F140165F91AA72E0CF70AD61DA51

Function 00222344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00222357
ScreenToClient.USER32(002E57B0,?), ref: 00222374
GetAsyncKeyState.USER32(00000001), ref: 00222399
GetAsyncKeyState.USER32(00000002), ref: 002223A7

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: ada89b7eacbd6edd72172a42922dcee392a3573906572ed32adcbd6c43e306a2
Instruction ID: 88254579c4e450a1321b24dd3ccda7916ecdd365a54b12ea3d2e330139b67463
Opcode Fuzzy Hash: ada89b7eacbd6edd72172a42922dcee392a3573906572ed32adcbd6c43e306a2
Instruction Fuzzy Hash: 8541A335524216FFCF15DFA8D848AE9BB74FB05320F204355F828A2290CB759968DF90

Function 002763AA Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 002763E7
TranslateAcceleratorW.USER32(?,?,?), ref: 00276433
TranslateMessage.USER32(?), ref: 0027645C
DispatchMessageW.USER32(?), ref: 00276466
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00276475

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: bf2abc5164150603dc84f7eb04e4dc3fb8fa4494146a5b117bd2d04d77eb5421
Instruction ID: 234f4a409c3135cafcf9039160c15418ffb09f730540f9955a22d782def6c2e3
Opcode Fuzzy Hash: bf2abc5164150603dc84f7eb04e4dc3fb8fa4494146a5b117bd2d04d77eb5421
Instruction Fuzzy Hash: E1312B30570A53AFDB74CFB0EC9CBB6BBECAB01304F148165E429C60A0E77894A4DB60

Function 00278A1F Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00278A30
PostMessageW.USER32(?,00000201,00000001), ref: 00278ADA
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00278AE2
PostMessageW.USER32(?,00000202,00000000), ref: 00278AF0
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00278AF8

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: f646dc35f491bd1153252cd6bfcf1e0c9e94496e75a412d0523d10068c4f72d9
Instruction ID: 980aa7c80bcce11427b001d3e8b4c62025720bcc349439ec9490ac5dedeb9799
Opcode Fuzzy Hash: f646dc35f491bd1153252cd6bfcf1e0c9e94496e75a412d0523d10068c4f72d9
Instruction Fuzzy Hash: 5731C07150021AEBDF14CFA8D94CA9E3BB5FB05315F10822AF929E61D0CBB49924DB90

Function 0027B1EC Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0027B204
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0027B221
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0027B259
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0027B27F
_wcsstr.LIBCMT ref: 0027B289

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 1ed0b9c5eac60593fc2988974738f9f4881b2a980db4e5130e8e0ffbfbe8413c
Instruction ID: 131d70a72ef20ec609731ae1516d0c821d49aa0a1f6547106e119a9d83017de0
Opcode Fuzzy Hash: 1ed0b9c5eac60593fc2988974738f9f4881b2a980db4e5130e8e0ffbfbe8413c
Instruction Fuzzy Hash: EF212531225201BBEB169F759C49F7F7B9CDF4A710F008029FC08DA162EF758C6096A0

Function 002AB14B Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00222612: GetWindowLongW.USER32(?,000000EB), ref: 00222623

GetWindowLongW.USER32(?,000000F0), ref: 002AB192
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 002AB1B7
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 002AB1CF
GetSystemMetrics.USER32(00000004), ref: 002AB1F8
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00290E90,00000000), ref: 002AB216

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 40846f242bd66179e7f294fec7292f522af0034341d76214148d37e1633eda96
Instruction ID: bd872972e9de13300a2c3f1e6fc93524f333d91c334f55c3c69d5bc09eeed3cd
Opcode Fuzzy Hash: 40846f242bd66179e7f294fec7292f522af0034341d76214148d37e1633eda96
Instruction Fuzzy Hash: 66218071930662AFCB119F78AC58B6A37A4EB06321F104729BD36D71E1EB309870DB90

Function 00279307 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00279320

Part of subcall function 00227BCC: _memmove.LIBCMT ref: 00227C06

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00279352
__itow.LIBCMT ref: 0027936A
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00279392
__itow.LIBCMT ref: 002793A3

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: 5eeeb60d770c44b619de6a11b02b9b5935b35534c53a2441ff4932e452b8cd48
Instruction ID: 2e8f8f6c4f879296955c7095f8adec5f977a6b4b4ca84abb64cb9b8020ef1e96
Opcode Fuzzy Hash: 5eeeb60d770c44b619de6a11b02b9b5935b35534c53a2441ff4932e452b8cd48
Instruction Fuzzy Hash: 8A212C317253057BDB109FA59C89EEE3BACEB49710F048065FD08D71D0DAB0CDA18B91

Function 00295A4D Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00295A6E
GetForegroundWindow.USER32 ref: 00295A85
GetDC.USER32(00000000), ref: 00295AC1
GetPixel.GDI32(00000000,?,00000003), ref: 00295ACD
ReleaseDC.USER32(00000000,00000003), ref: 00295B08

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 650317b222aab331e116850376419fe9c158c98bfb2f6096f441b904991d8d3e
Instruction ID: 1d09b8e1d48bbb46b50a65cfa6f860802aa9f2fcf70d8d643f912130b9179ea9
Opcode Fuzzy Hash: 650317b222aab331e116850376419fe9c158c98bfb2f6096f441b904991d8d3e
Instruction Fuzzy Hash: 2921A135A10114AFDB14EFA4ED88A9ABBF9EF49310F148079F819D7362CE34AC50CB90

Function 002212F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0022134D
SelectObject.GDI32(?,00000000), ref: 0022135C
BeginPath.GDI32(?), ref: 00221373
SelectObject.GDI32(?,00000000), ref: 0022139C

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: d94682b08b9927a36fad9212c13f1f27e0b26ef631c6522ad6da8eeef8fc9cdd
Instruction ID: eb56b838cec5e21aa1c1d6cdcebdfbd04951bc4370c7dfd08454871b6bda9c27
Opcode Fuzzy Hash: d94682b08b9927a36fad9212c13f1f27e0b26ef631c6522ad6da8eeef8fc9cdd
Instruction Fuzzy Hash: 2221AC30820669EBDB10CFA4FD88B693BE9FB10325F144266F8009A0B0D7B588B1CF80

Function 00284A93 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00284ABA
__beginthreadex.LIBCMT ref: 00284AD8
MessageBoxW.USER32(?,?,?,?), ref: 00284AED
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00284B03
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00284B0A

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: eef54f8c506a2b21dc4aa9025d9c5045a8d32b3fb66832de11fe9b341396a288
Instruction ID: 720423337d3d30f44f031f4262269b99aac05c0637c5258f1d4d6b914dfe5a38
Opcode Fuzzy Hash: eef54f8c506a2b21dc4aa9025d9c5045a8d32b3fb66832de11fe9b341396a288
Instruction Fuzzy Hash: 15118876915655BBCB00AFB8BC0CA9B7FACEB45324F040269FD14C3290D674C81087A0

Function 00278202 Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 0027821E
GetLastError.KERNEL32(?,00277CE2,?,?,?), ref: 00278228
GetProcessHeap.KERNEL32(00000008,?,?,00277CE2,?,?,?), ref: 00278237
HeapAlloc.KERNEL32(00000000,?,00277CE2,?,?,?), ref: 0027823E
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00278255

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 67290a9b033574f7a50665a543f049ce2d90181829a3097ac87d90629a341874
Instruction ID: 99299d19e195b4b788b8390c27ef8a5db6781180c3170fc1da918fd37e938e66
Opcode Fuzzy Hash: 67290a9b033574f7a50665a543f049ce2d90181829a3097ac87d90629a341874
Instruction Fuzzy Hash: 3F014671290245EFDB204FA6ED4CD6B7BACEF8A756B504469F909C2220DE318C10CA60

Function 0027710A Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00277044,80070057,?,?,?,00277455), ref: 00277127
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00277044,80070057,?,?), ref: 00277142
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00277044,80070057,?,?), ref: 00277150
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00277044,80070057,?), ref: 00277160
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00277044,80070057,?,?), ref: 0027716C

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: c0531d629636e3e6ce8781a04e0f0ca7838f0ea276fca2d2b4b16d33bcf68fd4
Instruction ID: 3302ce739f4433f76e63146f371bf163f647f519e7d4448218b7c6eba945bb91
Opcode Fuzzy Hash: c0531d629636e3e6ce8781a04e0f0ca7838f0ea276fca2d2b4b16d33bcf68fd4
Instruction Fuzzy Hash: 3501DF76620205BFDB104FA4ED48BAABBACEF45791F1081B4FD0CD2220DB79DD108BA0

Function 00285244 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00285260
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0028526E
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00285276
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00285280
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 002852BC

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 0241e4c2b2cb03040ba805c45320c616ce0c93d7371f72c8d3b01578a6edaf92
Instruction ID: 6bf87c42aa62df0967b5afd95f5e620a7a0d59d970d791fa684e3d7093b7a020
Opcode Fuzzy Hash: 0241e4c2b2cb03040ba805c45320c616ce0c93d7371f72c8d3b01578a6edaf92
Instruction Fuzzy Hash: 86015735D12A29DBDF00EFE4ED4CAEDBB78BB09311F400166E985B2184CF3459648BA1

