Edit tour

Windows Analysis Report
OKkUGRkZV7.exe

Overview

General Information

Sample name:	OKkUGRkZV7.exe renamed because original name is a hash value
Original sample name:	12f38b57f20acea350ed883756309c9516c6b5b814ebedcb19dcb5ba798579e1.exe
Analysis ID:	1588332
MD5:	f484f16874ddb071b45cb9f1fa8d0c56
SHA1:	8cf9f6ab9a0a8520650145ae1702cc35f0e4b123
SHA256:	12f38b57f20acea350ed883756309c9516c6b5b814ebedcb19dcb5ba798579e1
Tags:	exeRemcosRATuser-adrian__luca
Infos:

Detection

Remcos

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Contains functionality to bypass UAC (CMSTPLUA)

Detected Remcos RAT

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Sigma detected: Remcos

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Contains functionality to register a low level keyboard hook

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Contains functionalty to change the wallpaper

Delayed program exit found

Drops VBS files to the startup folder

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Sigma detected: WScript or CScript Dropper

Switches to a custom stack to bypass stack traces

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Abnormal high CPU Usage

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to download and launch executables

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to enumerate running services

Contains functionality to execute programs as a different user

Contains functionality to launch a control a shell (cmd.exe)

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sigma detected: Uncommon Svchost Parent Process

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara detected Keylogger Generic

Yara signature match

Classification

Process Tree

System is w10x64

OKkUGRkZV7.exe (PID: 7788 cmdline: "C:\Users\user\Desktop\OKkUGRkZV7.exe" MD5: F484F16874DDB071B45CB9F1FA8D0C56)

ambiparous.exe (PID: 7880 cmdline: "C:\Users\user\Desktop\OKkUGRkZV7.exe" MD5: F484F16874DDB071B45CB9F1FA8D0C56)

svchost.exe (PID: 7900 cmdline: "C:\Users\user\Desktop\OKkUGRkZV7.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

iexplore.exe (PID: 7920 cmdline: "c:\program files (x86)\internet explorer\iexplore.exe" MD5: 6F0F06D6AB125A99E43335427066A4A1)

wscript.exe (PID: 8060 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ambiparous.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

ambiparous.exe (PID: 8128 cmdline: "C:\Users\user\AppData\Local\lecheries\ambiparous.exe" MD5: F484F16874DDB071B45CB9F1FA8D0C56)

svchost.exe (PID: 8168 cmdline: "C:\Users\user\AppData\Local\lecheries\ambiparous.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/ https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware Configuration

Threatname: Remcos

{"Host:Port:Password": ["192.3.64.152:2559:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-ZFXG9Y", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\ProgramData\remcos\logs.dat	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000008.00000002.3786705466.0000000004EDE000.00000004.00000010.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000002.00000002.1398020611.0000000003600000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000002.00000002.1398020611.0000000003600000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000002.00000002.1398020611.0000000003600000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000002.00000002.1398020611.0000000003600000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aab8:$a1: Remcos restarted by watchdog! 0x6b030:$a3: %02i:%02i:%02i:%03i
00000002.00000002.1398020611.0000000003600000.00000004.00001000.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x64b0c:$str_a1: C:\Windows\System32\cmd.exe 0x64a88:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a88:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f88:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b7c:$str_b2: Executing file: 0x65bfc:$str_b3: GetDirectListeningPort 0x655a8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65728:$str_b7: \update.vbs 0x64ba4:$str_b9: Downloaded file: 0x64b90:$str_b10: Downloading file: 0x64c34:$str_b12: Failed to upload file: 0x65bc4:$str_b13: StartForward 0x65be4:$str_b14: StopForward 0x65680:$str_b15: fso.DeleteFile " 0x65614:$str_b16: On Error Resume Next 0x656b0:$str_b17: fso.DeleteFolder " 0x64c24:$str_b18: Uploaded file: 0x64be4:$str_b19: Unable to delete: 0x65648:$str_b20: while fso.FileExists(" 0x650c1:$str_c0: [Firefox StoredLogins not found]
00000002.00000002.1398020611.0000000003600000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649f8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6498c:$s1: CoGetObject 0x649a0:$s1: CoGetObject 0x649bc:$s1: CoGetObject 0x6e95e:$s1: CoGetObject 0x6494c:$s2: Elevation:Administrator!new:
00000008.00000002.3786396527.0000000003200000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000007.00000002.1537946128.00000000039E0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000007.00000002.1537946128.00000000039E0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000007.00000002.1537946128.00000000039E0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000007.00000002.1537946128.00000000039E0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aab8:$a1: Remcos restarted by watchdog! 0x6b030:$a3: %02i:%02i:%02i:%03i
00000007.00000002.1537946128.00000000039E0000.00000004.00001000.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x64b0c:$str_a1: C:\Windows\System32\cmd.exe 0x64a88:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a88:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f88:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b7c:$str_b2: Executing file: 0x65bfc:$str_b3: GetDirectListeningPort 0x655a8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65728:$str_b7: \update.vbs 0x64ba4:$str_b9: Downloaded file: 0x64b90:$str_b10: Downloading file: 0x64c34:$str_b12: Failed to upload file: 0x65bc4:$str_b13: StartForward 0x65be4:$str_b14: StopForward 0x65680:$str_b15: fso.DeleteFile " 0x65614:$str_b16: On Error Resume Next 0x656b0:$str_b17: fso.DeleteFolder " 0x64c24:$str_b18: Uploaded file: 0x64be4:$str_b19: Unable to delete: 0x65648:$str_b20: while fso.FileExists(" 0x650c1:$str_c0: [Firefox StoredLogins not found]
00000007.00000002.1537946128.00000000039E0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649f8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6498c:$s1: CoGetObject 0x649a0:$s1: CoGetObject 0x649bc:$s1: CoGetObject 0x6e95e:$s1: CoGetObject 0x6494c:$s2: Elevation:Administrator!new:
00000008.00000002.3785910612.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000008.00000002.3785910612.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000008.00000002.3785910612.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000008.00000002.3785910612.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c4b8:$a1: Remcos restarted by watchdog! 0x6ca30:$a3: %02i:%02i:%02i:%03i
00000008.00000002.3785910612.0000000000400000.00000040.80000000.00040000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x6650c:$str_a1: C:\Windows\System32\cmd.exe 0x66488:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66488:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66988:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x671b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6657c:$str_b2: Executing file: 0x675fc:$str_b3: GetDirectListeningPort 0x66fa8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67128:$str_b7: \update.vbs 0x665a4:$str_b9: Downloaded file: 0x66590:$str_b10: Downloading file: 0x66634:$str_b12: Failed to upload file: 0x675c4:$str_b13: StartForward 0x675e4:$str_b14: StopForward 0x67080:$str_b15: fso.DeleteFile " 0x67014:$str_b16: On Error Resume Next 0x670b0:$str_b17: fso.DeleteFolder " 0x66624:$str_b18: Uploaded file: 0x665e4:$str_b19: Unable to delete: 0x67048:$str_b20: while fso.FileExists(" 0x66ac1:$str_c0: [Firefox StoredLogins not found]
00000008.00000002.3785910612.0000000000400000.00000040.80000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x663f8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6638c:$s1: CoGetObject 0x663a0:$s1: CoGetObject 0x663bc:$s1: CoGetObject 0x7035e:$s1: CoGetObject 0x6634c:$s2: Elevation:Administrator!new:
00000008.00000002.3786431770.0000000003212000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000003.00000002.1395816177.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000003.00000002.1395816177.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000003.00000002.1395816177.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000003.00000002.1395816177.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c4b8:$a1: Remcos restarted by watchdog! 0x6ca30:$a3: %02i:%02i:%02i:%03i
00000003.00000002.1395816177.0000000000400000.00000040.80000000.00040000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x6650c:$str_a1: C:\Windows\System32\cmd.exe 0x66488:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66488:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66988:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x671b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6657c:$str_b2: Executing file: 0x675fc:$str_b3: GetDirectListeningPort 0x66fa8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67128:$str_b7: \update.vbs 0x665a4:$str_b9: Downloaded file: 0x66590:$str_b10: Downloading file: 0x66634:$str_b12: Failed to upload file: 0x675c4:$str_b13: StartForward 0x675e4:$str_b14: StopForward 0x67080:$str_b15: fso.DeleteFile " 0x67014:$str_b16: On Error Resume Next 0x670b0:$str_b17: fso.DeleteFolder " 0x66624:$str_b18: Uploaded file: 0x665e4:$str_b19: Unable to delete: 0x67048:$str_b20: while fso.FileExists(" 0x66ac1:$str_c0: [Firefox StoredLogins not found]
00000003.00000002.1395816177.0000000000400000.00000040.80000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x663f8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6638c:$s1: CoGetObject 0x663a0:$s1: CoGetObject 0x663bc:$s1: CoGetObject 0x7035e:$s1: CoGetObject 0x6634c:$s2: Elevation:Administrator!new:
Process Memory Space: ambiparous.exe PID: 7880	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: ambiparous.exe PID: 7880	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: ambiparous.exe PID: 7880	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: ambiparous.exe PID: 7880	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x16442b:$a1: Remcos restarted by watchdog! 0x164985:$a3: %02i:%02i:%02i:%03i 0x164db4:$a3: %02i:%02i:%02i:%03i
Process Memory Space: svchost.exe PID: 7900	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: svchost.exe PID: 7900	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: svchost.exe PID: 7900	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: svchost.exe PID: 7900	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x12e80:$a1: Remcos restarted by watchdog! 0x133da:$a3: %02i:%02i:%02i:%03i 0x13809:$a3: %02i:%02i:%02i:%03i
Process Memory Space: ambiparous.exe PID: 8128	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: ambiparous.exe PID: 8128	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: ambiparous.exe PID: 8128	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: ambiparous.exe PID: 8128	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x864f:$a1: Remcos restarted by watchdog! 0x8ba9:$a3: %02i:%02i:%02i:%03i 0x8fd8:$a3: %02i:%02i:%02i:%03i
Process Memory Space: svchost.exe PID: 8168	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: svchost.exe PID: 8168	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: svchost.exe PID: 8168	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: svchost.exe PID: 8168	Windows_Trojan_Remcos_b296e965	unknown	unknown	0xe059:$a1: Remcos restarted by watchdog! 0xe5b3:$a3: %02i:%02i:%02i:%03i 0xe9e2:$a3: %02i:%02i:%02i:%03i
Click to see the 38 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
3.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
3.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
3.2.svchost.exe.400000.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c4b8:$a1: Remcos restarted by watchdog! 0x6ca30:$a3: %02i:%02i:%02i:%03i
3.2.svchost.exe.400000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x6650c:$str_a1: C:\Windows\System32\cmd.exe 0x66488:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66488:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66988:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x671b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6657c:$str_b2: Executing file: 0x675fc:$str_b3: GetDirectListeningPort 0x66fa8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67128:$str_b7: \update.vbs 0x665a4:$str_b9: Downloaded file: 0x66590:$str_b10: Downloading file: 0x66634:$str_b12: Failed to upload file: 0x675c4:$str_b13: StartForward 0x675e4:$str_b14: StopForward 0x67080:$str_b15: fso.DeleteFile " 0x67014:$str_b16: On Error Resume Next 0x670b0:$str_b17: fso.DeleteFolder " 0x66624:$str_b18: Uploaded file: 0x665e4:$str_b19: Unable to delete: 0x67048:$str_b20: while fso.FileExists(" 0x66ac1:$str_c0: [Firefox StoredLogins not found]
3.2.svchost.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x663f8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6638c:$s1: CoGetObject 0x663a0:$s1: CoGetObject 0x663bc:$s1: CoGetObject 0x7035e:$s1: CoGetObject 0x6634c:$s2: Elevation:Administrator!new:
8.2.svchost.exe.400000.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
8.2.svchost.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
8.2.svchost.exe.400000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
8.2.svchost.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aab8:$a1: Remcos restarted by watchdog! 0x6b030:$a3: %02i:%02i:%02i:%03i
8.2.svchost.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x64b0c:$str_a1: C:\Windows\System32\cmd.exe 0x64a88:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a88:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f88:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b7c:$str_b2: Executing file: 0x65bfc:$str_b3: GetDirectListeningPort 0x655a8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65728:$str_b7: \update.vbs 0x64ba4:$str_b9: Downloaded file: 0x64b90:$str_b10: Downloading file: 0x64c34:$str_b12: Failed to upload file: 0x65bc4:$str_b13: StartForward 0x65be4:$str_b14: StopForward 0x65680:$str_b15: fso.DeleteFile " 0x65614:$str_b16: On Error Resume Next 0x656b0:$str_b17: fso.DeleteFolder " 0x64c24:$str_b18: Uploaded file: 0x64be4:$str_b19: Unable to delete: 0x65648:$str_b20: while fso.FileExists(" 0x650c1:$str_c0: [Firefox StoredLogins not found]
8.2.svchost.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649f8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6498c:$s1: CoGetObject 0x649a0:$s1: CoGetObject 0x649bc:$s1: CoGetObject 0x6e95e:$s1: CoGetObject 0x6494c:$s2: Elevation:Administrator!new:
8.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
8.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
8.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
8.2.svchost.exe.400000.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c4b8:$a1: Remcos restarted by watchdog! 0x6ca30:$a3: %02i:%02i:%02i:%03i
8.2.svchost.exe.400000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x6650c:$str_a1: C:\Windows\System32\cmd.exe 0x66488:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66488:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66988:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x671b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6657c:$str_b2: Executing file: 0x675fc:$str_b3: GetDirectListeningPort 0x66fa8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67128:$str_b7: \update.vbs 0x665a4:$str_b9: Downloaded file: 0x66590:$str_b10: Downloading file: 0x66634:$str_b12: Failed to upload file: 0x675c4:$str_b13: StartForward 0x675e4:$str_b14: StopForward 0x67080:$str_b15: fso.DeleteFile " 0x67014:$str_b16: On Error Resume Next 0x670b0:$str_b17: fso.DeleteFolder " 0x66624:$str_b18: Uploaded file: 0x665e4:$str_b19: Unable to delete: 0x67048:$str_b20: while fso.FileExists(" 0x66ac1:$str_c0: [Firefox StoredLogins not found]
8.2.svchost.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x663f8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6638c:$s1: CoGetObject 0x663a0:$s1: CoGetObject 0x663bc:$s1: CoGetObject 0x7035e:$s1: CoGetObject 0x6634c:$s2: Elevation:Administrator!new:
7.2.ambiparous.exe.39e0000.1.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
7.2.ambiparous.exe.39e0000.1.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
7.2.ambiparous.exe.39e0000.1.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
7.2.ambiparous.exe.39e0000.1.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x690b8:$a1: Remcos restarted by watchdog! 0x69630:$a3: %02i:%02i:%02i:%03i
7.2.ambiparous.exe.39e0000.1.unpack	REMCOS_RAT_variants	unknown	unknown	0x6310c:$str_a1: C:\Windows\System32\cmd.exe 0x63088:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63088:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63588:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x63db8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6317c:$str_b2: Executing file: 0x641fc:$str_b3: GetDirectListeningPort 0x63ba8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x63d28:$str_b7: \update.vbs 0x631a4:$str_b9: Downloaded file: 0x63190:$str_b10: Downloading file: 0x63234:$str_b12: Failed to upload file: 0x641c4:$str_b13: StartForward 0x641e4:$str_b14: StopForward 0x63c80:$str_b15: fso.DeleteFile " 0x63c14:$str_b16: On Error Resume Next 0x63cb0:$str_b17: fso.DeleteFolder " 0x63224:$str_b18: Uploaded file: 0x631e4:$str_b19: Unable to delete: 0x63c48:$str_b20: while fso.FileExists(" 0x636c1:$str_c0: [Firefox StoredLogins not found]
7.2.ambiparous.exe.39e0000.1.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x62ff8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x62f8c:$s1: CoGetObject 0x62fa0:$s1: CoGetObject 0x62fbc:$s1: CoGetObject 0x6cf5e:$s1: CoGetObject 0x62f4c:$s2: Elevation:Administrator!new:
7.2.ambiparous.exe.39e0000.1.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
7.2.ambiparous.exe.39e0000.1.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
7.2.ambiparous.exe.39e0000.1.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
7.2.ambiparous.exe.39e0000.1.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aab8:$a1: Remcos restarted by watchdog! 0x6b030:$a3: %02i:%02i:%02i:%03i
7.2.ambiparous.exe.39e0000.1.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x64b0c:$str_a1: C:\Windows\System32\cmd.exe 0x64a88:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a88:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f88:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b7c:$str_b2: Executing file: 0x65bfc:$str_b3: GetDirectListeningPort 0x655a8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65728:$str_b7: \update.vbs 0x64ba4:$str_b9: Downloaded file: 0x64b90:$str_b10: Downloading file: 0x64c34:$str_b12: Failed to upload file: 0x65bc4:$str_b13: StartForward 0x65be4:$str_b14: StopForward 0x65680:$str_b15: fso.DeleteFile " 0x65614:$str_b16: On Error Resume Next 0x656b0:$str_b17: fso.DeleteFolder " 0x64c24:$str_b18: Uploaded file: 0x64be4:$str_b19: Unable to delete: 0x65648:$str_b20: while fso.FileExists(" 0x650c1:$str_c0: [Firefox StoredLogins not found]
7.2.ambiparous.exe.39e0000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649f8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6498c:$s1: CoGetObject 0x649a0:$s1: CoGetObject 0x649bc:$s1: CoGetObject 0x6e95e:$s1: CoGetObject 0x6494c:$s2: Elevation:Administrator!new:
2.2.ambiparous.exe.3600000.1.raw.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
2.2.ambiparous.exe.3600000.1.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
2.2.ambiparous.exe.3600000.1.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
2.2.ambiparous.exe.3600000.1.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aab8:$a1: Remcos restarted by watchdog! 0x6b030:$a3: %02i:%02i:%02i:%03i
2.2.ambiparous.exe.3600000.1.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x64b0c:$str_a1: C:\Windows\System32\cmd.exe 0x64a88:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a88:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f88:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b7c:$str_b2: Executing file: 0x65bfc:$str_b3: GetDirectListeningPort 0x655a8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65728:$str_b7: \update.vbs 0x64ba4:$str_b9: Downloaded file: 0x64b90:$str_b10: Downloading file: 0x64c34:$str_b12: Failed to upload file: 0x65bc4:$str_b13: StartForward 0x65be4:$str_b14: StopForward 0x65680:$str_b15: fso.DeleteFile " 0x65614:$str_b16: On Error Resume Next 0x656b0:$str_b17: fso.DeleteFolder " 0x64c24:$str_b18: Uploaded file: 0x64be4:$str_b19: Unable to delete: 0x65648:$str_b20: while fso.FileExists(" 0x650c1:$str_c0: [Firefox StoredLogins not found]
2.2.ambiparous.exe.3600000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649f8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6498c:$s1: CoGetObject 0x649a0:$s1: CoGetObject 0x649bc:$s1: CoGetObject 0x6e95e:$s1: CoGetObject 0x6494c:$s2: Elevation:Administrator!new:
3.2.svchost.exe.400000.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
3.2.svchost.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
3.2.svchost.exe.400000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
3.2.svchost.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aab8:$a1: Remcos restarted by watchdog! 0x6b030:$a3: %02i:%02i:%02i:%03i
3.2.svchost.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x64b0c:$str_a1: C:\Windows\System32\cmd.exe 0x64a88:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a88:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f88:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b7c:$str_b2: Executing file: 0x65bfc:$str_b3: GetDirectListeningPort 0x655a8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65728:$str_b7: \update.vbs 0x64ba4:$str_b9: Downloaded file: 0x64b90:$str_b10: Downloading file: 0x64c34:$str_b12: Failed to upload file: 0x65bc4:$str_b13: StartForward 0x65be4:$str_b14: StopForward 0x65680:$str_b15: fso.DeleteFile " 0x65614:$str_b16: On Error Resume Next 0x656b0:$str_b17: fso.DeleteFolder " 0x64c24:$str_b18: Uploaded file: 0x64be4:$str_b19: Unable to delete: 0x65648:$str_b20: while fso.FileExists(" 0x650c1:$str_c0: [Firefox StoredLogins not found]
3.2.svchost.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649f8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6498c:$s1: CoGetObject 0x649a0:$s1: CoGetObject 0x649bc:$s1: CoGetObject 0x6e95e:$s1: CoGetObject 0x6494c:$s2: Elevation:Administrator!new:
2.2.ambiparous.exe.3600000.1.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
2.2.ambiparous.exe.3600000.1.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
2.2.ambiparous.exe.3600000.1.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
2.2.ambiparous.exe.3600000.1.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x690b8:$a1: Remcos restarted by watchdog! 0x69630:$a3: %02i:%02i:%02i:%03i
2.2.ambiparous.exe.3600000.1.unpack	REMCOS_RAT_variants	unknown	unknown	0x6310c:$str_a1: C:\Windows\System32\cmd.exe 0x63088:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63088:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63588:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x63db8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6317c:$str_b2: Executing file: 0x641fc:$str_b3: GetDirectListeningPort 0x63ba8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x63d28:$str_b7: \update.vbs 0x631a4:$str_b9: Downloaded file: 0x63190:$str_b10: Downloading file: 0x63234:$str_b12: Failed to upload file: 0x641c4:$str_b13: StartForward 0x641e4:$str_b14: StopForward 0x63c80:$str_b15: fso.DeleteFile " 0x63c14:$str_b16: On Error Resume Next 0x63cb0:$str_b17: fso.DeleteFolder " 0x63224:$str_b18: Uploaded file: 0x631e4:$str_b19: Unable to delete: 0x63c48:$str_b20: while fso.FileExists(" 0x636c1:$str_c0: [Firefox StoredLogins not found]
2.2.ambiparous.exe.3600000.1.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x62ff8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x62f8c:$s1: CoGetObject 0x62fa0:$s1: CoGetObject 0x62fbc:$s1: CoGetObject 0x6cf5e:$s1: CoGetObject 0x62f4c:$s2: Elevation:Administrator!new:
Click to see the 43 entries