Function 0027810A Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00278121
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0027812B
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0027813A
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00278141
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00278157

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: d7abefb8054c0c37de24869b21f7cd549d0e8dec1b286c7dab2af5f599138470
Instruction ID: 61d613296db8fd2c64b41beee496670f54686ff240d8e8eb0af6fa1dd607c20c
Opcode Fuzzy Hash: d7abefb8054c0c37de24869b21f7cd549d0e8dec1b286c7dab2af5f599138470
Instruction Fuzzy Hash: B6F0AF70350305AFEB510FA4EC8CE673BACEF4A755B400035F94DC2150CF749811DA60

Function 0027C1E3 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 0027C1F7
GetWindowTextW.USER32(00000000,?,00000100), ref: 0027C20E
MessageBeep.USER32(00000000), ref: 0027C226
KillTimer.USER32(?,0000040A), ref: 0027C242
EndDialog.USER32(?,00000001), ref: 0027C25C

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: c62649479ca0e0ee1a4605b223209f5c2e9cc6ce1ad24ad522c22f4225f80593
Instruction ID: c38b28ca1808894cecdd82098c233944ba7b63cf7456dd505a3da023755dd5fd
Opcode Fuzzy Hash: c62649479ca0e0ee1a4605b223209f5c2e9cc6ce1ad24ad522c22f4225f80593
Instruction Fuzzy Hash: 8B01A730414304ABEB205FA0ED4EB96777CBB01B06F00426DA996A14E1DBF469548B50

Function 002213B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 002213BF
StrokeAndFillPath.GDI32(?,?,0025B888,00000000,?), ref: 002213DB
SelectObject.GDI32(?,00000000), ref: 002213EE
DeleteObject.GDI32 ref: 00221401
StrokePath.GDI32(?), ref: 0022141C

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 130b6bafe142b2bc0c609a1db07f25e292482d203b7e455640efca303e29e027
Instruction ID: 06c57f9528fba006d346c289de8d8c6651d414cc0cef3383e547b55cc8c9f5fe
Opcode Fuzzy Hash: 130b6bafe142b2bc0c609a1db07f25e292482d203b7e455640efca303e29e027
Instruction Fuzzy Hash: B8F01930060B59EBDB559FA6FD8CB583BE5AB1132AF088224E469880F1CB7549A5DF10

Function 0028C397 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0028C432
CoCreateInstance.OLE32(002B2D6C,00000000,00000001,002B2BDC,?), ref: 0028C44A

Part of subcall function 00227DE1: _memmove.LIBCMT ref: 00227E22

CoUninitialize.OLE32 ref: 0028C6B7

Strings

.lnk, xrefs: 0028C3C6, 0028C3EE, 0028C3F8

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: 25af5a37f43a8dbd4a7159608504cb3c4c6ada3c75caf0a056a321e531add5e7
Instruction ID: 3da1f1ca5be099f42845fb691e60f017ecfa5f9e6c57bd2aa05012d76c9958a9
Opcode Fuzzy Hash: 25af5a37f43a8dbd4a7159608504cb3c4c6ada3c75caf0a056a321e531add5e7
Instruction Fuzzy Hash: AAA15A71118215AFD300EF94D881EABB7ECFF85354F00492CF5558B1A2EB71EA59CB62

Function 00232CFB Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00240DB6: std::exception::exception.LIBCMT ref: 00240DEC
Part of subcall function 00240DB6: __CxxThrowException@8.LIBCMT ref: 00240E01

Part of subcall function 00227DE1: _memmove.LIBCMT ref: 00227E22

Part of subcall function 00227A51: _memmove.LIBCMT ref: 00227AAB

__swprintf.LIBCMT ref: 00232ECD

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00232D66

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: 05985ab64f43e45b4ddea76db8acb4c263d14af377a8ae2e88d240571d3cc344
Instruction ID: 85fe6e570a5a5c17454ea294703d0184e4a67e10882b5a15ed19e5ab7894f13a
Opcode Fuzzy Hash: 05985ab64f43e45b4ddea76db8acb4c263d14af377a8ae2e88d240571d3cc344
Instruction Fuzzy Hash: B8917E71128312EFC718EF64D886C6FB7A8EF85714F00491DF4559B2A1DA70EDA8CB52

Function 0028B93B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 00224750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00224743,?,?,002237AE,?), ref: 00224770

CoInitialize.OLE32(00000000), ref: 0028B9BB
CoCreateInstance.OLE32(002B2D6C,00000000,00000001,002B2BDC,?), ref: 0028B9D4
CoUninitialize.OLE32 ref: 0028B9F1

Part of subcall function 00229837: __itow.LIBCMT ref: 00229862
Part of subcall function 00229837: __swprintf.LIBCMT ref: 002298AC

Strings

.lnk, xrefs: 0028B99D, 0028B9AB

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 89e9d8f6f90e8791ddd916252b99bbcc6578e229a97215807c4f8b1a90add135
Instruction ID: 7b673000ddc6bf53e911e3cffa4accea03776a671be47efffd5947b3c70f7b74
Opcode Fuzzy Hash: 89e9d8f6f90e8791ddd916252b99bbcc6578e229a97215807c4f8b1a90add135
Instruction Fuzzy Hash: 15A13479614311AFCB04EF54C484D6ABBE5FF89314F048998F8999B3A1CB31EC55CB92

Function 0027B2F3 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 0027B4BE

Strings

%+, xrefs: 0027B561
Container, xrefs: 0027B43B
AutoIt3GUI, xrefs: 0027B436

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container$%+
API String ID: 3565006973-1591554326
Opcode ID: df2e8b2fe9978920f534e2f3a0882e7957c788a5c2254efde49e33cc77d1d13d
Instruction ID: 0985905b6b21190f08ea30331fbf8e067e42473b5d9037e98512d4c9b5d58cef
Opcode Fuzzy Hash: df2e8b2fe9978920f534e2f3a0882e7957c788a5c2254efde49e33cc77d1d13d
Instruction Fuzzy Hash: 45914870620602AFDB15CF64C894B6ABBF5FF49714F20856EF94ACB291DBB0E851CB50

Function 0024501D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 002450AD

Part of subcall function 002500F0: __87except.LIBCMT ref: 0025012B

Strings

pow, xrefs: 00245085, 002450A2

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 8e837e6cb7badd1f9be10050f3ea446c9000a38eb51595f6edabc4c542fb1b34
Instruction ID: 735f6140e3a822adb1c8ac1bad98e9d9b8770c5d9054a81046f3a1b21e6339a4
Opcode Fuzzy Hash: 8e837e6cb7badd1f9be10050f3ea446c9000a38eb51595f6edabc4c542fb1b34
Instruction Fuzzy Hash: D1517B25938A0387DB197F24DC8537E2F909B40711F208D59ECD98629BDE748DFC9A8A

Function 00268584 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 148COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0026862B
_memmove.LIBCMT ref: 00268685

Strings

3c#, xrefs: 0026860C
_#, xrefs: 002686FF, 0026DFDC, 0026DFF8

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: _memmove
String ID: 3c#$_#
API String ID: 4104443479-1894676648
Opcode ID: a2659168883245b89449a2d4622eaf3985d181dbf244529950671910cb127ba3
Instruction ID: f7b4900d1158a69a5001ea9ef78e1916df6f14ecdf8557d65f29ce9068191273
Opcode Fuzzy Hash: a2659168883245b89449a2d4622eaf3985d181dbf244529950671910cb127ba3
Instruction Fuzzy Hash: E5514FB0E1061A9FCF24CF68C884AAEB7F1FF44304F148569E85AD7250EB31E9A5CB51

Function 002797F5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 002814BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00279296,?,?,00000034,00000800,?,00000034), ref: 002814E6

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0027983F

Part of subcall function 00281487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,002792C5,?,?,00000800,?,00001073,00000000,?,?), ref: 002814B1

Part of subcall function 002813DE: GetWindowThreadProcessId.USER32(?,?), ref: 00281409
Part of subcall function 002813DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0027925A,00000034,?,?,00001004,00000000,00000000), ref: 00281419
Part of subcall function 002813DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0027925A,00000034,?,?,00001004,00000000,00000000), ref: 0028142F

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 002798AC
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 002798F9

Strings

@, xrefs: 00279911

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 73254682573cfa88854f86c9ad680c30c226526c59172deaa78ea70ae698b2d4
Instruction ID: 9bf4aa350a84236adf71e2958865b051c54f1171b0130f2fd598825eb80cda94
Opcode Fuzzy Hash: 73254682573cfa88854f86c9ad680c30c226526c59172deaa78ea70ae698b2d4
Instruction Fuzzy Hash: B4415076901218BFDB10EFA4CD45ADEBBB8EB09700F104099FA55B7181DA706E95CFA1

Function 002A7946 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,002AF910,00000000,?,?,?,?), ref: 002A79DF
GetWindowLongW.USER32 ref: 002A79FC
SetWindowLongW.USER32(?,000000F0,00000000), ref: 002A7A0C

Strings

SysTreeView32, xrefs: 002A79B1

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 92caca789c42e0eaf5764cc0e4b940661238061c4275d1ec9c313078748ab949
Instruction ID: 39a13beaa3ef73e33df05390dc377020837f3885315a699eb7936a670c46d330
Opcode Fuzzy Hash: 92caca789c42e0eaf5764cc0e4b940661238061c4275d1ec9c313078748ab949
Instruction Fuzzy Hash: 0231E131224606BFDB118E78DC45BEB77A9EB0A324F208725F875932E1DB31ED608B54

Function 002A73D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 002A7461
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 002A7475
SendMessageW.USER32(?,00001002,00000000,?), ref: 002A7499

Strings

SysMonthCal32, xrefs: 002A742C

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 7a55898ae9406c91c381dad7a155b2de377e73de26159a51f328266a04602c2b
Instruction ID: c8ecdd23bb30f2deb60bffbb9dda7b5a581148204dca6cc4aad206588bd12599
Opcode Fuzzy Hash: 7a55898ae9406c91c381dad7a155b2de377e73de26159a51f328266a04602c2b
Instruction Fuzzy Hash: 68219132510219ABDF118EA4DC46FEA3B79EB4D724F110114FE156B1D0DA75AC61DBA0

Function 002A7B93 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 002A7C4A
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 002A7C58
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 002A7C5F

Strings

msctls_updown32, xrefs: 002A7BC4

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 4827787dc9d99e76023cd0229f6d290fd1bdca6ba6969de26c2566fcc77cdd7c
Instruction ID: cacd4977a48b29d9be8ec86b0e333b8ed246ff9ac9f81beb38f1500bcaf380f8
Opcode Fuzzy Hash: 4827787dc9d99e76023cd0229f6d290fd1bdca6ba6969de26c2566fcc77cdd7c
Instruction Fuzzy Hash: 3021AEB5624219AFDB10DF64DCC5CA637EDEF4A368B140059F9109B3A1CB31EC618AA0

Function 002A6CB0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 002A6D3B
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 002A6D4B
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 002A6D70

Strings

Listbox, xrefs: 002A6D08

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 9a9931a967e86aa1ce21ab5800c4029d8de300c056a335efdec570a4eb7c6358
Instruction ID: 762e6f52ae2ea6965317f6208252afec700eff3c17179e0a78a92eee1fc901e3
Opcode Fuzzy Hash: 9a9931a967e86aa1ce21ab5800c4029d8de300c056a335efdec570a4eb7c6358
Instruction Fuzzy Hash: 5E219532620119BFDF118F54DC49EBB377AEF8A760F058125FA455B1A0CB719C618BA0

Function 002939E9 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00293A66

Part of subcall function 00227DE1: _memmove.LIBCMT ref: 00227E22

Strings

AUTOITCALLVARIABLE%d, xrefs: 00293A58
%+, xrefs: 002939F4
, $, xrefs: 00293AA6

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d$%+
API String ID: 3506404897-2083194344
Opcode ID: 1a4ea7db3e3776f8d32df61e34ed313db28c9ea5d378ef3ee32d388a4d1c70aa
Instruction ID: af7fbc383c912c942f289357643118442d85d62360c393b10a2872988cd8d1b3
Opcode Fuzzy Hash: 1a4ea7db3e3776f8d32df61e34ed313db28c9ea5d378ef3ee32d388a4d1c70aa
Instruction Fuzzy Hash: 6E21A231624229BFCF14EFA4DC82EAE77B5AF45300F404456F459A7281DB34EA65CF61

Function 002A770E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 002A7772
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 002A7787
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 002A7794

Strings

msctls_trackbar32, xrefs: 002A7749

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 5ce7ee2258d451e7f44b35b873d4eb285a92bbd5cd788954a1d3eb35df6678e3
Instruction ID: fa6f1476aab78c98389a53412107a51a82a72d56255523074e6ee26a039bbb60
Opcode Fuzzy Hash: 5ce7ee2258d451e7f44b35b873d4eb285a92bbd5cd788954a1d3eb35df6678e3
Instruction Fuzzy Hash: BB113A32260209BFEF105F70CC05FD7776DEF8AB54F010119F64196090CA71E821CB14

Function 00246B71 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00246B93
__calloc_crt.LIBCMT ref: 00246BAC

Strings

@B., xrefs: 00246BC3
-, xrefs: 00246BD1

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: __calloc_crt
String ID: -$@B.
API String ID: 3494438863-912515190
Opcode ID: f23139dead6973903c4b5ddfd2f0ccafaf90bc1b8cb44301b578f18b400bb7b1
Instruction ID: 23d461cb155b4febdcd0ca963c5810288cb4c86398bb34ad45ff15875bbd3afb
Opcode Fuzzy Hash: f23139dead6973903c4b5ddfd2f0ccafaf90bc1b8cb44301b578f18b400bb7b1
Instruction Fuzzy Hash: DFF0C875678A228BF76C9F54BC99B6667D5E701338B10001AE700EE280EB708C5186C1

Function 00249B79 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 20COMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 00249B94

Part of subcall function 00249C0B: __mtinitlocknum.LIBCMT ref: 00249C1D
Part of subcall function 00249C0B: EnterCriticalSection.KERNEL32(00000000,?,00249A7C,0000000D), ref: 00249C36

__updatetlocinfoEx_nolock.LIBCMT ref: 00249BA4

Part of subcall function 00249100: ___addlocaleref.LIBCMT ref: 0024911C
Part of subcall function 00249100: ___removelocaleref.LIBCMT ref: 00249127
Part of subcall function 00249100: ___freetlocinfo.LIBCMT ref: 0024913B

Strings

8-, xrefs: 00249B8A, 00249B9F, 00249BAB
8-, xrefs: 00249B85

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: CriticalEnterEx_nolockSection___addlocaleref___freetlocinfo___removelocaleref__lock__mtinitlocknum__updatetlocinfo
String ID: 8-$8-
API String ID: 547918592-306514315
Opcode ID: 5bdc1eb89ee0281477bb483c09239d45677200921afb9fdf86b4d524e8cd62a0
Instruction ID: 4a8ecd9381b00a20eb33478770366db56e672800adc4079db4d0e6cad891df28
Opcode Fuzzy Hash: 5bdc1eb89ee0281477bb483c09239d45677200921afb9fdf86b4d524e8cd62a0
Instruction Fuzzy Hash: 11E08C31973701AAEE18FBE46907B0E2750AB01B29F21015BF099692C1CD702CA08E17

Function 00224C36 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00224B83,?), ref: 00224C44
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00224C56

Strings

Wow64RevertWow64FsRedirection, xrefs: 00224C50
kernel32.dll, xrefs: 00224C3F

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 8f0fecf7d5252d9a1cb99ec6d1662f180203042749c97978327a28f50f3aa1c1
Instruction ID: 7656f293e5baa15af314f23033c719fbe760cacafa63824dade911a3752ca24d
Opcode Fuzzy Hash: 8f0fecf7d5252d9a1cb99ec6d1662f180203042749c97978327a28f50f3aa1c1
Instruction Fuzzy Hash: 14D01230520723DFD7206FB5EA4864676E4AF06351B11883AD496E6160EA74D890C660

Function 00224C03 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00224BD0,?,00224DEF,?,002E52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00224C11
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00224C23

Strings

kernel32.dll, xrefs: 00224C0C
Wow64DisableWow64FsRedirection, xrefs: 00224C1D

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 1f09827c27050de7a5ada8eec44ffd2196194858797db397d895d1bc2d5854bf
Instruction ID: 1831cb43d08be59da694ce08f26c9b8ba8eac3c8406c8ef0d0468953291d14df
Opcode Fuzzy Hash: 1f09827c27050de7a5ada8eec44ffd2196194858797db397d895d1bc2d5854bf
Instruction Fuzzy Hash: DBD01230521723DFD720AFF5EE48646B6E5EF0A752B11CC3AD885D6150EAF4D890C660

Function 002A0DE7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,002A1039), ref: 002A0DF5
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 002A0E07

Strings

advapi32.dll, xrefs: 002A0DF0
RegDeleteKeyExW, xrefs: 002A0E01

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: e80d2635a5866595bc9dcb8e6f7f2746ff431002e312fb0a234146dc13124987
Instruction ID: bf5c3bdc6c73cff115ef71d5eef8e84b41d0c2f8e236a6ebd09c91bcd6ec5ea8
Opcode Fuzzy Hash: e80d2635a5866595bc9dcb8e6f7f2746ff431002e312fb0a234146dc13124987
Instruction Fuzzy Hash: FBD0C270460313CFC3205FB0E94824272D4AF12341F008C3EE485C2250DAB4DCE0C610

Function 002990E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00298CF4,?,002AF910), ref: 002990EE
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00299100