Sigma Signatures

System Summary

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ambiparous.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ambiparous.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2592, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ambiparous.vbs" , ProcessId: 8060, ProcessName: wscript.exe

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\OKkUGRkZV7.exe", CommandLine: "C:\Users\user\Desktop\OKkUGRkZV7.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\OKkUGRkZV7.exe", ParentImage: C:\Users\user\AppData\Local\lecheries\ambiparous.exe, ParentProcessId: 7880, ParentProcessName: ambiparous.exe, ProcessCommandLine: "C:\Users\user\Desktop\OKkUGRkZV7.exe", ProcessId: 7900, ProcessName: svchost.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ambiparous.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ambiparous.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2592, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ambiparous.vbs" , ProcessId: 8060, ProcessName: wscript.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\OKkUGRkZV7.exe", CommandLine: "C:\Users\user\Desktop\OKkUGRkZV7.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\OKkUGRkZV7.exe", ParentImage: C:\Users\user\AppData\Local\lecheries\ambiparous.exe, ParentProcessId: 7880, ParentProcessName: ambiparous.exe, ProcessCommandLine: "C:\Users\user\Desktop\OKkUGRkZV7.exe", ProcessId: 7900, ProcessName: svchost.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\lecheries\ambiparous.exe, ProcessId: 7880, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ambiparous.vbs

Stealing of Sensitive Information

Sigma detected: Remcos

Source: Registry Key set

Author: Joe Security: Data: Details: 30 0F C2 2C CB 87 25 B5 69 01 22 00 77 48 42 83 92 4F 9F E5 99 5F D5 7C 8A D8 0F 42 5F 17 45 BF 49 A5 42 D4 38 96 AA F2 0E 1B 47 44 16 9A 49 78 80 FC 66 0B 6B 55 83 8F 77 20 D0 5B F9 67 8C ED , EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\svchost.exe, ProcessId: 7900, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-ZFXG9Y\exepath

Suricata Signatures

ET JA3 Hash - Remcos 3.x/4.x TLS Connection

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T00:06:38.629735+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.11	49984	192.3.64.152	2559	TCP
2025-01-11T00:07:26.497356+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.11	49857	192.3.64.152	2559	TCP
2025-01-11T00:07:48.884522+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.11	49974	192.3.64.152	2559	TCP
2025-01-11T00:08:11.264481+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.11	49976	192.3.64.152	2559	TCP
2025-01-11T00:08:33.670381+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.11	49977	192.3.64.152	2559	TCP
2025-01-11T00:08:56.062490+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.11	49978	192.3.64.152	2559	TCP
2025-01-11T00:09:18.468490+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.11	49979	192.3.64.152	2559	TCP
2025-01-11T00:09:40.871688+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.11	49980	192.3.64.152	2559	TCP
2025-01-11T00:10:03.252533+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.11	49981	192.3.64.152	2559	TCP
2025-01-11T00:10:25.676512+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.11	49982	192.3.64.152	2559	TCP
2025-01-11T00:10:48.918592+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.11	49983	192.3.64.152	2559	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000008.00000002.3786396527.0000000003200000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Remcos {"Host:Port:Password": ["192.3.64.152:2559:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-ZFXG9Y", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Virustotal: Detection: 61%			Perma Link

Multi AV Scanner detection for submitted file

Source: OKkUGRkZV7.exe	Virustotal: Detection: 61%			Perma Link
Source: OKkUGRkZV7.exe	ReversingLabs: Detection: 65%

Yara detected Remcos RAT

Source: Yara match	File source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.ambiparous.exe.39e0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.ambiparous.exe.39e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.ambiparous.exe.3600000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.ambiparous.exe.3600000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.3786705466.0000000004EDE000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1398020611.0000000003600000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3786396527.0000000003200000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1537946128.00000000039E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3785910612.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3786431770.0000000003212000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1395816177.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ambiparous.exe PID: 7880, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 7900, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ambiparous.exe PID: 8128, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 8168, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: OKkUGRkZV7.exe

Joe Sandbox ML: detected

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_004338C8 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,		3_2_004338C8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_004338C8 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,		8_2_004338C8

Source: ambiparous.exe, 00000002.00000002.1398020611.0000000003600000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_68015bc1-d

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.ambiparous.exe.39e0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.ambiparous.exe.39e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.ambiparous.exe.3600000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.ambiparous.exe.3600000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1398020611.0000000003600000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1537946128.00000000039E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3785910612.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1395816177.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ambiparous.exe PID: 7880, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 7900, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ambiparous.exe PID: 8128, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 8168, type: MEMORYSTR

Privilege Escalation

Contains functionality to bypass UAC (CMSTPLUA)

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00407538 _wcslen,CoGetObject,		3_2_00407538
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_00407538 _wcslen,CoGetObject,		8_2_00407538