Strings

kernel32.dll, xrefs: 002990E9
GetModuleHandleExW, xrefs: 002990FA

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 1a9ed089309dac4e015b1c3156ed1786a94c13b4b9ebaef35ec906962fffb96e
Instruction ID: d1303203e94c784fd7d6a6cf77b468f264737f932cdaef5b9e56bef74c450236
Opcode Fuzzy Hash: 1a9ed089309dac4e015b1c3156ed1786a94c13b4b9ebaef35ec906962fffb96e
Instruction Fuzzy Hash: E4D01234520713CFDB209F75D95C54676E4AF06352B158C3ED489D6550EA74C8D0C660

Function 00261714 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00261718
__swprintf.LIBCMT ref: 00261749

Strings

%.3d, xrefs: 00261723
WIN_XPe, xrefs: 00261788

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 2e35a3127cd216025233196773407030eafdf747dbffaee839efa640d5116438
Instruction ID: 8d03dc76a55ae783917416fe44b212e35961a258dde5758037c6e494fe2e2f85
Opcode Fuzzy Hash: 2e35a3127cd216025233196773407030eafdf747dbffaee839efa640d5116438
Instruction Fuzzy Hash: 88D01271834119FAC745969098898B9B37CAB09301F280462B406E2040E3A5ABF4EA21

Function 0027717D Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65c4e08b4f72af35c100d2182f9fc60dbac006e3dc506b74e3ef473d6acc78cd
Instruction ID: 3d1ebd6e9c2c326b72d8b94b22ff693679ed8ca598b1a7f1cf8a8b0028111ba5
Opcode Fuzzy Hash: 65c4e08b4f72af35c100d2182f9fc60dbac006e3dc506b74e3ef473d6acc78cd
Instruction Fuzzy Hash: 8FC18E74A14216EFDB14CFA8C894EAEBBB5FF48704B148598F809EB251D730ED91DB90

Function 0029E02A Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 0029E0BE
CharLowerBuffW.USER32(?,?), ref: 0029E101

Part of subcall function 0029D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0029D7C5

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0029E301
_memmove.LIBCMT ref: 0029E314

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: f4fb3a5e6e6b4898da7ab3f192744d4f8461686675296b693a79dda045503ae5
Instruction ID: 06da1ec3cd33da0bcee282e7b1ad565f4500058f798e7368a0040b2b54ee78f1
Opcode Fuzzy Hash: f4fb3a5e6e6b4898da7ab3f192744d4f8461686675296b693a79dda045503ae5
Instruction Fuzzy Hash: F2C14671A28311DFCB04DF28C480A6ABBE4FF89714F05896EE8999B351D731E955CF82

Function 00298093 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 002980C3
CoUninitialize.OLE32 ref: 002980CE

Part of subcall function 0027D56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0027D5D4

VariantInit.OLEAUT32(?), ref: 002980D9
VariantClear.OLEAUT32(?), ref: 002983AA

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: dec21be9047cb0978757994aa6bce7100d24686a45839a088b7652e7a4d27ac6
Instruction ID: 078a8392c16aec7062ac38bab071914df9899d5855c241a1ccf7695a9f929804
Opcode Fuzzy Hash: dec21be9047cb0978757994aa6bce7100d24686a45839a088b7652e7a4d27ac6
Instruction Fuzzy Hash: 39A16A75624711AFCB00DF64C481B2AB7E4BF8A724F184458F99A9B3A1CB34EC55CF46

Function 0027687D Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0027688E
SysAllocString.OLEAUT32(00000000), ref: 00276937
VariantCopy.OLEAUT32 ref: 00276966
VariantClear.OLEAUT32(?), ref: 0027698D

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 901f7c1bfa3a2a548ea024434008514e8a767e8d6d701ba893b6832c4fe2f66b
Instruction ID: 2b9dc8b7eaa08b679dda1f731b25dd0ad1cd9e8957b023119661dd64d020adb9
Opcode Fuzzy Hash: 901f7c1bfa3a2a548ea024434008514e8a767e8d6d701ba893b6832c4fe2f66b
Instruction Fuzzy Hash: F051E974730B02DECB24EF65D89962AB3E5AF45310F20D81FE58ED7291DA74D8A08B05

Function 002A97F4 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(0184E740,?), ref: 002A9863
ScreenToClient.USER32(00000002,00000002), ref: 002A9896
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 002A9903

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: e1ced406f27190ba663f8c283f4bfa6b8bd0ad952e6cd4fe862418700ac1f3da
Instruction ID: 323c4013a580301260eccc465822d1af31240c23867faba7f5edf03a2993bba0
Opcode Fuzzy Hash: e1ced406f27190ba663f8c283f4bfa6b8bd0ad952e6cd4fe862418700ac1f3da
Instruction Fuzzy Hash: 3B515034A1020AEFCF10CF55D984AAE7BB6FF46360F148159F9659B2A0DB31AD91CB90

Function 00279A80 Relevance: 6.1, APIs: 4, Instructions: 129windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00279AD2
__itow.LIBCMT ref: 00279B03

Part of subcall function 00279D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00279DBE

SendMessageW.USER32(?,0000110A,00000001,?), ref: 00279B6C
__itow.LIBCMT ref: 00279BC3

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: 128eb9fd9eb0e4c203bbaa3e5420516f236f01272bfdb59e83b2550fc5fdbfd7
Instruction ID: a75ea55822b29200569cee642a5f0c24ca89233fe53eede89dbc7f427a6428fa
Opcode Fuzzy Hash: 128eb9fd9eb0e4c203bbaa3e5420516f236f01272bfdb59e83b2550fc5fdbfd7
Instruction Fuzzy Hash: B241C370A10319ABDF11EF50D846FEE7BB9EF45714F004029F909A3291DB749EA4CBA1

Function 002969AA Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 002969D1
WSAGetLastError.WSOCK32(00000000), ref: 002969E1

Part of subcall function 00229837: __itow.LIBCMT ref: 00229862
Part of subcall function 00229837: __swprintf.LIBCMT ref: 002298AC

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00296A45
WSAGetLastError.WSOCK32(00000000), ref: 00296A51

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: 930a142a180eda146556fd8fc99de1ff6784a4b14362eadf73e711163e8e3271
Instruction ID: 2e2f6aff74051f3e5ffb88d3e8604af79ee45242856e046e52c9bd171ef2ee25
Opcode Fuzzy Hash: 930a142a180eda146556fd8fc99de1ff6784a4b14362eadf73e711163e8e3271
Instruction Fuzzy Hash: 6941C375710210BFEB64AFA4EC8AF3A77E49F04B14F448018FA19AF3C2DA749D508B91

Function 0029641A Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,002AF910), ref: 002964A7
_strlen.LIBCMT ref: 002964D9

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: dc7b4c9a971fa0750f3cde572c62a1f7ad15d7ae43d5bbe77f925b03ecf78b45
Instruction ID: 65922420eae9375b6cfa3ae4b207601d04d9a1fb88965e3c457d4bcc9fb54c37
Opcode Fuzzy Hash: dc7b4c9a971fa0750f3cde572c62a1f7ad15d7ae43d5bbe77f925b03ecf78b45
Instruction Fuzzy Hash: 4341C271A20114AFCF14EBA8EC89FAEB7E8AF45310F548155F8199B292DB30ED64CF50

Function 0028B7F4 Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0028B89E
GetLastError.KERNEL32(?,00000000), ref: 0028B8C4
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0028B8E9
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0028B915

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: a13171fabb090046e5bccf2558b4da588c647feab78eacf6ca40bdd5b91cc271
Instruction ID: c8c404132d4a656e5a67207d970852544d482975ad79e7fe8496919ff84be16e
Opcode Fuzzy Hash: a13171fabb090046e5bccf2558b4da588c647feab78eacf6ca40bdd5b91cc271
Instruction Fuzzy Hash: FD413839611621EFCB11EF94D584A59BBE1AF4A310F098098EC4A9F362CB34FD51CF96

Function 002A8851 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 002A88DE

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: ee37802e29f8337f2f5fad68c7ee9b93ead3fc0e0e10def628485405c07f49eb
Instruction ID: 1b7114c4cb305030d272b85b50902b6e1b1404c72116b097c9edba54bffc6b94
Opcode Fuzzy Hash: ee37802e29f8337f2f5fad68c7ee9b93ead3fc0e0e10def628485405c07f49eb
Instruction Fuzzy Hash: 2D31E43467010AFFEB209E68DC89BBA77B5FB07310F944112FA51E63A1CE74D9609B52

Function 002AAB37 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 002AAB60
GetWindowRect.USER32(?,?), ref: 002AABD6
PtInRect.USER32(?,?,002AC014), ref: 002AABE6
MessageBeep.USER32(00000000), ref: 002AAC57

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 3932203f937e002deee8aab67359ad17b8eab3bdc08aa4bdcf4efe0832d71234
Instruction ID: 633ef7faf8299ebd21587f21237ab9ed0a861e15759cb5d62ada076a7192f789
Opcode Fuzzy Hash: 3932203f937e002deee8aab67359ad17b8eab3bdc08aa4bdcf4efe0832d71234
Instruction Fuzzy Hash: 87419330620219DFDB11DF58D888B59BBF6FF4A724F1484AAE4159F260DB30E855CF92

Function 00280AD6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00280B27
SetKeyboardState.USER32(00000080,?,00000001), ref: 00280B43
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00280BA9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00280BFB

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 5d651d58542e17e50311e80fa89829ba8dd3e684a79f4e5964ba2ba99a01fad2
Instruction ID: fde654a407e618ee0787508e4f5e217bd49c7fc418c57ebf7dd255f97b11de55
Opcode Fuzzy Hash: 5d651d58542e17e50311e80fa89829ba8dd3e684a79f4e5964ba2ba99a01fad2
Instruction Fuzzy Hash: 2731AE34D62209AFFF70AF65CC89BF9BBA9AB4531CF04435AF480521D1C3B889789751

Function 00280C11 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A4C0D0,?,00008000), ref: 00280C66
SetKeyboardState.USER32(00000080,?,00008000), ref: 00280C82
PostMessageW.USER32(00000000,00000101,00000000), ref: 00280CE1
SendInput.USER32(00000001,?,0000001C,75A4C0D0,?,00008000), ref: 00280D33

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 16b282d1c597936936392ef5555848c545bdcd63c3699fd32d4f395abe1a8733
Instruction ID: 17f34802eb77b2503e9c3c20bff834e6a758c91c58624a8d4001bdefba40dd39
Opcode Fuzzy Hash: 16b282d1c597936936392ef5555848c545bdcd63c3699fd32d4f395abe1a8733
Instruction Fuzzy Hash: 54315A349222196FFFB0AFA5CC48BFEBB66EB45310F08831BE484521D1D37999798752

Function 002561C5 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 002561FB
__isleadbyte_l.LIBCMT ref: 00256229
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00256257
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 0025628D

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: e6c4dea2b73179f1973b8d77d5442911fda25cc981196dab591c29e345a12db3
Instruction ID: f21d42d999280f4427a1eff6318286d578c542fbd8e4c86158cc0094b674b62f
Opcode Fuzzy Hash: e6c4dea2b73179f1973b8d77d5442911fda25cc981196dab591c29e345a12db3
Instruction Fuzzy Hash: E431E030610246AFDF218FA5CC48BBA7BA9FF41311F554128EC24C71A1DB71DD64DB94

Function 002A4EEE Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 002A4F02

Part of subcall function 00283641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0028365B
Part of subcall function 00283641: GetCurrentThreadId.KERNEL32 ref: 00283662
Part of subcall function 00283641: AttachThreadInput.USER32(00000000,?,00285005), ref: 00283669

GetCaretPos.USER32(?), ref: 002A4F13
ClientToScreen.USER32(00000000,?), ref: 002A4F4E
GetForegroundWindow.USER32 ref: 002A4F54

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: ae493860f3e235daf1d4b0575dc2ca42146d80b76af6a369ddb65101e14b5f11
Instruction ID: 5ccf2198f2b9154d82b96c1b6dace82b3449965bfee44a6dcfc6746e823216a1
Opcode Fuzzy Hash: ae493860f3e235daf1d4b0575dc2ca42146d80b76af6a369ddb65101e14b5f11
Instruction Fuzzy Hash: 6E314C72D10118AFCB00EFA5D8859EFB7F9EF89300F10406AE815E7241EA759E54CFA1

Function 002AC498 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00222612: GetWindowLongW.USER32(?,000000EB), ref: 00222623

GetCursorPos.USER32(?), ref: 002AC4D2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0025B9AB,?,?,?,?,?), ref: 002AC4E7
GetCursorPos.USER32(?), ref: 002AC534
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0025B9AB,?,?,?), ref: 002AC56E

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 63e11fea96c020e88379ed8c4a00c9afc0c55a9df7915037db60b5d652781703
Instruction ID: 9fce0e98e866317593be98c7abc1100d505a12e696d2c59b5490dc90d2152606
Opcode Fuzzy Hash: 63e11fea96c020e88379ed8c4a00c9afc0c55a9df7915037db60b5d652781703
Instruction Fuzzy Hash: 0031D735910068FFCB25CF98D858DEA7BB5EF0A310F944065F9059B261CB316D60DFA4

Function 00278656 Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0027810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00278121
Part of subcall function 0027810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0027812B
Part of subcall function 0027810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0027813A
Part of subcall function 0027810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00278141
Part of subcall function 0027810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00278157

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 002786A3
_memcmp.LIBCMT ref: 002786C6
GetProcessHeap.KERNEL32(00000000,00000000), ref: 002786FC
HeapFree.KERNEL32(00000000), ref: 00278703

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: cb76d1e27a09628079da8d5866ae58892bb566de54218c92ba8827c808213bea
Instruction ID: 9497159c373087fe03b36c4a5d50eb0f9774422af7702eb5c9dcef4d15e943f1
Opcode Fuzzy Hash: cb76d1e27a09628079da8d5866ae58892bb566de54218c92ba8827c808213bea
Instruction Fuzzy Hash: 16217C71E90109EFDB14DFA4CA49BEEB7B8EF45304F158059E448A7240DB30AE15CB60

Function 0024098C Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 002409AE

Part of subcall function 00225A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00287896,?,?,00000000), ref: 00225A2C
Part of subcall function 00225A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00287896,?,?,00000000,?,?), ref: 00225A50

_fprintf.LIBCMT ref: 002409E5
OutputDebugStringW.KERNEL32(?), ref: 00275DBB

Part of subcall function 00244AAA: _flsall.LIBCMT ref: 00244AC3

__setmode.LIBCMT ref: 00240A1A

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: 170c29c215394812c7cd5a843611ec0c829c6f0ad38ae58976e4d059fb1fa1f7
Instruction ID: c9f518c1b3b8542a9ce278d29288d2e83a1b127ee2f8be191e4539b17da9f03c
Opcode Fuzzy Hash: 170c29c215394812c7cd5a843611ec0c829c6f0ad38ae58976e4d059fb1fa1f7
Instruction Fuzzy Hash: 9F1127359242247FDB08B7F4AC87AFEB7A89F56320F644015F20557182EE745CB28BA5

Function 00291767 Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 002917A3

Part of subcall function 0029182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0029184C
Part of subcall function 0029182D: InternetCloseHandle.WININET(00000000), ref: 002918E9

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 191d014b1fcdd95e8c04d5a43ec9dab67dff1e630a90dcc07fc16457d9ec65f9
Instruction ID: d8473ab0c727d7d1e46da9974bb3b4a724e7b8058cae63a0ae7ee8009a829348
Opcode Fuzzy Hash: 191d014b1fcdd95e8c04d5a43ec9dab67dff1e630a90dcc07fc16457d9ec65f9
Instruction Fuzzy Hash: 0421C931220607BFEF165FA1DC45FBAB7A9FF49710F104429F91196550DB71D831ABA0

Function 00283A2A Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,002AFAC0), ref: 00283A64
GetLastError.KERNEL32 ref: 00283A73
CreateDirectoryW.KERNEL32(?,00000000), ref: 00283A82
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,002AFAC0), ref: 00283ADF

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 415090983ff3017a01911ec7cd876370b4e6eb6107967659b6a72e1474e44694
Instruction ID: cdfebd8897b6366d85029cb2b28ea711aa8c155fe418ac1ef408d964ddda07a9
Opcode Fuzzy Hash: 415090983ff3017a01911ec7cd876370b4e6eb6107967659b6a72e1474e44694
Instruction Fuzzy Hash: CE21F6381192029F8304EF64D8858AAB7E4BE16724F104A1DF4D9C72E1DB30DE56CB82

Function 002550E2 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00255101

Part of subcall function 0024571C: __FF_MSGBANNER.LIBCMT ref: 00245733
Part of subcall function 0024571C: __NMSG_WRITE.LIBCMT ref: 0024573A
Part of subcall function 0024571C: RtlAllocateHeap.NTDLL(01830000,00000000,00000001,00000000,?,?,?,00240DD3,?), ref: 0024575F

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 2e078cb6318425161fd224875f20527edb5265830b1fd2e9570eddfb546b7be7
Instruction ID: da806671e5c0b577d18ef9ccd277b5fa12adf671ccc933b37dfc6ad782105380
Opcode Fuzzy Hash: 2e078cb6318425161fd224875f20527edb5265830b1fd2e9570eddfb546b7be7
Instruction Fuzzy Hash: CB11E372930E22AFCF352FB0BC5976D3F989F053A3B108529FD489A151DE748C649E98

Function 002244A0 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002244CF

Part of subcall function 0022407C: _memset.LIBCMT ref: 002240FC
Part of subcall function 0022407C: _wcscpy.LIBCMT ref: 00224150
Part of subcall function 0022407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00224160

KillTimer.USER32(?,00000001,?,?), ref: 00224524
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00224533
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0025D4B9

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 1a036fec3b768190576dee0e89b8845a74cd8d11dd5a5d660b78330af1506fda
Instruction ID: f3710cfe32dc1ad21993c332b785b9f2fa0e0feccb90d66c0ff440fa78b08075
Opcode Fuzzy Hash: 1a036fec3b768190576dee0e89b8845a74cd8d11dd5a5d660b78330af1506fda
Instruction Fuzzy Hash: 53213770814794AFE732DF64A849BE6BBECAF11309F04008DEBCE5A141C3B42A98CB45