Source: OKkUGRkZV7.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: wntdll.pdbUGP source: ambiparous.exe, 00000002.00000003.1388403621.0000000003B30000.00000004.00001000.00020000.00000000.sdmp, ambiparous.exe, 00000002.00000003.1390662543.0000000003CD0000.00000004.00001000.00020000.00000000.sdmp, ambiparous.exe, 00000007.00000003.1533944638.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, ambiparous.exe, 00000007.00000003.1535030253.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: ambiparous.exe, 00000002.00000003.1388403621.0000000003B30000.00000004.00001000.00020000.00000000.sdmp, ambiparous.exe, 00000002.00000003.1390662543.0000000003CD0000.00000004.00001000.00020000.00000000.sdmp, ambiparous.exe, 00000007.00000003.1533944638.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, ambiparous.exe, 00000007.00000003.1535030253.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: svchost.exe, 00000003.00000003.1392980933.0000000000821000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1397706009.00000000005A0000.00000040.10000000.00040000.00000000.sdmp, iexplore.exe, iexplore.exe, 00000004.00000002.1393803718.0000000002FD0000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: svchost.exe, 00000003.00000003.1392980933.0000000000821000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1397706009.00000000005A0000.00000040.10000000.00040000.00000000.sdmp, iexplore.exe, 00000004.00000002.1393803718.0000000002FD0000.00000040.80000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	Code function: 0_2_003A445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_003A445A
Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	Code function: 0_2_003AC6D1 FindFirstFileW,FindClose,	0_2_003AC6D1
Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	Code function: 0_2_003AC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_003AC75C
Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	Code function: 0_2_003AEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_003AEF95
Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	Code function: 0_2_003AF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_003AF0F2
Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	Code function: 0_2_003AF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_003AF3F3
Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	Code function: 0_2_003A37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_003A37EF
Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	Code function: 0_2_003A3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_003A3B12
Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	Code function: 0_2_003ABCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_003ABCBC
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Code function: 2_2_00B5445A GetFileAttributesW,FindFirstFileW,FindClose,	2_2_00B5445A
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Code function: 2_2_00B5C6D1 FindFirstFileW,FindClose,	2_2_00B5C6D1
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Code function: 2_2_00B5C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	2_2_00B5C75C
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Code function: 2_2_00B5EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_00B5EF95
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Code function: 2_2_00B5F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_00B5F0F2
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Code function: 2_2_00B5F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	2_2_00B5F3F3
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Code function: 2_2_00B537EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_00B537EF
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Code function: 2_2_00B53B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_00B53B12
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Code function: 2_2_00B5BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	2_2_00B5BCBC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	3_2_0040928E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	3_2_0041C322
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	3_2_0040C388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	3_2_004096A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	3_2_00408847
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00407877 FindFirstFileW,FindNextFileW,	3_2_00407877
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0044E8F9 FindFirstFileExA,	3_2_0044E8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	3_2_0040BB6B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,	3_2_00419B86
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	3_2_0040BD72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	8_2_0040928E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	8_2_0041C322
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	8_2_0040C388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	8_2_004096A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	8_2_00408847
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_00407877 FindFirstFileW,FindNextFileW,	8_2_00407877
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0044E8F9 FindFirstFileExA,	8_2_0044E8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	8_2_0040BB6B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,	8_2_00419B86
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	8_2_0040BD72

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 3_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

3_2_00407CD2

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.11:49857 -> 192.3.64.152:2559
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.11:49977 -> 192.3.64.152:2559
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.11:49979 -> 192.3.64.152:2559
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.11:49982 -> 192.3.64.152:2559
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.11:49976 -> 192.3.64.152:2559
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.11:49978 -> 192.3.64.152:2559
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.11:49974 -> 192.3.64.152:2559
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.11:49980 -> 192.3.64.152:2559
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.11:49983 -> 192.3.64.152:2559
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.11:49981 -> 192.3.64.152:2559
Source: Network traffic	Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.11:49984 -> 192.3.64.152:2559

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\svchost.exe

Network Connect: 192.3.64.152 2559

Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

IPs: 192.3.64.152

Source: Joe Sandbox View

IP Address: 192.3.64.152 192.3.64.152

Source: Joe Sandbox View

ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS

Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.64.152
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.64.152
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.64.152
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.64.152
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.64.152
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.64.152
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.64.152
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.64.152
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.64.152
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.64.152
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.64.152
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.64.152
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.64.152
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.64.152
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.64.152
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.64.152
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.64.152
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.64.152
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.64.152
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.64.152
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.64.152
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.64.152
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.64.152
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.64.152
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.64.152
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.64.152
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.64.152
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.64.152
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.64.152
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.64.152
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.64.152
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.64.152
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.64.152
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.64.152
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.64.152
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.64.152
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.64.152
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.64.152
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.64.152
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.64.152
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.64.152
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.64.152
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.64.152
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.64.152
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.64.152
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.64.152
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.64.152
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.64.152
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.64.152
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.64.152

Source: C:\Users\user\Desktop\OKkUGRkZV7.exe

Code function: 0_2_003B22EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_003B22EE

Source: svchost.exe	String found in binary or memory: http://geoplugin.net/json.gp
Source: ambiparous.exe, 00000002.00000002.1398020611.0000000003600000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1395816177.0000000000400000.00000040.80000000.00040000.00000000.sdmp, ambiparous.exe, 00000007.00000002.1537946128.00000000039E0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3785910612.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp/C

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 3_2_0040A2F3 SetWindowsHookExA 0000000D,0040A2DF,00000000

3_2_0040A2F3

Installs a global keyboard hook

Source: C:\Windows\SysWOW64\svchost.exe

Windows user hook set: 0 keyboard low level C:\Windows\SysWOW64\svchost.exe

Jump to behavior

Source: C:\Users\user\Desktop\OKkUGRkZV7.exe

Code function: 0_2_003B4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_003B4164

Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	Code function: 0_2_003B4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,	0_2_003B4164
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Code function: 2_2_00B64164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,	2_2_00B64164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_004168FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,	3_2_004168FC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_004168FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,	8_2_004168FC

Source: C:\Users\user\Desktop\OKkUGRkZV7.exe

Code function: 0_2_003B3F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_003B3F66

Source: C:\Users\user\Desktop\OKkUGRkZV7.exe

Code function: 0_2_003A001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_003A001C

Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	Code function: 0_2_003CCABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		0_2_003CCABC
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Code function: 2_2_00B7CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		2_2_00B7CABC

Source: Yara match	File source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.ambiparous.exe.39e0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.ambiparous.exe.39e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.ambiparous.exe.3600000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.ambiparous.exe.3600000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1398020611.0000000003600000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1537946128.00000000039E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3785910612.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1395816177.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ambiparous.exe PID: 7880, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 7900, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ambiparous.exe PID: 8128, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 8168, type: MEMORYSTR

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.ambiparous.exe.39e0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.ambiparous.exe.39e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.ambiparous.exe.3600000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.ambiparous.exe.3600000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.3786705466.0000000004EDE000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1398020611.0000000003600000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3786396527.0000000003200000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1537946128.00000000039E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3785910612.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3786431770.0000000003212000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1395816177.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ambiparous.exe PID: 7880, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 7900, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ambiparous.exe PID: 8128, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 8168, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

Spam, unwanted Advertisements and Ransom Demands

Contains functionalty to change the wallpaper

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0041CA73 SystemParametersInfoW,		3_2_0041CA73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0041CA73 SystemParametersInfoW,		8_2_0041CA73

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 8.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 8.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 8.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 8.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 8.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 8.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 7.2.ambiparous.exe.39e0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 7.2.ambiparous.exe.39e0000.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 7.2.ambiparous.exe.39e0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 7.2.ambiparous.exe.39e0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 7.2.ambiparous.exe.39e0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 7.2.ambiparous.exe.39e0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 2.2.ambiparous.exe.3600000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 2.2.ambiparous.exe.3600000.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 2.2.ambiparous.exe.3600000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 2.2.ambiparous.exe.3600000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 2.2.ambiparous.exe.3600000.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 2.2.ambiparous.exe.3600000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000002.00000002.1398020611.0000000003600000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000002.00000002.1398020611.0000000003600000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000002.00000002.1398020611.0000000003600000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000007.00000002.1537946128.00000000039E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000007.00000002.1537946128.00000000039E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000007.00000002.1537946128.00000000039E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000008.00000002.3785910612.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000008.00000002.3785910612.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000008.00000002.3785910612.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000003.00000002.1395816177.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000003.00000002.1395816177.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000003.00000002.1395816177.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: Process Memory Space: ambiparous.exe PID: 7880, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: svchost.exe PID: 7900, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: ambiparous.exe PID: 8128, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: svchost.exe PID: 8168, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00343B3A
Source: OKkUGRkZV7.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: OKkUGRkZV7.exe, 00000000.00000003.1354253807.0000000003F03000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_0038f306-f
Source: OKkUGRkZV7.exe, 00000000.00000003.1354253807.0000000003F03000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_04113fad-b
Source: OKkUGRkZV7.exe, 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_c5e7771d-c
Source: OKkUGRkZV7.exe, 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_477a71c8-f
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Code function: This is a third-party compiled AutoIt script.	2_2_00AF3B3A
Source: ambiparous.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: ambiparous.exe, 00000002.00000000.1354777001.0000000000BA4000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_4e3926b0-c
Source: ambiparous.exe, 00000002.00000000.1354777001.0000000000BA4000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_5c467cf6-8
Source: ambiparous.exe, 00000007.00000002.1536966033.0000000000BA4000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_6a610fee-f
Source: ambiparous.exe, 00000007.00000002.1536966033.0000000000BA4000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_6a189d7e-6
Source: OKkUGRkZV7.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_4e0972f8-d
Source: OKkUGRkZV7.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_87205f43-7
Source: ambiparous.exe.0.dr	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_8c376ad4-3
Source: ambiparous.exe.0.dr	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_beb5ec92-7

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Process Stats: CPU usage > 49%

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0041812A GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError,	3_2_0041812A
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 4_2_02FD3360 ExitProcess,NtSetInformationProcess,SetErrorMode,	4_2_02FD3360
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 4_2_02FD33C0 NtSetInformationProcess,SetErrorMode,	4_2_02FD33C0

Source: C:\Users\user\Desktop\OKkUGRkZV7.exe

Code function: 0_2_003AA1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_003AA1EF

Source: C:\Users\user\Desktop\OKkUGRkZV7.exe

Code function: 0_2_00398310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00398310

Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	Code function: 0_2_003A51BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,	0_2_003A51BD
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Code function: 2_2_00B551BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,	2_2_00B551BD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_004167EF ExitWindowsEx,LoadLibraryA,GetProcAddress,	3_2_004167EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_004167EF ExitWindowsEx,LoadLibraryA,GetProcAddress,	8_2_004167EF

Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	Code function: 0_2_0034E6A0	0_2_0034E6A0
Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	Code function: 0_2_0036D975	0_2_0036D975
Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	Code function: 0_2_0034FCE0	0_2_0034FCE0
Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	Code function: 0_2_003621C5	0_2_003621C5
Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	Code function: 0_2_003762D2	0_2_003762D2
Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	Code function: 0_2_003C03DA	0_2_003C03DA
Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	Code function: 0_2_0037242E	0_2_0037242E
Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	Code function: 0_2_003625FA	0_2_003625FA
Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	Code function: 0_2_0039E616	0_2_0039E616
Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	Code function: 0_2_003566E1	0_2_003566E1
Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	Code function: 0_2_0037878F	0_2_0037878F
Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	Code function: 0_2_00358808	0_2_00358808
Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	Code function: 0_2_003C0857	0_2_003C0857
Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	Code function: 0_2_00376844	0_2_00376844
Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	Code function: 0_2_003A8889	0_2_003A8889
Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	Code function: 0_2_0036CB21	0_2_0036CB21
Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	Code function: 0_2_00376DB6	0_2_00376DB6
Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	Code function: 0_2_00356F9E	0_2_00356F9E
Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	Code function: 0_2_00353030	0_2_00353030
Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	Code function: 0_2_00363187	0_2_00363187
Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	Code function: 0_2_0036F1D9	0_2_0036F1D9
Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	Code function: 0_2_00341287	0_2_00341287
Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	Code function: 0_2_00361484	0_2_00361484
Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	Code function: 0_2_00355520	0_2_00355520
Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	Code function: 0_2_00367696	0_2_00367696
Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	Code function: 0_2_00355760	0_2_00355760
Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	Code function: 0_2_00361978	0_2_00361978
Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	Code function: 0_2_00379AB5	0_2_00379AB5
Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	Code function: 0_2_0036BDA6	0_2_0036BDA6
Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	Code function: 0_2_00361D90	0_2_00361D90
Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	Code function: 0_2_003C7DDB	0_2_003C7DDB
Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	Code function: 0_2_0034DF00	0_2_0034DF00
Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	Code function: 0_2_00353FE0	0_2_00353FE0
Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	Code function: 0_2_01697680	0_2_01697680
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Code function: 2_2_00AFE6A0	2_2_00AFE6A0
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Code function: 2_2_00B1D975	2_2_00B1D975
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Code function: 2_2_00AFFCE0	2_2_00AFFCE0
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Code function: 2_2_00B121C5	2_2_00B121C5
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Code function: 2_2_00B262D2	2_2_00B262D2
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Code function: 2_2_00B703DA	2_2_00B703DA
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Code function: 2_2_00B2242E	2_2_00B2242E
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Code function: 2_2_00B125FA	2_2_00B125FA
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Code function: 2_2_00B066E1	2_2_00B066E1
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Code function: 2_2_00B4E616	2_2_00B4E616
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Code function: 2_2_00B2878F	2_2_00B2878F
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Code function: 2_2_00B58889	2_2_00B58889
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Code function: 2_2_00B08808	2_2_00B08808
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Code function: 2_2_00B70857	2_2_00B70857
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Code function: 2_2_00B26844	2_2_00B26844
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Code function: 2_2_00B1CB21	2_2_00B1CB21
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Code function: 2_2_00B26DB6	2_2_00B26DB6
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Code function: 2_2_00B06F9E	2_2_00B06F9E
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Code function: 2_2_00B03030	2_2_00B03030
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Code function: 2_2_00B13187	2_2_00B13187
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Code function: 2_2_00B1F1D9	2_2_00B1F1D9
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Code function: 2_2_00AF1287	2_2_00AF1287
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Code function: 2_2_00B11484	2_2_00B11484
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Code function: 2_2_00B05520	2_2_00B05520
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Code function: 2_2_00B17696	2_2_00B17696
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Code function: 2_2_00B05760	2_2_00B05760
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Code function: 2_2_00B11978	2_2_00B11978
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Code function: 2_2_00B29AB5	2_2_00B29AB5
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Code function: 2_2_00B1BDA6	2_2_00B1BDA6
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Code function: 2_2_00B11D90	2_2_00B11D90
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Code function: 2_2_00B77DDB	2_2_00B77DDB
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Code function: 2_2_00B03FE0	2_2_00B03FE0
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Code function: 2_2_00AFDF00	2_2_00AFDF00
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Code function: 2_2_01188928	2_2_01188928
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0043706A	3_2_0043706A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00414005	3_2_00414005
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0043E11C	3_2_0043E11C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_004541D9	3_2_004541D9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_004381E8	3_2_004381E8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0041F18B	3_2_0041F18B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00446270	3_2_00446270
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0043E34B	3_2_0043E34B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_004533AB	3_2_004533AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0042742E	3_2_0042742E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00437566	3_2_00437566
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0043E5A8	3_2_0043E5A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_004387F0	3_2_004387F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0043797E	3_2_0043797E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_004339D7	3_2_004339D7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0044DA49	3_2_0044DA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00427AD7	3_2_00427AD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0041DBF3	3_2_0041DBF3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00427C40	3_2_00427C40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00437DB3	3_2_00437DB3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00435EEB	3_2_00435EEB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0043DEED	3_2_0043DEED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00426E9F	3_2_00426E9F
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 4_2_02FD2720	4_2_02FD2720
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Code function: 7_2_012BA270	7_2_012BA270
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0043706A	8_2_0043706A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_00414005	8_2_00414005
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0043E11C	8_2_0043E11C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_004541D9	8_2_004541D9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_004381E8	8_2_004381E8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0041F18B	8_2_0041F18B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_00446270	8_2_00446270
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0043E34B	8_2_0043E34B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_004533AB	8_2_004533AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0042742E	8_2_0042742E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_00437566	8_2_00437566
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0043E5A8	8_2_0043E5A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_004387F0	8_2_004387F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0043797E	8_2_0043797E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_004339D7	8_2_004339D7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0044DA49	8_2_0044DA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_00427AD7	8_2_00427AD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0041DBF3	8_2_0041DBF3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_00427C40	8_2_00427C40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_00437DB3	8_2_00437DB3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_00435EEB	8_2_00435EEB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0043DEED	8_2_0043DEED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_00426E9F	8_2_00426E9F

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 00402213 appears 38 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 004052FD appears 32 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0040417E appears 46 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 00402093 appears 100 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 00401E65 appears 68 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 00434E70 appears 108 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 00401FAB appears 38 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 004020DF appears 40 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 00434801 appears 82 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 00457AA8 appears 34 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 00445951 appears 56 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0044854A appears 36 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 00411FA2 appears 32 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 004046F7 appears 34 times
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Code function: String function: 00AF7DE1 appears 36 times
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Code function: String function: 00B18900 appears 42 times
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Code function: String function: 00B10AE3 appears 70 times
Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	Code function: String function: 00360AE3 appears 70 times
Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	Code function: String function: 00347DE1 appears 35 times
Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	Code function: String function: 00368900 appears 42 times

Source: OKkUGRkZV7.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 8.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 8.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 8.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 8.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 7.2.ambiparous.exe.39e0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 7.2.ambiparous.exe.39e0000.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 7.2.ambiparous.exe.39e0000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 7.2.ambiparous.exe.39e0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 7.2.ambiparous.exe.39e0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 7.2.ambiparous.exe.39e0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 2.2.ambiparous.exe.3600000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 2.2.ambiparous.exe.3600000.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 2.2.ambiparous.exe.3600000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 2.2.ambiparous.exe.3600000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 2.2.ambiparous.exe.3600000.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 2.2.ambiparous.exe.3600000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000002.00000002.1398020611.0000000003600000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000002.00000002.1398020611.0000000003600000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000002.00000002.1398020611.0000000003600000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000007.00000002.1537946128.00000000039E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000007.00000002.1537946128.00000000039E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000007.00000002.1537946128.00000000039E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000008.00000002.3785910612.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000008.00000002.3785910612.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000008.00000002.3785910612.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000003.00000002.1395816177.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000003.00000002.1395816177.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000003.00000002.1395816177.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: Process Memory Space: ambiparous.exe PID: 7880, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: svchost.exe PID: 7900, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: ambiparous.exe PID: 8128, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: svchost.exe PID: 8168, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@12/7@0/1

Source: C:\Users\user\Desktop\OKkUGRkZV7.exe

Code function: 0_2_003AA06A GetLastError,FormatMessageW,

0_2_003AA06A

Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	Code function: 0_2_003981CB AdjustTokenPrivileges,CloseHandle,	0_2_003981CB
Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	Code function: 0_2_003987E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	0_2_003987E1
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Code function: 2_2_00B481CB AdjustTokenPrivileges,CloseHandle,	2_2_00B481CB
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Code function: 2_2_00B487E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	2_2_00B487E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0041798D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,	3_2_0041798D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0041798D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,	8_2_0041798D

Source: C:\Users\user\Desktop\OKkUGRkZV7.exe

Code function: 0_2_003AB333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_003AB333

Source: C:\Users\user\Desktop\OKkUGRkZV7.exe

Code function: 0_2_003BEE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_003BEE0D

Source: C:\Users\user\Desktop\OKkUGRkZV7.exe

Code function: 0_2_003B83BB CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

0_2_003B83BB

Source: C:\Users\user\Desktop\OKkUGRkZV7.exe

Code function: 0_2_00344E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00344E89

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 3_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

3_2_0041AADB

Source: C:\Users\user\Desktop\OKkUGRkZV7.exe

File created: C:\Users\user\AppData\Local\lecheries

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Rmc-ZFXG9Y

Source: C:\Users\user\Desktop\OKkUGRkZV7.exe

File created: C:\Users\user\AppData\Local\Temp\autC2A3.tmp

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ambiparous.vbs"

Source: OKkUGRkZV7.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\OKkUGRkZV7.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: OKkUGRkZV7.exe	Virustotal: Detection: 61%
Source: OKkUGRkZV7.exe	ReversingLabs: Detection: 65%

Source: C:\Users\user\Desktop\OKkUGRkZV7.exe

File read: C:\Users\user\Desktop\OKkUGRkZV7.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\OKkUGRkZV7.exe "C:\Users\user\Desktop\OKkUGRkZV7.exe"
Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	Process created: C:\Users\user\AppData\Local\lecheries\ambiparous.exe "C:\Users\user\Desktop\OKkUGRkZV7.exe"
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\OKkUGRkZV7.exe"
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "c:\program files (x86)\internet explorer\iexplore.exe"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ambiparous.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\lecheries\ambiparous.exe "C:\Users\user\AppData\Local\lecheries\ambiparous.exe"
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\lecheries\ambiparous.exe"
Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	Process created: C:\Users\user\AppData\Local\lecheries\ambiparous.exe "C:\Users\user\Desktop\OKkUGRkZV7.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\OKkUGRkZV7.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "c:\program files (x86)\internet explorer\iexplore.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\lecheries\ambiparous.exe "C:\Users\user\AppData\Local\lecheries\ambiparous.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\lecheries\ambiparous.exe"	Jump to behavior

Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: OKkUGRkZV7.exe

Static file information: File size 1323520 > 1048576

Source: OKkUGRkZV7.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: OKkUGRkZV7.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: OKkUGRkZV7.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: OKkUGRkZV7.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: OKkUGRkZV7.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: OKkUGRkZV7.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: OKkUGRkZV7.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: ambiparous.exe, 00000002.00000003.1388403621.0000000003B30000.00000004.00001000.00020000.00000000.sdmp, ambiparous.exe, 00000002.00000003.1390662543.0000000003CD0000.00000004.00001000.00020000.00000000.sdmp, ambiparous.exe, 00000007.00000003.1533944638.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, ambiparous.exe, 00000007.00000003.1535030253.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: ambiparous.exe, 00000002.00000003.1388403621.0000000003B30000.00000004.00001000.00020000.00000000.sdmp, ambiparous.exe, 00000002.00000003.1390662543.0000000003CD0000.00000004.00001000.00020000.00000000.sdmp, ambiparous.exe, 00000007.00000003.1533944638.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, ambiparous.exe, 00000007.00000003.1535030253.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: svchost.exe, 00000003.00000003.1392980933.0000000000821000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1397706009.00000000005A0000.00000040.10000000.00040000.00000000.sdmp, iexplore.exe, iexplore.exe, 00000004.00000002.1393803718.0000000002FD0000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: svchost.exe, 00000003.00000003.1392980933.0000000000821000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1397706009.00000000005A0000.00000040.10000000.00040000.00000000.sdmp, iexplore.exe, 00000004.00000002.1393803718.0000000002FD0000.00000040.80000000.00040000.00000000.sdmp

Source: OKkUGRkZV7.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: OKkUGRkZV7.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: OKkUGRkZV7.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: OKkUGRkZV7.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: OKkUGRkZV7.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\OKkUGRkZV7.exe

Code function: 0_2_00344B37 LoadLibraryA,GetProcAddress,

0_2_00344B37

Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	Code function: 0_2_0034C4C6 push A30034BAh; retn 0034h	0_2_0034C50D
Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	Code function: 0_2_00368945 push ecx; ret	0_2_00368958
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Code function: 2_2_00B18945 push ecx; ret	2_2_00B18958
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00457186 push ecx; ret	3_2_00457199
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0045E55D push esi; ret	3_2_0045E566
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00457AA8 push eax; ret	3_2_00457AC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00434EB6 push ecx; ret	3_2_00434EC9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_00457186 push ecx; ret	8_2_00457199
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0045E55D push esi; ret	8_2_0045E566
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_00457AA8 push eax; ret	8_2_00457AC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_00434EB6 push ecx; ret	8_2_00434EC9

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 3_2_00406EEB ShellExecuteW,URLDownloadToFileW,

3_2_00406EEB

Source: C:\Users\user\Desktop\OKkUGRkZV7.exe

File created: C:\Users\user\AppData\Local\lecheries\ambiparous.exe

Jump to dropped file

Boot Survival

Drops VBS files to the startup folder

Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ambiparous.vbs

Jump to dropped file

Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ambiparous.vbs

Jump to behavior

Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ambiparous.vbs

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 3_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

3_2_0041AADB

Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	Code function: 0_2_003448D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	0_2_003448D7
Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	Code function: 0_2_003C5376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	0_2_003C5376
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Code function: 2_2_00AF48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	2_2_00AF48D7
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Code function: 2_2_00B75376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	2_2_00B75376

Source: C:\Users\user\Desktop\OKkUGRkZV7.exe

Code function: 0_2_00363187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00363187

Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Delayed program exit found

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0040F7E2 Sleep,ExitProcess,		3_2_0040F7E2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0040F7E2 Sleep,ExitProcess,		8_2_0040F7E2

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	API/Special instruction interceptor: Address: 118854C
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	API/Special instruction interceptor: Address: 12B9E94

Source: C:\Windows\SysWOW64\svchost.exe	Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,		3_2_0041A7D9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,		8_2_0041A7D9

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Window / User API: threadDelayed 3078	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Window / User API: threadDelayed 6426	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Window / User API: foregroundWindowGot 1752	Jump to behavior

Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	API coverage: 4.5 %
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	API coverage: 4.8 %

Source: C:\Windows\SysWOW64\svchost.exe TID: 2636	Thread sleep count: 194 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 2636	Thread sleep time: -97000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7172	Thread sleep count: 3078 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7172	Thread sleep time: -9234000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7172	Thread sleep count: 6426 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7172	Thread sleep time: -19278000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	Code function: 0_2_003A445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_003A445A
Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	Code function: 0_2_003AC6D1 FindFirstFileW,FindClose,	0_2_003AC6D1
Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	Code function: 0_2_003AC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_003AC75C
Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	Code function: 0_2_003AEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_003AEF95
Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	Code function: 0_2_003AF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_003AF0F2
Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	Code function: 0_2_003AF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_003AF3F3
Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	Code function: 0_2_003A37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_003A37EF
Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	Code function: 0_2_003A3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_003A3B12
Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	Code function: 0_2_003ABCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_003ABCBC
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Code function: 2_2_00B5445A GetFileAttributesW,FindFirstFileW,FindClose,	2_2_00B5445A
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Code function: 2_2_00B5C6D1 FindFirstFileW,FindClose,	2_2_00B5C6D1
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Code function: 2_2_00B5C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	2_2_00B5C75C
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Code function: 2_2_00B5EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_00B5EF95
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Code function: 2_2_00B5F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_00B5F0F2
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Code function: 2_2_00B5F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	2_2_00B5F3F3
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Code function: 2_2_00B537EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_00B537EF
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Code function: 2_2_00B53B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_00B53B12
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Code function: 2_2_00B5BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	2_2_00B5BCBC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	3_2_0040928E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	3_2_0041C322
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	3_2_0040C388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	3_2_004096A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	3_2_00408847
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00407877 FindFirstFileW,FindNextFileW,	3_2_00407877
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0044E8F9 FindFirstFileExA,	3_2_0044E8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	3_2_0040BB6B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,	3_2_00419B86
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	3_2_0040BD72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	8_2_0040928E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	8_2_0041C322
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	8_2_0040C388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	8_2_004096A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	8_2_00408847
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_00407877 FindFirstFileW,FindNextFileW,	8_2_00407877
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0044E8F9 FindFirstFileExA,	8_2_0044E8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	8_2_0040BB6B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,	8_2_00419B86
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	8_2_0040BD72