Function 00296369 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00225A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00287896,?,?,00000000), ref: 00225A2C
Part of subcall function 00225A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00287896,?,?,00000000,?,?), ref: 00225A50

gethostbyname.WSOCK32(?,?,?), ref: 00296399
WSAGetLastError.WSOCK32(00000000), ref: 002963A4
_memmove.LIBCMT ref: 002963D1
inet_ntoa.WSOCK32(?), ref: 002963DC

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: 3a96d755c4cf4521b8a55a225b11f1eb11891ee3ea056a762df6abd547f6fce3
Instruction ID: 96ff717350fa60bbbbba1c8d9360ed5dbe43a82f21ff88fae6ec66f8b256074b
Opcode Fuzzy Hash: 3a96d755c4cf4521b8a55a225b11f1eb11891ee3ea056a762df6abd547f6fce3
Instruction Fuzzy Hash: BF114F31520119AFCB04EBE4EA46CAEB7B8AF15310B148065F505A7161DB349E64DFA1

Function 00278B41 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00278B61
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00278B73
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00278B89
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00278BA4

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 37b7028828b36390c77a67dea8c3e28d81e11d80fbe61d680d12cad0b212762f
Instruction ID: eae51f1a92f494cbec644c3e913ee81dee45f45fa6a5f2e7eef278819cfef3c5
Opcode Fuzzy Hash: 37b7028828b36390c77a67dea8c3e28d81e11d80fbe61d680d12cad0b212762f
Instruction Fuzzy Hash: 84115E79941218FFDB10DF95CC84F9DBB78FB48710F204095EA04B7250DA716E11DB94

Function 00221290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00222612: GetWindowLongW.USER32(?,000000EB), ref: 00222623

DefDlgProcW.USER32(?,00000020,?), ref: 002212D8
GetClientRect.USER32(?,?), ref: 0025B5FB
GetCursorPos.USER32(?), ref: 0025B605
ScreenToClient.USER32(?,?), ref: 0025B610

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 2abc5c70ad33d02918a6ab2a917fcda7b060cfa46b29c3af7880874e9642e5f7
Instruction ID: dac4094b59f533de435d4bdc31266b0b0dcf306536937b98da1be9725f673b86
Opcode Fuzzy Hash: 2abc5c70ad33d02918a6ab2a917fcda7b060cfa46b29c3af7880874e9642e5f7
Instruction Fuzzy Hash: D7115835920029FFCB10DFE8E989DAE77B8EB16300F400556F911E7241CB30BA618BA5

Function 0027D831 Relevance: 6.0, APIs: 4, Instructions: 50registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 0027D84D
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 0027D864
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 0027D879
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 0027D897

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: def3be790aa6fa49af1e31483a2cff68d84682e8bd72f693026ebdf401a01bb7
Instruction ID: 64a3225fd30b69d52ade0e33b48b26635eeeb6e8de0d8283f6b7485b3bcd0841
Opcode Fuzzy Hash: def3be790aa6fa49af1e31483a2cff68d84682e8bd72f693026ebdf401a01bb7
Instruction Fuzzy Hash: FA116175626304DBE3208F90ED0DF93BBBCEF04B00F108969A65ED6450D7F4E55A9BA2

Function 00256FB7 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00256FDB

Part of subcall function 002576C2: __fltout2.LIBCMT ref: 002576EB

__cftog_l.LIBCMT ref: 00257001
__cftoe_l.LIBCMT ref: 00257033

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 885fee805a4249936124c1c45c19623ca63604e0f20ca4a6ffd8f69e98da7607
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: EC0180324A814ABBCF125F84EC01CED3FA6BB28352F488415FE1859070D236C9B9AF85

Function 002AB2C5 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 002AB2E4
ScreenToClient.USER32(?,?), ref: 002AB2FC
ScreenToClient.USER32(?,?), ref: 002AB320
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 002AB33B

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: b7be98d634d795836c9b9c19595292e3fd4dd50cbb7dba5fe15c99f8aabd7bb4
Instruction ID: 2cf549cf28a851de826d201035febcdb105759b13148abaae900ebda14b5c2f9
Opcode Fuzzy Hash: b7be98d634d795836c9b9c19595292e3fd4dd50cbb7dba5fe15c99f8aabd7bb4
Instruction Fuzzy Hash: F2114675D00209EFDB41CF99D5849EEBBB9FB09311F104166E914E3220D735AA65DF50

Function 00286BDA Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00286BE6

Part of subcall function 002876C4: _memset.LIBCMT ref: 002876F9

_memmove.LIBCMT ref: 00286C09
_memset.LIBCMT ref: 00286C16
LeaveCriticalSection.KERNEL32(?), ref: 00286C26

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: 7996c28c7a085f70ea84319d5649ed2a0d228b718e8773b439a48da483a7522b
Instruction ID: c067a1c31d6db7b3a63a033002f9409aa8abefdd510800a649be92a69d4fd4fe
Opcode Fuzzy Hash: 7996c28c7a085f70ea84319d5649ed2a0d228b718e8773b439a48da483a7522b
Instruction Fuzzy Hash: C9F0543E200100ABCF456F95EC85A4ABB29EF45320F048061FE085E267DB35E821CFB4

Function 00222218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00222231
SetTextColor.GDI32(?,000000FF), ref: 0022223B
SetBkMode.GDI32(?,00000001), ref: 00222250
GetStockObject.GDI32(00000005), ref: 00222258
GetWindowDC.USER32(?,00000000), ref: 0025BE83
GetPixel.GDI32(00000000,00000000,00000000), ref: 0025BE90
GetPixel.GDI32(00000000,?,00000000), ref: 0025BEA9
GetPixel.GDI32(00000000,00000000,?), ref: 0025BEC2
GetPixel.GDI32(00000000,?,?), ref: 0025BEE2
ReleaseDC.USER32(?,00000000), ref: 0025BEED

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 1902e652c772e50994a845ee7c24edcf472f2c35be30610e0c422e59b3262599
Instruction ID: 072e101690ae223f2bd07c77d0d2fef22e4275be5b91856e836cfee34ca1d4f4
Opcode Fuzzy Hash: 1902e652c772e50994a845ee7c24edcf472f2c35be30610e0c422e59b3262599
Instruction Fuzzy Hash: EEE03932514245EBDF615FA4FD0D7D87B10EB16332F148366FA69480E18B764994DB22

Function 00278712 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 0027871B
OpenThreadToken.ADVAPI32(00000000,?,?,?,002782E6), ref: 00278722
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,002782E6), ref: 0027872F
OpenProcessToken.ADVAPI32(00000000,?,?,?,002782E6), ref: 00278736

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: acb56ec51706b8d6c3f0c35ac01015da2f31e41d57bfa2a7a862c2a1adc8ef95
Instruction ID: ce15988b08676678237c6857f253b8cc1a7571ad5f3962a5d64a4f961faf5e8b
Opcode Fuzzy Hash: acb56ec51706b8d6c3f0c35ac01015da2f31e41d57bfa2a7a862c2a1adc8ef95
Instruction Fuzzy Hash: 70E0863AA552129BD7A05FF07E0CB977BACEF52791F148868B64AC9040DE388451C750

Function 00226240 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 317COMMON

Download Yara Rule

Strings

%+, xrefs: 0022624E

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID:
String ID: %+
API String ID: 0-2692660539
Opcode ID: 1b041660064db1f2e1df99a4d250a0d9ba4a5c4a8431ab8fb7cba06836350693
Instruction ID: f41338734d1b74532c8f87ca3b2081276a91d6d6d3cb47be79b4ccb601079e39
Opcode Fuzzy Hash: 1b041660064db1f2e1df99a4d250a0d9ba4a5c4a8431ab8fb7cba06836350693
Instruction Fuzzy Hash: 1CB1D37282412AFBCF24EFD4E489AFDB7B4EF04310F504166E941A7191DB749EA1CB91

Function 0029AEA2 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 313COMMON

Download Yara Rule

APIs

__itow_s.LIBCMT ref: 0029AFAE

Strings

xb., xrefs: 0029B010
xb., xrefs: 0029AFE4

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: __itow_s
String ID: xb.$xb.
API String ID: 3653519197-2273934189
Opcode ID: 16585ae1a3a9bc1702523e4d7b5e1286cdef97a26cb4be4efd4b8d8878a2a300
Instruction ID: b053670c4f8d6103fe84bff1f825e1a2c99599f74efe50ac55ca3019e670c25c
Opcode Fuzzy Hash: 16585ae1a3a9bc1702523e4d7b5e1286cdef97a26cb4be4efd4b8d8878a2a300
Instruction Fuzzy Hash: A4B1A370A10206EFCF14DF54D994DBABBB9FF59300F148069F9499B291DB71D9A0CBA0

Function 0028AFAC Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 0023FC86: _wcscpy.LIBCMT ref: 0023FCA9

Part of subcall function 00229837: __itow.LIBCMT ref: 00229862
Part of subcall function 00229837: __swprintf.LIBCMT ref: 002298AC