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 3_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

3_2_00407CD2

Source: C:\Users\user\Desktop\OKkUGRkZV7.exe

Code function: 0_2_003449A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_003449A0

Source: OKkUGRkZV7.exe, 00000000.00000003.1318805540.000000000174F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmwareworkstation.exe{1u
Source: ambiparous.exe, 00000002.00000003.1355847915.00000000011FB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmwareworkstation.exe@
Source: svchost.exe, 00000008.00000002.3786431770.0000000003212000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllF
Source: ambiparous.exe, 00000007.00000002.1537726676.000000000136F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmwareworkstation.exe

Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	API call chain: ExitProcess graph end node			graph_0-101179
Source: C:\Windows\SysWOW64\svchost.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\OKkUGRkZV7.exe

Code function: 0_2_003B3F09 BlockInput,

0_2_003B3F09

Source: C:\Users\user\Desktop\OKkUGRkZV7.exe

Code function: 0_2_00343B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00343B3A

Source: C:\Users\user\Desktop\OKkUGRkZV7.exe

Code function: 0_2_00375A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00375A7C

Source: C:\Users\user\Desktop\OKkUGRkZV7.exe

Code function: 0_2_00344B37 LoadLibraryA,GetProcAddress,

0_2_00344B37

Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	Code function: 0_2_01697570 mov eax, dword ptr fs:[00000030h]	0_2_01697570
Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	Code function: 0_2_01697510 mov eax, dword ptr fs:[00000030h]	0_2_01697510
Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	Code function: 0_2_01695ED0 mov eax, dword ptr fs:[00000030h]	0_2_01695ED0
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Code function: 2_2_01187178 mov eax, dword ptr fs:[00000030h]	2_2_01187178
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Code function: 2_2_011887B8 mov eax, dword ptr fs:[00000030h]	2_2_011887B8
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Code function: 2_2_01188818 mov eax, dword ptr fs:[00000030h]	2_2_01188818
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00443355 mov eax, dword ptr fs:[00000030h]	3_2_00443355
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 4_2_02FD3060 mov eax, dword ptr fs:[00000030h]	4_2_02FD3060
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 4_2_02FD3060 mov eax, dword ptr fs:[00000030h]	4_2_02FD3060
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 4_2_02FD3060 mov eax, dword ptr fs:[00000030h]	4_2_02FD3060
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 4_2_02FD3060 mov eax, dword ptr fs:[00000030h]	4_2_02FD3060
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 4_2_02FD3540 mov eax, dword ptr fs:[00000030h]	4_2_02FD3540
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 4_2_02FD3540 mov eax, dword ptr fs:[00000030h]	4_2_02FD3540
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 4_2_02FD3540 mov eax, dword ptr fs:[00000030h]	4_2_02FD3540
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 4_2_02FD56A0 mov eax, dword ptr fs:[00000030h]	4_2_02FD56A0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 4_2_02FD56A0 mov ecx, dword ptr fs:[00000030h]	4_2_02FD56A0
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 4_2_02FD4610 mov eax, dword ptr fs:[00000030h]	4_2_02FD4610
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 4_2_02FD4610 mov eax, dword ptr fs:[00000030h]	4_2_02FD4610
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 4_2_02FD4610 mov eax, dword ptr fs:[00000030h]	4_2_02FD4610
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 4_2_02FD4610 mov eax, dword ptr fs:[00000030h]	4_2_02FD4610
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 4_2_02FD4410 mov eax, dword ptr fs:[00000030h]	4_2_02FD4410
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Code function: 4_2_02FD4410 mov eax, dword ptr fs:[00000030h]	4_2_02FD4410
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Code function: 7_2_012BA100 mov eax, dword ptr fs:[00000030h]	7_2_012BA100
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Code function: 7_2_012BA160 mov eax, dword ptr fs:[00000030h]	7_2_012BA160
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Code function: 7_2_012B8AC0 mov eax, dword ptr fs:[00000030h]	7_2_012B8AC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_00443355 mov eax, dword ptr fs:[00000030h]	8_2_00443355

Source: C:\Users\user\Desktop\OKkUGRkZV7.exe

Code function: 0_2_003980A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,

0_2_003980A9

Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	Code function: 0_2_0036A124 SetUnhandledExceptionFilter,	0_2_0036A124
Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	Code function: 0_2_0036A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0036A155
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Code function: 2_2_00B1A124 SetUnhandledExceptionFilter,	2_2_00B1A124
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Code function: 2_2_00B1A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00B1A155
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0043503C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_0043503C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00434A8A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0043BB71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_0043BB71
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00434BD8 SetUnhandledExceptionFilter,	3_2_00434BD8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0043503C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_0043503C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_00434A8A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_0043BB71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_0043BB71
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 8_2_00434BD8 SetUnhandledExceptionFilter,	8_2_00434BD8

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\svchost.exe

Network Connect: 192.3.64.152 2559

Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 3_2_0041812A GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError,

3_2_0041812A

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\Internet Explorer\iexplore.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Memory written: C:\Windows\SysWOW64\svchost.exe base: 2F7008	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Memory written: C:\Program Files (x86)\Internet Explorer\iexplore.exe base: 30F0008	Jump to behavior
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Memory written: C:\Windows\SysWOW64\svchost.exe base: 2E6A008	Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe		3_2_00412132
Source: C:\Windows\SysWOW64\svchost.exe	Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe		8_2_00412132

Source: C:\Users\user\Desktop\OKkUGRkZV7.exe

Code function: 0_2_003987B1 LogonUserW,

0_2_003987B1

Source: C:\Users\user\Desktop\OKkUGRkZV7.exe

Code function: 0_2_00343B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00343B3A

Source: C:\Users\user\Desktop\OKkUGRkZV7.exe

Code function: 0_2_003448D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_003448D7

Source: C:\Users\user\Desktop\OKkUGRkZV7.exe

Code function: 0_2_003A4C27 mouse_event,

0_2_003A4C27

Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\OKkUGRkZV7.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "c:\program files (x86)\internet explorer\iexplore.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\lecheries\ambiparous.exe "C:\Users\user\AppData\Local\lecheries\ambiparous.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\lecheries\ambiparous.exe"	Jump to behavior

Source: C:\Users\user\Desktop\OKkUGRkZV7.exe

Code function: 0_2_00397CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00397CAF

Source: C:\Users\user\Desktop\OKkUGRkZV7.exe

Code function: 0_2_0039874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_0039874B

Source: OKkUGRkZV7.exe, ambiparous.exe.0.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: svchost.exe, 00000008.00000002.3786536893.0000000003236000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3786431770.0000000003212000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager9Y\
Source: OKkUGRkZV7.exe, ambiparous.exe	Binary or memory string: Shell_TrayWnd
Source: svchost.exe, 00000008.00000002.3786536893.0000000003236000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerP
Source: svchost.exe, 00000008.00000002.3786536893.0000000003236000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerProgram Manager9Y\
Source: svchost.exe, 00000008.00000002.3786431770.0000000003212000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PROCESSOR_REVISION=8f08Program Manager9Y\
Source: svchost.exe, 00000008.00000002.3786472852.0000000003231000.00000004.00000020.00020000.00000000.sdmp, logs.dat.8.dr	Binary or memory string: [Program Manager]

Source: C:\Users\user\Desktop\OKkUGRkZV7.exe

Code function: 0_2_0036862B cpuid

0_2_0036862B

Source: C:\Windows\SysWOW64\svchost.exe	Code function: EnumSystemLocalesW,	3_2_0045201B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: EnumSystemLocalesW,	3_2_004520B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	3_2_00452143
Source: C:\Windows\SysWOW64\svchost.exe	Code function: GetLocaleInfoW,	3_2_00452393
Source: C:\Windows\SysWOW64\svchost.exe	Code function: EnumSystemLocalesW,	3_2_00448484
Source: C:\Windows\SysWOW64\svchost.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	3_2_004524BC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: GetLocaleInfoW,	3_2_004525C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	3_2_00452690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: GetLocaleInfoW,	3_2_0044896D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: GetLocaleInfoA,	3_2_0040F90C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	3_2_00451D58
Source: C:\Windows\SysWOW64\svchost.exe	Code function: EnumSystemLocalesW,	3_2_00451FD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: EnumSystemLocalesW,	8_2_0045201B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: EnumSystemLocalesW,	8_2_004520B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	8_2_00452143
Source: C:\Windows\SysWOW64\svchost.exe	Code function: GetLocaleInfoW,	8_2_00452393
Source: C:\Windows\SysWOW64\svchost.exe	Code function: EnumSystemLocalesW,	8_2_00448484
Source: C:\Windows\SysWOW64\svchost.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	8_2_004524BC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: GetLocaleInfoW,	8_2_004525C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	8_2_00452690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: GetLocaleInfoW,	8_2_0044896D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: GetLocaleInfoA,	8_2_0040F90C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	8_2_00451D58
Source: C:\Windows\SysWOW64\svchost.exe	Code function: EnumSystemLocalesW,	8_2_00451FD0

Source: C:\Users\user\Desktop\OKkUGRkZV7.exe

Code function: 0_2_00374E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00374E87

Source: C:\Users\user\Desktop\OKkUGRkZV7.exe

Code function: 0_2_00381E06 GetUserNameW,

0_2_00381E06

Source: C:\Users\user\Desktop\OKkUGRkZV7.exe

Code function: 0_2_00373F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00373F3A

Source: C:\Users\user\Desktop\OKkUGRkZV7.exe

Code function: 0_2_003449A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_003449A0

Source: C:\Users\user\Desktop\OKkUGRkZV7.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.ambiparous.exe.39e0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.ambiparous.exe.39e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.ambiparous.exe.3600000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.ambiparous.exe.3600000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.3786705466.0000000004EDE000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1398020611.0000000003600000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3786396527.0000000003200000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1537946128.00000000039E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3785910612.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3786431770.0000000003212000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1395816177.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ambiparous.exe PID: 7880, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 7900, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ambiparous.exe PID: 8128, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 8168, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

Contains functionality to steal Chrome passwords or cookies

Source: C:\Windows\SysWOW64\svchost.exe	Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data		3_2_0040BA4D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data		8_2_0040BA4D

Contains functionality to steal Firefox passwords or cookies

Source: C:\Windows\SysWOW64\svchost.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\	3_2_0040BB6B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: \key3.db	3_2_0040BB6B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\	8_2_0040BB6B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: \key3.db	8_2_0040BB6B

Source: ambiparous.exe	Binary or memory string: WIN_81
Source: ambiparous.exe	Binary or memory string: WIN_XP
Source: ambiparous.exe	Binary or memory string: WIN_XPe
Source: ambiparous.exe	Binary or memory string: WIN_VISTA
Source: ambiparous.exe	Binary or memory string: WIN_7
Source: ambiparous.exe	Binary or memory string: WIN_8
Source: ambiparous.exe.0.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Detected Remcos RAT

Source: C:\Windows\SysWOW64\svchost.exe	Mutex created: \Sessions\1\BaseNamedObjects\Rmc-ZFXG9Y			Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Mutex created: \Sessions\1\BaseNamedObjects\Rmc-ZFXG9Y			Jump to behavior

Yara detected Remcos RAT

Source: Yara match	File source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.ambiparous.exe.39e0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.ambiparous.exe.39e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.ambiparous.exe.3600000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.ambiparous.exe.3600000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.3786705466.0000000004EDE000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1398020611.0000000003600000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3786396527.0000000003200000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1537946128.00000000039E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3785910612.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3786431770.0000000003212000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1395816177.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ambiparous.exe PID: 7880, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 7900, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ambiparous.exe PID: 8128, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 8168, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

Source: C:\Windows\SysWOW64\svchost.exe	Code function: cmd.exe		3_2_0040569A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: cmd.exe		8_2_0040569A

Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	Code function: 0_2_003B6283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	0_2_003B6283
Source: C:\Users\user\Desktop\OKkUGRkZV7.exe	Code function: 0_2_003B6747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	0_2_003B6747
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Code function: 2_2_00B66283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	2_2_00B66283
Source: C:\Users\user\AppData\Local\lecheries\ambiparous.exe	Code function: 2_2_00B66747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	2_2_00B66747

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	2 Valid Accounts	1 Native API	111 Scripting	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	11 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	221 Input Capture	1 Account Discovery	Remote Desktop Protocol	221 Input Capture	2 Encrypted Channel	Exfiltration Over Bluetooth	1 Defacement
Email Addresses	DNS Server	Domain Accounts	2 Service Execution	2 Valid Accounts	1 Bypass User Account Control	2 Obfuscated Files or Information	2 Credentials In Files	1 System Service Discovery	SMB/Windows Admin Shares	3 Clipboard Data	1 Remote Access Software	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 Windows Service	2 Valid Accounts	1 DLL Side-Loading	NTDS	3 File and Directory Discovery	Distributed Component Object Model	Input Capture	1 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	2 Registry Run Keys / Startup Folder	21 Access Token Manipulation	1 Bypass User Account Control	LSA Secrets	126 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Windows Service	1 Masquerading	Cached Domain Credentials	231 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	422 Process Injection	2 Valid Accounts	DCSync	1 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	2 Registry Run Keys / Startup Folder	1 Virtualization/Sandbox Evasion	Proc Filesystem	3 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	11 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	422 Process Injection	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
OKkUGRkZV7.exe	61%	Virustotal		Browse
OKkUGRkZV7.exe	66%	ReversingLabs	Win32.Backdoor.Remcos
OKkUGRkZV7.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\lecheries\ambiparous.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\lecheries\ambiparous.exe	66%	ReversingLabs	Win32.Backdoor.Remcos
C:\Users\user\AppData\Local\lecheries\ambiparous.exe	61%	Virustotal		Browse

Name	IP	Active	Malicious	Antivirus Detection	Reputation
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://geoplugin.net/json.gp	svchost.exe	false		high
http://geoplugin.net/json.gp/C	ambiparous.exe, 00000002.00000002.1398020611.0000000003600000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1395816177.0000000000400000.00000040.80000000.00040000.00000000.sdmp, ambiparous.exe, 00000007.00000002.1537946128.00000000039E0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3785910612.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
192.3.64.152	unknown	United States		36352	AS-COLOCROSSINGUS	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588332
Start date and time:	2025-01-11 00:05:45 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	OKkUGRkZV7.exe renamed because original name is a hash value
Original Sample Name:	12f38b57f20acea350ed883756309c9516c6b5b814ebedcb19dcb5ba798579e1.exe
Detection:	MAL
Classification:	mal100.rans.troj.spyw.expl.evad.winEXE@12/7@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 57 Number of non-executed functions: 278
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 20.12.23.50
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
00:06:51	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ambiparous.vbs
18:07:36	API Interceptor	4841384x Sleep call for process: svchost.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
192.3.64.152	MLxloAVuCZ.exe	Get hash	malicious	Remcos	Browse
	1evAkYZpwDV0N4v.exe	Get hash	malicious	Remcos	Browse
	LdSbZG1iH6.exe	Get hash	malicious	Remcos, PureLog Stealer	Browse
	EIuz8Bk9kGav2ix.exe	Get hash	malicious	Remcos	Browse
	6Ctc0o7vhqKgjU7.exe	Get hash	malicious	Remcos	Browse
	New Order.exe	Get hash	malicious	Remcos	Browse
	UsoOuMVYCv8QrxG.exe	Get hash	malicious	Remcos	Browse
	New Order.exe	Get hash	malicious	Remcos	Browse
	SecuriteInfo.com.Trojan.PackedNET.3042.4675.2937.exe	Get hash	malicious	Remcos	Browse
	Quote.exe	Get hash	malicious	Remcos	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0017.t-0009.t-msedge.net	https://app.online.mt.com/e/es?s=961579678&e=14507707&elqTrackId=4f40dcb3a3854013ad3a46d461cc3aff&elq=5140e028df1a42afab491350388fd129&elqaid=221811&elqat=1&elqcst=272&elqcsid=2325629&elqak=8AF5D97DFF9E423CC7C7524F5CA3C1A86F5F67341B9DF612D5A2FB20DE928F2AA351	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://maya-lopez.filemail.com/t/XhcWEjoR	Get hash	malicious	Unknown	Browse	13.107.246.45
	Kb94RzMYNf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	13.107.246.45
	240815025266174071.js	Get hash	malicious	Strela Downloader	Browse	13.107.246.45
	hgq5nzWJll.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
	Ddj3E3qerh.exe	Get hash	malicious	Snake Keylogger	Browse	13.107.246.45
	WN9uCxgU1T.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	Full-Ver_Setup.exe	Get hash	malicious	LummaC Stealer	Browse	13.107.246.45
	Yef4EqsQha.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	13.107.246.45
	Qz8OEUxYuH.exe	Get hash	malicious	FormBook	Browse	13.107.246.45

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AS-COLOCROSSINGUS	NssBkEQKsI.exe	Get hash	malicious	Remcos	Browse	192.210.150.26
	l1QC9H0SNR.exe	Get hash	malicious	Remcos	Browse	192.210.150.26
	MLxloAVuCZ.exe	Get hash	malicious	Remcos	Browse	192.3.64.152
	bwYw3UUfy7.exe	Get hash	malicious	Remcos	Browse	192.210.150.26
	Nuevo-orden.xla.xlsx	Get hash	malicious	Unknown	Browse	192.3.27.144
	Nuevo-orden.xla.xlsx	Get hash	malicious	Unknown	Browse	192.3.27.144
	Nuevo-orden.xla.xlsx	Get hash	malicious	Unknown	Browse	192.3.27.144
	sh4.elf	Get hash	malicious	Mirai	Browse	23.95.117.229
	sweetnessgoodforgreatnessthingswithgood.tIF.vbs	Get hash	malicious	SmokeLoader	Browse	192.3.27.144
	begoodforeverythinggreatthingsformebetterforgood.hta	Get hash	malicious	Cobalt Strike, SmokeLoader	Browse	192.3.27.144

Process:	C:\Windows\SysWOW64\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	144
Entropy (8bit):	3.3683413243328855
Encrypted:	false
SSDEEP:	3:rglsOlfUldlfPlWfpFi5JWRal2Jl+7R0DAlBG45klovDl6v:Mls6Uln425YcIeeDAlOWAv
MD5:	2BCAB8B7AECECBC8BA0AE1D4FC0211BF
SHA1:	44CEC12FE41B0FBD046DF67817E307FB9027EBE5
SHA-256:	F64DC38838ED1B44E96B609BEF2B642E784DED1C0D87E8AECB18767FE852C349
SHA-512:	D7202673496BEC10A782E27A417141553FAE8FAA49E44632BEB4D32535B7AB3AFB9A09D552A0CD80EAB05D6A6C4CA1E45A1696E0C7EEDA0D94A1C3F64D3F9EC6
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
Reputation:	low
Preview:	....[.2.0.2.5./.0.1./.1.0. .1.8.:.0.7.:.0.4. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....

C:\Users\user\AppData\Local\Temp\aut6FF.tmp

Download File

Process:	C:\Users\user\AppData\Local\lecheries\ambiparous.exe
File Type:	data
Category:	dropped
Size (bytes):	398740
Entropy (8bit):	7.944649802781788
Encrypted:	false
SSDEEP:	12288:L5aGzSggRst9XijY0a9cxInNeiQYYcHvMBdz:dfz0st9B0AsuUvrgUl
MD5:	2F27F8C2D7DAA4BF537C692FDA7ED077
SHA1:	2B46E686A3D83B3E8DC894C7B9895227655881C7
SHA-256:	D33F0DD622F656AF29139344A4A40DFCD64369465FCC7CA661F1012FE43EAF09
SHA-512:	9E2793980C5268A1D64D06A8F05E213C1215429492E0EE339ECA9786FF35EE6689A7C830008F240ECC5B2F26563B0A6E45E88747421D728DEF23A1E3BB832B6A
Malicious:	false
Reputation:	low
Preview:	EA06.....@4....H..&....kK........Z...`.....}U...M..(..d..`.M ..jA(..g.9.Js"..r..nA5.U..:..Ma....X..........e.H.6...Bh.9..U..Bd^9...........!1.......m... ..<...0e.RI.,.`.]3sx.....y.....I\|..%`......D...M..5....m...0......m...7.....!..j.p......i.l.eO.v.....hkSzU"c@.PiS.}..7.0.7).>.J.<4...B.....:.D.M..4.......C..$b.Z...s..".(.ld.....c...N.v.:].b..j&T.,D....L.....A.R/ ..6..`.....L...<..C=...m...n..m)3...P.....'.a.Mev...S5..i.....S. ..Y0.T....E..T.....=..`.L.....A...<\|.....o.Vg... .a.L.Q..f....J..m^Q!.....`.`.R@'32.x.iTi..0...Q1A....JH......*.yeN.H.......A..0-. ..............A.Rh...w.<....\|....&..;A...%<.T:.....S.f3..C(}.=b.8...........#...?S..R(v.or....".(M..0.{.....m.R._9%#.B(;-...`...<....x...x..!+..a.....B.[1.....@.W.$...........@.b.........Q.\4...ef..N.....TR..3f.0......a..`bEz..4.p..l...0,g~.......u"S;..;....0...s.g..b.........1..D.`...1`....1~/.P.CqD......C.l.....B...J.\..Cuy..ur^=".P........3.Dp]....`.p.6.d8..9....`.......(.1..p.`...3.....1c<q....7..$.P

C:\Users\user\AppData\Local\Temp\autC2A3.tmp

Download File

Process:	C:\Users\user\Desktop\OKkUGRkZV7.exe
File Type:	data
Category:	dropped
Size (bytes):	398740
Entropy (8bit):	7.944649802781788
Encrypted:	false
SSDEEP:	12288:L5aGzSggRst9XijY0a9cxInNeiQYYcHvMBdz:dfz0st9B0AsuUvrgUl
MD5:	2F27F8C2D7DAA4BF537C692FDA7ED077
SHA1:	2B46E686A3D83B3E8DC894C7B9895227655881C7
SHA-256:	D33F0DD622F656AF29139344A4A40DFCD64369465FCC7CA661F1012FE43EAF09
SHA-512:	9E2793980C5268A1D64D06A8F05E213C1215429492E0EE339ECA9786FF35EE6689A7C830008F240ECC5B2F26563B0A6E45E88747421D728DEF23A1E3BB832B6A
Malicious:	false
Reputation:	low
Preview:	EA06.....@4....H..&....kK........Z...`.....}U...M..(..d..`.M ..jA(..g.9.Js"..r..nA5.U..:..Ma....X..........e.H.6...Bh.9..U..Bd^9...........!1.......m... ..<...0e.RI.,.`.]3sx.....y.....I\|..%`......D...M..5....m...0......m...7.....!..j.p......i.l.eO.v.....hkSzU"c@.PiS.}..7.0.7).>.J.<4...B.....:.D.M..4.......C..$b.Z...s..".(.ld.....c...N.v.:].b..j&T.,D....L.....A.R/ ..6..`.....L...<..C=...m...n..m)3...P.....'.a.Mev...S5..i.....S. ..Y0.T....E..T.....=..`.L.....A...<\|.....o.Vg... .a.L.Q..f....J..m^Q!.....`.`.R@'32.x.iTi..0...Q1A....JH......*.yeN.H.......A..0-. ..............A.Rh...w.<....\|....&..;A...%<.T:.....S.f3..C(}.=b.8...........#...?S..R(v.or....".(M..0.{.....m.R._9%#.B(;-...`...<....x...x..!+..a.....B.[1.....@.W.$...........@.b.........Q.\4...ef..N.....TR..3f.0......a..`bEz..4.p..l...0,g~.......u"S;..;....0...s.g..b.........1..D.`...1`....1~/.P.CqD......C.l.....B...J.\..Cuy..ur^=".P........3.Dp]....`.p.6.d8..9....`.......(.1..p.`...3.....1c<q....7..$.P

C:\Users\user\AppData\Local\Temp\autD10A.tmp

Download File

Process:	C:\Users\user\AppData\Local\lecheries\ambiparous.exe
File Type:	data
Category:	dropped
Size (bytes):	398740
Entropy (8bit):	7.944649802781788
Encrypted:	false
SSDEEP:	12288:L5aGzSggRst9XijY0a9cxInNeiQYYcHvMBdz:dfz0st9B0AsuUvrgUl
MD5:	2F27F8C2D7DAA4BF537C692FDA7ED077
SHA1:	2B46E686A3D83B3E8DC894C7B9895227655881C7
SHA-256:	D33F0DD622F656AF29139344A4A40DFCD64369465FCC7CA661F1012FE43EAF09
SHA-512:	9E2793980C5268A1D64D06A8F05E213C1215429492E0EE339ECA9786FF35EE6689A7C830008F240ECC5B2F26563B0A6E45E88747421D728DEF23A1E3BB832B6A
Malicious:	false
Reputation:	low
Preview:	EA06.....@4....H..&....kK........Z...`.....}U...M..(..d..`.M ..jA(..g.9.Js"..r..nA5.U..:..Ma....X..........e.H.6...Bh.9..U..Bd^9...........!1.......m... ..<...0e.RI.,.`.]3sx.....y.....I\|..%`......D...M..5....m...0......m...7.....!..j.p......i.l.eO.v.....hkSzU"c@.PiS.}..7.0.7).>.J.<4...B.....:.D.M..4.......C..$b.Z...s..".(.ld.....c...N.v.:].b..j&T.,D....L.....A.R/ ..6..`.....L...<..C=...m...n..m)3...P.....'.a.Mev...S5..i.....S. ..Y0.T....E..T.....=..`.L.....A...<\|.....o.Vg... .a.L.Q..f....J..m^Q!.....`.`.R@'32.x.iTi..0...Q1A....JH......*.yeN.H.......A..0-. ..............A.Rh...w.<....\|....&..;A...%<.T:.....S.f3..C(}.=b.8...........#...?S..R(v.or....".(M..0.{.....m.R._9%#.B(;-...`...<....x...x..!+..a.....B.[1.....@.W.$...........@.b.........Q.\4...ef..N.....TR..3f.0......a..`bEz..4.p..l...0,g~.......u"S;..;....0...s.g..b.........1..D.`...1`....1~/.P.CqD......C.l.....B...J.\..Cuy..ur^=".P........3.Dp]....`.p.6.d8..9....`.......(.1..p.`...3.....1c<q....7..$.P