__wcsnicmp.LIBCMT ref: 0028B02D
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0028B0F6

Strings

LPT, xrefs: 0028B027

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 7588f75b1f3a85036bf65462995499a96d6b45cc3e08b26e0ab9e0f20b8ac017
Instruction ID: 0c7b885b2c3c5694669925c11a7c44f12498543e4f7fbe5c4e53b0ac393c5ab1
Opcode Fuzzy Hash: 7588f75b1f3a85036bf65462995499a96d6b45cc3e08b26e0ab9e0f20b8ac017
Instruction Fuzzy Hash: BD61C475E20219AFCB15EF94D895EAEB7B4EF09310F04405DF91AAB391D770AE90CB50

Function 00232957 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00232968
GlobalMemoryStatusEx.KERNEL32(?), ref: 00232981

Strings

@, xrefs: 00232975

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 0afd8beeb97f0fc493960d52fa07be642af31c3bcceb82b87db3a6d2f4f52e5c
Instruction ID: 2097d5e3954f3f0ddf5d729894d1f4206c6f0c16d82c217880ccc5ad1565cf96
Opcode Fuzzy Hash: 0afd8beeb97f0fc493960d52fa07be642af31c3bcceb82b87db3a6d2f4f52e5c
Instruction Fuzzy Hash: 14515772419754ABD320EF50EC86BAFBBE8FB85350F42885DF6D8410A1DB308579CB66

Function 00289734 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00224F0B: __fread_nolock.LIBCMT ref: 00224F29

_wcscmp.LIBCMT ref: 00289824
_wcscmp.LIBCMT ref: 00289837

Strings

FILE, xrefs: 00289770

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 429741de6180e46244252540ca201e64c05c00e214b09e9e93c3ac6c35e68a6b
Instruction ID: dbc5bb3e2d64d326aff304b83dad6fa113c16dea8c23bbe0138ca6e7d56f1c44
Opcode Fuzzy Hash: 429741de6180e46244252540ca201e64c05c00e214b09e9e93c3ac6c35e68a6b
Instruction Fuzzy Hash: 7841A575A1021ABADF20AFE0DC45FEFB7BDDF86710F000469F904B7181DA71A9548B61

Function 00260574 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0026057F

Strings

Dd., xrefs: 0022A151
Dd., xrefs: 0022A317

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: ClearVariant
String ID: Dd.$Dd.
API String ID: 1473721057-1161358372
Opcode ID: 17b5227bed81ae7c68bd7c795855980f06a0399bdeac4f02e7ec943cfa932b9b
Instruction ID: 36e33cd72d496c323a7157b612c10a7025af16bee67b6f7455596183988297ac
Opcode Fuzzy Hash: 17b5227bed81ae7c68bd7c795855980f06a0399bdeac4f02e7ec943cfa932b9b
Instruction Fuzzy Hash: 8F513278628352EFD764CF58E484A1ABBF1BB98350F50881CE9858B761D331ECA1CF42

Function 0029258E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0029259E
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 002925D4

Strings

|, xrefs: 002925A5

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: bfd6c4f91c63d0a90f628f3d01f52f0f878cea491227cb6eda97b8235e8c1310
Instruction ID: 037b2c2ca34a804f1eabde875c63d3f4d8be203a7fcce6c92bfcde21b0da944c
Opcode Fuzzy Hash: bfd6c4f91c63d0a90f628f3d01f52f0f878cea491227cb6eda97b8235e8c1310
Instruction Fuzzy Hash: D331F571C24119FBCF05AFA1DC85EEEBBB8FF08310F104069F915A6162EA315966DFA0

Function 002A7A71 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 002A7B61
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 002A7B76

Strings

', xrefs: 002A7ACA

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: f3060dbcf755d95504f53036df1cda81d2aa723f4aef792bc4db0086b7a1d6d7
Instruction ID: e525473253a55ad6f40428b4ad7a83562bfc32f0b2ae16e321d4f2ef87123bda
Opcode Fuzzy Hash: f3060dbcf755d95504f53036df1cda81d2aa723f4aef792bc4db0086b7a1d6d7
Instruction Fuzzy Hash: 4C411B74A1530AAFDB14CF64D981BDABBB5FF09304F10056AE904EB352DB70A961CFA4

Function 002A6A63 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 002A6B17
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 002A6B53

Strings

static, xrefs: 002A6AB3

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 59e73d9f5f39b3826e9e088cb1faef9e4cda4f16c9e4130deb8e90c5eaa6cc89
Instruction ID: 0531f988f0db71b8597f8253d66687a9805c10d1b1305e7daa14d3a5f922b59c
Opcode Fuzzy Hash: 59e73d9f5f39b3826e9e088cb1faef9e4cda4f16c9e4130deb8e90c5eaa6cc89
Instruction Fuzzy Hash: B431BE71220605AFDB109F68DC84BFB73A9FF49724F148619F9A9D7190DB30ACA1CB60

Function 002828A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00282911
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0028294C

Strings

0, xrefs: 0028290A

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 42ba9c72486a7555cc553055f3aa38e6c93519dcd23609b77d0477864f9001d5
Instruction ID: 8aa11ccf05dc310ab3d1733b01bf8c54f4298f20993eeb526bab413226f55e8e
Opcode Fuzzy Hash: 42ba9c72486a7555cc553055f3aa38e6c93519dcd23609b77d0477864f9001d5
Instruction Fuzzy Hash: 0931F739A21306DFDF28EF58C985BAEBBB4EF05350F240019ED85A61E0D7709968CB11

Function 002A66D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 002A6761
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 002A676C

Strings

Combobox, xrefs: 002A672E

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: a5165e99efd51e03738d3577afd26b527c736338947df29ca524b7f37eb9a7c4
Instruction ID: 79d47b4b9c5e603fd859a46b52736d93cafb869594cfa924f74d8caf0090b075
Opcode Fuzzy Hash: a5165e99efd51e03738d3577afd26b527c736338947df29ca524b7f37eb9a7c4
Instruction Fuzzy Hash: FA11E671230209AFEF118F54DC88EBB776AEB46368F140125F91497290DB31DCA08BA0

Function 002A6C07 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00221D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00221D73
Part of subcall function 00221D35: GetStockObject.GDI32(00000011), ref: 00221D87
Part of subcall function 00221D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00221D91

GetWindowRect.USER32(00000000,?), ref: 002A6C71
GetSysColor.USER32(00000012), ref: 002A6C8B

Strings

static, xrefs: 002A6C4E

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: e401f2dd8d77d00620a64fced4f382f335ae4189f6d922f982027514e6de28af
Instruction ID: 8801b1ffdabc79956a45d3b3ef0914c9241087cfb0893d95c45f2e822315ddf5
Opcode Fuzzy Hash: e401f2dd8d77d00620a64fced4f382f335ae4189f6d922f982027514e6de28af
Instruction Fuzzy Hash: 0921897252021AAFDF04DFB8CC49EEA7BA9FB09314F044629FD95D2240DB35E860DB60

Function 002A6920 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 002A69A2
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 002A69B1

Strings

edit, xrefs: 002A6986

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: fed003318efbd6335c9a04ef1e305b9222f7d12b629743b9793029780dba091d
Instruction ID: 5238175e551dbd8fc22b1ea09930ea87636800ebbe7b751ec0ad1842b66f1710
Opcode Fuzzy Hash: fed003318efbd6335c9a04ef1e305b9222f7d12b629743b9793029780dba091d
Instruction Fuzzy Hash: 85118F71520106AFEB108E74DC48EEB376AEB06374F544724F9A5971E0CB75DC619B60

Function 002829AF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00282A22
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00282A41

Strings

0, xrefs: 00282A18

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 4237782cdb6e6d673d7e6e45987075bf4c3654b975bd95caa3b797efb9a70211
Instruction ID: 71e88b9025d8f98aa418f7acb904ac5c86cc91c50b17f53dc5f4630bc035d5e9
Opcode Fuzzy Hash: 4237782cdb6e6d673d7e6e45987075bf4c3654b975bd95caa3b797efb9a70211
Instruction Fuzzy Hash: D511D33A932125EBDB38EE98D948B9A73ACAF45304F144021E855E72D0D770AD1EC791

Function 002921D6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0029222C
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00292255

Strings

<local>, xrefs: 0029221D

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: dd7b248c483c75b109cba6ad6353259e7e940308cb3298c60f08e9dd0297c0e0
Instruction ID: 2b9b1fbf3578a3634aba4af2170b3a27ae16ef0483520c5dd871b67346d573f4
Opcode Fuzzy Hash: dd7b248c483c75b109cba6ad6353259e7e940308cb3298c60f08e9dd0297c0e0
Instruction Fuzzy Hash: B4110270961226FADF288F518C88EFBFBACFF06751F10822AF90446000D3B058A8D6F0

Function 0023092D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00223C14,002E52F8,?,?,?), ref: 0023096E