C:\Users\user\AppData\Local\Temp\intemeration

Download File

Process:	C:\Users\user\Desktop\OKkUGRkZV7.exe
File Type:	data
Category:	dropped
Size (bytes):	494592
Entropy (8bit):	7.542100190762085
Encrypted:	false
SSDEEP:	6144:Flc5kW5Yzs13Cc3bOScUAAEDc2TDZQHNGINX6s6fQmKEy44ekeklnLWiS9qc/oRn:HUYzsxhbOv/Rg2TVRINB5JekBLzoxJmZ
MD5:	8479F2723F780796C7534696DC950CBB
SHA1:	5B2D9C8B8FC13D92AA7356CBF85BBA365301398D
SHA-256:	5C33AA73C78D8C92CD6B1820F6F04A646F915B134C9AE0E3E8B7B0900D07CB92
SHA-512:	67E3514B4A1B68CBB171B1CC5CB8A658277000213D6F87BBA9C73F0A6869C6018EB9F168A3E560A4A7AAFEBB198761B0EACBF86C0375EAC855640C0130CE8F1A
Malicious:	false
Reputation:	low
Preview:	...K@0NHE85O..5K.0NHA85O.Z5KC0NHA85OAZ5KC0NHA85OAZ5KC0NHA85OY[5KM/.FA.<.`.4.... (K.?35R9"]n+ V[ 5zW.cB;&aQ[o..fk._-o58EeZ5KC0NHMC.b.@.5..6.".1...5..6...1.@.5..j6.".1.8g5..6..$1.@.5.t.7.".1...41.6.\|.0+@.5.R.6.".1.@.55+.6.\|.0m@.5.tg6.".1...4..6.QV'.@.5C0NHA85OAZ5KC0NHA85OAZ5K.uNH.92O...-C0NHA85O.Z7JH1@HAJ0OAL7KC0NH.r6OAJ5KC.KHA8uOAJ5KC2NHD84OAZ5KF0OHA85OAz=KC4NHA85OCZ5.C0^HA(5OAZ%KC NHA85OQZ5KC0NHA85O..3KG1NHA.2O..5KC0NHA85OAZ5KC0NHA.2O.a5K..HHy85OAZ5KC0NHA85OAZ5K..HHY85O.3K.0NHA85OAZ5KC.KHA=5OAZ5KC0NHA85OAZ5KC0NHA85Oo.P370NH.I0OAJ5KCBKHA<5OAZ5KC0NHA85OaZ5+mB)5Y5O.#4KC.KHAB4OA,0KC0NHA85OAZ5K.0N.o\T; Z5K.mNHA(2OAT5KC.HHA85OAZ5KC0NH.85.o.Y8C0NHH85OA2KC2NHA.3OAZ5KC0NHA85O.Z5.mW(!%K5OqX5KC.IHA<5OAZ2KC0NHA85OAZ5K.0N.oJF="Z5K.{NHA.2OA.5KC4IHA85OAZ5KC0NH.85.o(P',SNH..5OA.2KC.NHAh2OAZ5KC0NHA85O.Z5.C0NHA85OAZ5KC0NHA85OAZ5KC0NHA85OAZ5KC0NHA85OAZ5KC0NHA85OAZ5KC0NHA85OAZ5KC0NHA85OAZ5KC0NHA85OAZ5KC0NHA85OAZ5KC0NHA85OAZ5KC0NHA85OAZ5KC0NHA85OAZ5KC0NHA85OAZ5KC0NHA85OAZ5KC0NHA85OAZ5KC0NHA85OAZ5K

C:\Users\user\AppData\Local\lecheries\ambiparous.exe

Download File

Process:	C:\Users\user\Desktop\OKkUGRkZV7.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1323520
Entropy (8bit):	7.296986518920411
Encrypted:	false
SSDEEP:	24576:Qu6J33O0c+JY5UZ+XC0kGso6Fauf9v8AWLJgm9Ko2YyVWY:au0c++OCvkGs9Fauf9vJwJH9cYvY
MD5:	F484F16874DDB071B45CB9F1FA8D0C56
SHA1:	8CF9F6AB9A0A8520650145AE1702CC35F0E4B123
SHA-256:	12F38B57F20ACEA350ED883756309C9516C6B5B814EBEDCB19DCB5BA798579E1
SHA-512:	A20A46F56D408E9B2B5DCF956C9DEC9A1170885FBBCB7C24A8CAA6ED7202C30309BC72DC7A4C193DDB6F13CDC4C94E5F105E6D76CDFF5B1D0585C7D807318E15
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 66% Antivirus: Virustotal, Detection: 61%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}.r}.r}.4,".p}.....s}../..A}../#..}../".G}.{.@.{}.{.P.W}.r}.R....)."}.....s}../..s}.r}T.s}.....s}.Richr}.................PE..L....tVg.........."..........P.......}............@.................................'.....@...@.......@.....................L...\|....p..D.................... ...q...+..............................pH..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...D....p......................@..@.reloc...q... ...r..................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ambiparous.vbs

Download File

Process:	C:\Users\user\AppData\Local\lecheries\ambiparous.exe
File Type:	data
Category:	dropped
Size (bytes):	280
Entropy (8bit):	3.3838457202027814
Encrypted:	false
SSDEEP:	6:DMM8lfm3OOQdUfclmVzUEZ+lX1Rak0BnriIM8lfQVn:DsO+vNlGQ1WmA2n
MD5:	9D937E23D7FAB1953CABD2D8CCD23C28
SHA1:	9D8ED59C846CA6BF670D49161966591D9C7CA69D
SHA-256:	B1CB4C33F22996455957EDD565897A9118CC3A7E1894C394D492C7B48E698D5F
SHA-512:	7CB6F2B994B4482D4464742EA24A44522F352F51AB15D7B45935A9D712C4FCC5956B3C0E7E6338AF54D616D4C58660AE05C72F58A2B54996256798830B61722B
Malicious:	true
Preview:	S.e.t. .W.s.h.S.h.e.l.l. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...W.s.h.S.h.e.l.l...R.u.n. .".C.:.\.U.s.e.r.s.\.t.o.t.t.i.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.l.e.c.h.e.r.i.e.s.\.a.m.b.i.p.a.r.o.u.s...e.x.e.".,. .1...S.e.t. .W.s.h.S.h.e.l.l. .=. .N.o.t.h.i.n.g...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.296986518920411
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	OKkUGRkZV7.exe
File size:	1'323'520 bytes
MD5:	f484f16874ddb071b45cb9f1fa8d0c56
SHA1:	8cf9f6ab9a0a8520650145ae1702cc35f0e4b123
SHA256:	12f38b57f20acea350ed883756309c9516c6b5b814ebedcb19dcb5ba798579e1
SHA512:	a20a46f56d408e9b2b5dcf956c9dec9a1170885fbbcb7c24a8caa6ed7202c30309bc72dc7a4c193ddb6f13cdc4c94e5f105e6d76cdff5b1d0585c7d807318e15
SSDEEP:	24576:Qu6J33O0c+JY5UZ+XC0kGso6Fauf9v8AWLJgm9Ko2YyVWY:au0c++OCvkGs9Fauf9vJwJH9cYvY
TLSH:	A255CF2273DDC360CB669173BF69B7016EBF3C614630B95B2F880D7DA950162162DBA3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x427dcd
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x675674A0 [Mon Dec 9 04:40:00 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007F8B7D279A8Ah
jmp 00007F8B7D26C854h
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F8B7D26C9DAh
cmp edi, eax
jc 00007F8B7D26CD3Eh
bt dword ptr [004C31FCh], 01h
jnc 00007F8B7D26C9D9h
rep movsb
jmp 00007F8B7D26CCECh
cmp ecx, 00000080h
jc 00007F8B7D26CBA4h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F8B7D26C9E0h
bt dword ptr [004BE324h], 01h
jc 00007F8B7D26CEB0h
bt dword ptr [004C31FCh], 00000000h
jnc 00007F8B7D26CB7Dh
test edi, 00000003h
jne 00007F8B7D26CB8Eh
test esi, 00000003h
jne 00007F8B7D26CB6Dh
bt edi, 02h
jnc 00007F8B7D26C9DFh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F8B7D26C9E3h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F8B7D26CA35h
bt esi, 03h
jnc 00007F8B7D26CA88h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD4 build 31101
[RES] VS2013 build 21005
[LNK] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xba44c	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x7a944	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x142000	0x711c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4870	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dcc4	0x8de00	d28a820a1d9ff26cda02d12b888ba4b4	False	0.5728679102422908	data	6.676118058520316	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2e10e	0x2e200	79b14b254506b0dbc8cd0ad67fb70ad9	False	0.33535526761517614	OpenPGP Public Key	5.76010872795207	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbe000	0x8f74	0x5200	9f9d6f746f1a415a63de45f8b7983d33	False	0.1017530487804878	data	1.198745897703538	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc7000	0x7a944	0x7aa00	efbda78f1705fac83b3e77ba286db62c	False	0.9466265290519877	data	7.9328603924305	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x142000	0x711c	0x7200	6fcae3cbbf6bfbabf5ec5bbe7cf612c3	False	0.7650767543859649	data	6.779031650454199	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc75a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc76d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc77f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc7920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc7c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc7d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc8bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc9480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc99e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xcbf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xcd038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xcd4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xcd4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcda84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xce110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xce5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xceb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcf1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcf660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcf7b8	0x71c0b	data			1.000324082321202
RT_GROUP_ICON	0x1413c4	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x14143c	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x141450	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x141464	0x14	data	English	Great Britain	1.25
RT_VERSION	0x141478	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x141554	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 00:07:05.109534025 CET	49857	2559	192.168.2.11	192.3.64.152
Jan 11, 2025 00:07:05.115813971 CET	2559	49857	192.3.64.152	192.168.2.11
Jan 11, 2025 00:07:05.116033077 CET	49857	2559	192.168.2.11	192.3.64.152
Jan 11, 2025 00:07:05.121388912 CET	49857	2559	192.168.2.11	192.3.64.152
Jan 11, 2025 00:07:05.126187086 CET	2559	49857	192.3.64.152	192.168.2.11
Jan 11, 2025 00:07:26.497174978 CET	2559	49857	192.3.64.152	192.168.2.11
Jan 11, 2025 00:07:26.497355938 CET	49857	2559	192.168.2.11	192.3.64.152
Jan 11, 2025 00:07:26.497510910 CET	49857	2559	192.168.2.11	192.3.64.152
Jan 11, 2025 00:07:26.502311945 CET	2559	49857	192.3.64.152	192.168.2.11
Jan 11, 2025 00:07:27.501091003 CET	49974	2559	192.168.2.11	192.3.64.152
Jan 11, 2025 00:07:27.505999088 CET	2559	49974	192.3.64.152	192.168.2.11
Jan 11, 2025 00:07:27.506091118 CET	49974	2559	192.168.2.11	192.3.64.152
Jan 11, 2025 00:07:27.510718107 CET	49974	2559	192.168.2.11	192.3.64.152
Jan 11, 2025 00:07:27.515532017 CET	2559	49974	192.3.64.152	192.168.2.11
Jan 11, 2025 00:07:48.884401083 CET	2559	49974	192.3.64.152	192.168.2.11
Jan 11, 2025 00:07:48.884521961 CET	49974	2559	192.168.2.11	192.3.64.152
Jan 11, 2025 00:07:48.884640932 CET	49974	2559	192.168.2.11	192.3.64.152
Jan 11, 2025 00:07:48.889381886 CET	2559	49974	192.3.64.152	192.168.2.11
Jan 11, 2025 00:07:49.892203093 CET	49976	2559	192.168.2.11	192.3.64.152
Jan 11, 2025 00:07:49.897340059 CET	2559	49976	192.3.64.152	192.168.2.11
Jan 11, 2025 00:07:49.897449970 CET	49976	2559	192.168.2.11	192.3.64.152
Jan 11, 2025 00:07:49.901403904 CET	49976	2559	192.168.2.11	192.3.64.152
Jan 11, 2025 00:07:49.906553984 CET	2559	49976	192.3.64.152	192.168.2.11
Jan 11, 2025 00:08:11.263581038 CET	2559	49976	192.3.64.152	192.168.2.11
Jan 11, 2025 00:08:11.264481068 CET	49976	2559	192.168.2.11	192.3.64.152
Jan 11, 2025 00:08:11.264617920 CET	49976	2559	192.168.2.11	192.3.64.152
Jan 11, 2025 00:08:11.269438982 CET	2559	49976	192.3.64.152	192.168.2.11
Jan 11, 2025 00:08:12.266753912 CET	49977	2559	192.168.2.11	192.3.64.152
Jan 11, 2025 00:08:12.271656036 CET	2559	49977	192.3.64.152	192.168.2.11
Jan 11, 2025 00:08:12.271743059 CET	49977	2559	192.168.2.11	192.3.64.152
Jan 11, 2025 00:08:12.275307894 CET	49977	2559	192.168.2.11	192.3.64.152
Jan 11, 2025 00:08:12.280119896 CET	2559	49977	192.3.64.152	192.168.2.11
Jan 11, 2025 00:08:33.670284033 CET	2559	49977	192.3.64.152	192.168.2.11
Jan 11, 2025 00:08:33.670381069 CET	49977	2559	192.168.2.11	192.3.64.152
Jan 11, 2025 00:08:33.670452118 CET	49977	2559	192.168.2.11	192.3.64.152
Jan 11, 2025 00:08:33.675226927 CET	2559	49977	192.3.64.152	192.168.2.11
Jan 11, 2025 00:08:34.676031113 CET	49978	2559	192.168.2.11	192.3.64.152
Jan 11, 2025 00:08:34.680892944 CET	2559	49978	192.3.64.152	192.168.2.11
Jan 11, 2025 00:08:34.680974007 CET	49978	2559	192.168.2.11	192.3.64.152
Jan 11, 2025 00:08:34.684602976 CET	49978	2559	192.168.2.11	192.3.64.152
Jan 11, 2025 00:08:34.689330101 CET	2559	49978	192.3.64.152	192.168.2.11
Jan 11, 2025 00:08:56.061204910 CET	2559	49978	192.3.64.152	192.168.2.11
Jan 11, 2025 00:08:56.062489986 CET	49978	2559	192.168.2.11	192.3.64.152
Jan 11, 2025 00:08:56.065656900 CET	49978	2559	192.168.2.11	192.3.64.152
Jan 11, 2025 00:08:56.073827028 CET	2559	49978	192.3.64.152	192.168.2.11
Jan 11, 2025 00:08:57.079937935 CET	49979	2559	192.168.2.11	192.3.64.152
Jan 11, 2025 00:08:57.084975004 CET	2559	49979	192.3.64.152	192.168.2.11
Jan 11, 2025 00:08:57.087079048 CET	49979	2559	192.168.2.11	192.3.64.152
Jan 11, 2025 00:08:57.091222048 CET	49979	2559	192.168.2.11	192.3.64.152
Jan 11, 2025 00:08:57.096117020 CET	2559	49979	192.3.64.152	192.168.2.11
Jan 11, 2025 00:09:18.463421106 CET	2559	49979	192.3.64.152	192.168.2.11
Jan 11, 2025 00:09:18.468489885 CET	49979	2559	192.168.2.11	192.3.64.152
Jan 11, 2025 00:09:18.468564987 CET	49979	2559	192.168.2.11	192.3.64.152
Jan 11, 2025 00:09:18.473381996 CET	2559	49979	192.3.64.152	192.168.2.11
Jan 11, 2025 00:09:19.484003067 CET	49980	2559	192.168.2.11	192.3.64.152
Jan 11, 2025 00:09:19.489022970 CET	2559	49980	192.3.64.152	192.168.2.11
Jan 11, 2025 00:09:19.490828037 CET	49980	2559	192.168.2.11	192.3.64.152
Jan 11, 2025 00:09:19.577183962 CET	49980	2559	192.168.2.11	192.3.64.152
Jan 11, 2025 00:09:19.582101107 CET	2559	49980	192.3.64.152	192.168.2.11
Jan 11, 2025 00:09:40.871623993 CET	2559	49980	192.3.64.152	192.168.2.11
Jan 11, 2025 00:09:40.871687889 CET	49980	2559	192.168.2.11	192.3.64.152
Jan 11, 2025 00:09:40.871750116 CET	49980	2559	192.168.2.11	192.3.64.152
Jan 11, 2025 00:09:40.876471043 CET	2559	49980	192.3.64.152	192.168.2.11
Jan 11, 2025 00:09:41.876348972 CET	49981	2559	192.168.2.11	192.3.64.152
Jan 11, 2025 00:09:41.881133080 CET	2559	49981	192.3.64.152	192.168.2.11
Jan 11, 2025 00:09:41.881198883 CET	49981	2559	192.168.2.11	192.3.64.152
Jan 11, 2025 00:09:41.885205984 CET	49981	2559	192.168.2.11	192.3.64.152
Jan 11, 2025 00:09:41.889977932 CET	2559	49981	192.3.64.152	192.168.2.11
Jan 11, 2025 00:10:03.249950886 CET	2559	49981	192.3.64.152	192.168.2.11
Jan 11, 2025 00:10:03.252532959 CET	49981	2559	192.168.2.11	192.3.64.152
Jan 11, 2025 00:10:03.252624035 CET	49981	2559	192.168.2.11	192.3.64.152
Jan 11, 2025 00:10:03.257419109 CET	2559	49981	192.3.64.152	192.168.2.11
Jan 11, 2025 00:10:04.266923904 CET	49982	2559	192.168.2.11	192.3.64.152
Jan 11, 2025 00:10:04.271816969 CET	2559	49982	192.3.64.152	192.168.2.11
Jan 11, 2025 00:10:04.272085905 CET	49982	2559	192.168.2.11	192.3.64.152
Jan 11, 2025 00:10:04.276889086 CET	49982	2559	192.168.2.11	192.3.64.152
Jan 11, 2025 00:10:04.281847000 CET	2559	49982	192.3.64.152	192.168.2.11
Jan 11, 2025 00:10:25.673630953 CET	2559	49982	192.3.64.152	192.168.2.11
Jan 11, 2025 00:10:25.676512003 CET	49982	2559	192.168.2.11	192.3.64.152
Jan 11, 2025 00:10:25.685173988 CET	49982	2559	192.168.2.11	192.3.64.152
Jan 11, 2025 00:10:25.691736937 CET	2559	49982	192.3.64.152	192.168.2.11
Jan 11, 2025 00:10:26.692771912 CET	49983	2559	192.168.2.11	192.3.64.152
Jan 11, 2025 00:10:26.698959112 CET	2559	49983	192.3.64.152	192.168.2.11
Jan 11, 2025 00:10:26.700536966 CET	49983	2559	192.168.2.11	192.3.64.152
Jan 11, 2025 00:10:26.704760075 CET	49983	2559	192.168.2.11	192.3.64.152
Jan 11, 2025 00:10:26.711124897 CET	2559	49983	192.3.64.152	192.168.2.11
Jan 11, 2025 00:10:48.918478012 CET	2559	49983	192.3.64.152	192.168.2.11
Jan 11, 2025 00:10:48.918591976 CET	49983	2559	192.168.2.11	192.3.64.152
Jan 11, 2025 00:10:48.918677092 CET	49983	2559	192.168.2.11	192.3.64.152
Jan 11, 2025 00:10:48.918912888 CET	2559	49983	192.3.64.152	192.168.2.11
Jan 11, 2025 00:10:48.918983936 CET	49983	2559	192.168.2.11	192.3.64.152
Jan 11, 2025 00:10:48.919115067 CET	2559	49983	192.3.64.152	192.168.2.11
Jan 11, 2025 00:10:48.919205904 CET	49983	2559	192.168.2.11	192.3.64.152
Jan 11, 2025 00:10:48.928009987 CET	2559	49983	192.3.64.152	192.168.2.11
Jan 11, 2025 00:10:49.923023939 CET	49984	2559	192.168.2.11	192.3.64.152
Jan 11, 2025 00:10:49.927875042 CET	2559	49984	192.3.64.152	192.168.2.11
Jan 11, 2025 00:10:49.927959919 CET	49984	2559	192.168.2.11	192.3.64.152
Jan 11, 2025 00:10:49.931682110 CET	49984	2559	192.168.2.11	192.3.64.152
Jan 11, 2025 00:10:49.936435938 CET	2559	49984	192.3.64.152	192.168.2.11

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 11, 2025 00:06:39.981091022 CET	1.1.1.1	192.168.2.11	0x5fda	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 00:06:39.981091022 CET	1.1.1.1	192.168.2.11	0x5fda	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	18:06:42
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\OKkUGRkZV7.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\OKkUGRkZV7.exe"
Imagebase:	0x340000
File size:	1'323'520 bytes
MD5 hash:	F484F16874DDB071B45CB9F1FA8D0C56
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	18:06:46
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Local\lecheries\ambiparous.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\OKkUGRkZV7.exe"
Imagebase:	0xaf0000
File size:	1'323'520 bytes
MD5 hash:	F484F16874DDB071B45CB9F1FA8D0C56
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000002.00000002.1398020611.0000000003600000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000002.1398020611.0000000003600000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000002.00000002.1398020611.0000000003600000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000002.00000002.1398020611.0000000003600000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000002.00000002.1398020611.0000000003600000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000002.00000002.1398020611.0000000003600000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 66%, ReversingLabs Detection: 61%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	18:06:49
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\OKkUGRkZV7.exe"
Imagebase:	0xcd0000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000003.00000002.1395816177.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000003.00000002.1395816177.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000003.00000002.1395816177.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000003.00000002.1395816177.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000003.00000002.1395816177.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000003.00000002.1395816177.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	18:06:50
Start date:	10/01/2025
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	"c:\program files (x86)\internet explorer\iexplore.exe"
Imagebase:	0xb90000
File size:	828'368 bytes
MD5 hash:	6F0F06D6AB125A99E43335427066A4A1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	18:06:59
Start date:	10/01/2025
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ambiparous.vbs"
Imagebase:	0x7ff607f60000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	18:07:00
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Local\lecheries\ambiparous.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\lecheries\ambiparous.exe"
Imagebase:	0xaf0000
File size:	1'323'520 bytes
MD5 hash:	F484F16874DDB071B45CB9F1FA8D0C56
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000007.00000002.1537946128.00000000039E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000007.00000002.1537946128.00000000039E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000007.00000002.1537946128.00000000039E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000007.00000002.1537946128.00000000039E0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000007.00000002.1537946128.00000000039E0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000007.00000002.1537946128.00000000039E0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	18:07:04
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\lecheries\ambiparous.exe"
Imagebase:	0xcd0000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.3786705466.0000000004EDE000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.3786396527.0000000003200000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000008.00000002.3785910612.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.3785910612.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000008.00000002.3785910612.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000008.00000002.3785910612.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000008.00000002.3785910612.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000008.00000002.3785910612.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.3786431770.0000000003212000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	3.4%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	8.6%
Total number of Nodes:	2000
Total number of Limit Nodes:	64

Executed Functions

Function 00343B3A Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00343B68
IsDebuggerPresent.KERNEL32 ref: 00343B7A
GetFullPathNameW.KERNEL32(00007FFF,?,?,004052F8,004052E0,?,?), ref: 00343BEB

Part of subcall function 00347BCC: _memmove.LIBCMT ref: 00347C06

Part of subcall function 0035092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00343C14,004052F8,?,?,?), ref: 0035096E

SetCurrentDirectoryW.KERNEL32(?), ref: 00343C6F
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,003F7770,00000010), ref: 0037D281
SetCurrentDirectoryW.KERNEL32(?,004052F8,?,?,?), ref: 0037D2B9
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,003F4260,004052F8,?,?,?), ref: 0037D33F
ShellExecuteW.SHELL32(00000000,?,?), ref: 0037D346

Part of subcall function 00343A46: GetSysColorBrush.USER32(0000000F), ref: 00343A50
Part of subcall function 00343A46: LoadCursorW.USER32(00000000,00007F00), ref: 00343A5F
Part of subcall function 00343A46: LoadIconW.USER32(00000063), ref: 00343A76
Part of subcall function 00343A46: LoadIconW.USER32(000000A4), ref: 00343A88
Part of subcall function 00343A46: LoadIconW.USER32(000000A2), ref: 00343A9A
Part of subcall function 00343A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00343AC0
Part of subcall function 00343A46: RegisterClassExW.USER32(?), ref: 00343B16

Part of subcall function 003439D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00343A03
Part of subcall function 003439D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00343A24
Part of subcall function 003439D5: ShowWindow.USER32(00000000,?,?), ref: 00343A38
Part of subcall function 003439D5: ShowWindow.USER32(00000000,?,?), ref: 00343A41

Part of subcall function 0034434A: _memset.LIBCMT ref: 00344370
Part of subcall function 0034434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00344415

Strings

This is a third-party compiled AutoIt script., xrefs: 0037D279
runas, xrefs: 0037D33A
%=, xrefs: 00343C44

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas$%=
API String ID: 529118366-4029254884
Opcode ID: 1fc482806fd91a37aa6a1a33f365638abde5a00cc55df753e57d8058212cf12d
Instruction ID: 1700416a66f215588f0b7e083e26f259becec2961cf7c73281ef6e0e1a225c1d
Opcode Fuzzy Hash: 1fc482806fd91a37aa6a1a33f365638abde5a00cc55df753e57d8058212cf12d
Instruction Fuzzy Hash: 5351AE31908148AEDB13ABB49C45EEE7BB9EF45700F0080B9E451BF1A2DB746A06CF25

Function 003449A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 003449CD

Part of subcall function 00347BCC: _memmove.LIBCMT ref: 00347C06

GetCurrentProcess.KERNEL32(?,003CFAEC,00000000,00000000,?), ref: 00344A9A
IsWow64Process.KERNEL32(00000000), ref: 00344AA1
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00344AE7
FreeLibrary.KERNEL32(00000000), ref: 00344AF2
GetSystemInfo.KERNEL32(00000000), ref: 00344B23
GetSystemInfo.KERNEL32(00000000), ref: 00344B2F

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: 5b6dab150a132dcd6c185d0bf0df8a870179ebffcf9c141c51604b872b41e0dd
Instruction ID: c7623902c5a1b4191a22d773389135e20