Part of subcall function 00227BCC: _memmove.LIBCMT ref: 00227C06

_wcscat.LIBCMT ref: 00264CB7

Strings

S., xrefs: 002309AE

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: FullNamePath_memmove_wcscat
String ID: S.
API String ID: 257928180-2842793924
Opcode ID: cd92f907b0c590a3a14c62109068c79943cff9b7c0d111612d8e5f66918f6b83
Instruction ID: 3c26913e0203985891a64b3d4eadac7d9d6dd16a1929926c732e70d2ad642a79
Opcode Fuzzy Hash: cd92f907b0c590a3a14c62109068c79943cff9b7c0d111612d8e5f66918f6b83
Instruction Fuzzy Hash: F511A171A35219AB8B40FBA4D846FDD73F8AF08745F4044A6B988D7291EAB097A44B20

Function 00278E05 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00227DE1: _memmove.LIBCMT ref: 00227E22

Part of subcall function 0027AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0027AABC

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00278E73

Strings

ComboBox, xrefs: 00278E12
ListBox, xrefs: 00278E3D

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: d1a59f01c2977d880ae8b78f4eb16f2bf27da74a89d86f18b94a8ef00e7d4614
Instruction ID: 1813ec033987695f8b0728f904b868b396bcd7aeb045895166da5b074bace8c6
Opcode Fuzzy Hash: d1a59f01c2977d880ae8b78f4eb16f2bf27da74a89d86f18b94a8ef00e7d4614
Instruction Fuzzy Hash: C401F571665229BB8B14EBE0CC4ACFE7368AF02320B044619F835572D1EF355828DA50

Function 00278CFD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00227DE1: _memmove.LIBCMT ref: 00227E22

Part of subcall function 0027AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0027AABC

SendMessageW.USER32(?,00000180,00000000,?), ref: 00278D6B

Strings

ComboBox, xrefs: 00278D0A
ListBox, xrefs: 00278D35

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: dae75548533a70065160c5c041703aa131d8d4d527dc11396199edb5b4a6a8d1
Instruction ID: 3ad2663ac86552ab0d7fd4160ddfb9f6695f6507247073b539c615b89a5994d4
Opcode Fuzzy Hash: dae75548533a70065160c5c041703aa131d8d4d527dc11396199edb5b4a6a8d1
Instruction Fuzzy Hash: C301F771BA1119BBCB24EBE0C956EFE77ACDF16350F104019B809632D1DE355E28DAB1

Function 00278D82 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00227DE1: _memmove.LIBCMT ref: 00227E22

Part of subcall function 0027AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0027AABC

SendMessageW.USER32(?,00000182,?,00000000), ref: 00278DEE

Strings

ComboBox, xrefs: 00278D8F
ListBox, xrefs: 00278DBA

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: d12bfc5fdbebcc68db811ed28ddb9225eab7f834be4d95fd4bc4a19b86ce6a6b
Instruction ID: 0ddcab19185fd375456adb2f00a470905c7333da2acd2138a46409b7454d75ef
Opcode Fuzzy Hash: d12bfc5fdbebcc68db811ed28ddb9225eab7f834be4d95fd4bc4a19b86ce6a6b
Instruction Fuzzy Hash: 5D012B71AA5119B7CB25EBF4D946EFE77ACDF12310F108015B809A32D1DE354E28EAB1

Function 0027C4EB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0027C534

Part of subcall function 0027C816: _memmove.LIBCMT ref: 0027C860
Part of subcall function 0027C816: VariantInit.OLEAUT32(00000000), ref: 0027C882
Part of subcall function 0027C816: VariantCopy.OLEAUT32(00000000,?), ref: 0027C88C

VariantClear.OLEAUT32(?), ref: 0027C556

Strings

d}-, xrefs: 0027C517

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: Variant$Init$ClearCopy_memmove
String ID: d}-
API String ID: 2932060187-1876025632
Opcode ID: 0df3ff84bf0b36f4ecc8b28ded75320b91015d8fe046b053c49fe4c8b8e8bee8
Instruction ID: e6e324dd9a42741213bc31299682d382a0eb22df5038b3a0d1d1e424f2fbbc8c
Opcode Fuzzy Hash: 0df3ff84bf0b36f4ecc8b28ded75320b91015d8fe046b053c49fe4c8b8e8bee8
Instruction Fuzzy Hash: D6111E719007089FC710DFAAD88489AF7F8FF18310B50862FE58AD7611E771AA54CF90

Function 00284F28 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00284F46
_wcscmp.LIBCMT ref: 00284F58

Strings

#32770, xrefs: 00284F52

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: f100740734e0da9dfcace66bb486f17274be21c4d7647b6e55d993a07154313a
Instruction ID: 9e8b0abb1404064989d1878448e516d503277f680aede2d20e6e2e61e868c0aa
Opcode Fuzzy Hash: f100740734e0da9dfcace66bb486f17274be21c4d7647b6e55d993a07154313a
Instruction Fuzzy Hash: 81E06832A002292BD320EB99BC4DFA7F7ACEB65B70F00002BFD00D3041E9609A118BE0

Function 0025B2C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0025B314: _memset.LIBCMT ref: 0025B321

Part of subcall function 00240940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0025B2F0,?,?,?,0022100A), ref: 00240945

IsDebuggerPresent.KERNEL32(?,?,?,0022100A), ref: 0025B2F4
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0022100A), ref: 0025B303

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0025B2FE

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: 4574b06ba9412f0c38eb0c72c396de5d1aa08f35806ccfdeabf65a80df88003e
Instruction ID: 8bade4bf7134eb3a6c02416b07ec6d38fff0f9047441eb33e98d52f9f7237367
Opcode Fuzzy Hash: 4574b06ba9412f0c38eb0c72c396de5d1aa08f35806ccfdeabf65a80df88003e
Instruction Fuzzy Hash: D4E09270220751DFE761DF68E908B427BE4AF00705F008AACE856D7241EBB4E458CFA1

Function 00261935 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 00261775

Part of subcall function 0029BFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,0026195E,?), ref: 0029BFFE
Part of subcall function 0029BFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0029C010

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 0026196D

Strings

WIN_XPe, xrefs: 00261788

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: WIN_XPe
API String ID: 582185067-3257408948
Opcode ID: 0ec677f78fb9fc45ed62c765f78f878288e7401424899ed70a6e78adccfa5c52
Instruction ID: 517d150bb07362ef0b721b7278e6959b3feac42731bb94aae2c656bcab4e19dc
Opcode Fuzzy Hash: 0ec677f78fb9fc45ed62c765f78f878288e7401424899ed70a6e78adccfa5c52
Instruction Fuzzy Hash: 7BF0C971820109DFDB56DF91EA88AECBBF8AF18301F680095E106A6090DB756FA4DF60

Function 002A5964 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 002A596E
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 002A5981

Part of subcall function 00285244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 002852BC

Strings

Shell_TrayWnd, xrefs: 002A5967

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 9a8c6b58d6b1e82862f82b2da7896bf3d0cfecab03e1f0820ed90fc4491b37f0
Instruction ID: 863012d10dc58ec963f239230a75b62e664a21732187c082d95c3f4f7dd2ed7e
Opcode Fuzzy Hash: 9a8c6b58d6b1e82862f82b2da7896bf3d0cfecab03e1f0820ed90fc4491b37f0
Instruction Fuzzy Hash: D2D0A935390310B7E2A8BBB0AC4FFA22A14AB01B00F000825B609AA1D0CCE49800CA50

Function 002A5998 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 002A59AE
PostMessageW.USER32(00000000), ref: 002A59B5

Part of subcall function 00285244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 002852BC

Strings

Shell_TrayWnd, xrefs: 002A59A7

Memory Dump Source

Source File: 00000001.00000002.1288398205.0000000000221000.00000020.00000001.01000000.00000003.sdmp, Offset: 00220000, based on PE: true

Associated: 00000001.00000002.1288339945.0000000000220000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288476206.00000000002D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288535780.00000000002DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1288558364.00000000002E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_220000_H75MnQEha8.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: aa604ce9e6f17768cf773b81167f146fe38a6be5cad0658c9eb1e8993c2f9fb0
Instruction ID: 5d1da5e7770e1f9740034e39f166a0af1a2a5b0dd131b4892b79557e56af2c37
Opcode Fuzzy Hash: aa604ce9e6f17768cf773b81167f146fe38a6be5cad0658c9eb1e8993c2f9fb0
Instruction Fuzzy Hash: C8D0A9313803107BE2A8BBB0AC4FF922614AB02B00F000825B605AA1D0CCE4A800CA54

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report H75MnQEha8.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: MassLogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\autDE2.tmp

C:\Users\user\AppData\Local\Temp\autE70.tmp

C:\Users\user\AppData\Local\Temp\electicism

C:\Users\user\AppData\Local\Temp\ultraradicalism

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Windows Analysis Report
H75MnQEha8.exe

Function 00223B3A Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Function 002249A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 00224E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Function 00289155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 00223015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 72
windowregistryCOMMON

Function 00223041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 0022708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00223633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowtimeregistryCOMMON

Function 00223A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 00223766 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Function 0022F76F Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 168
comCOMMON

Function 01884B08 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 002239D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 018848A8 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 156
fileCOMMON

Function 0022407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre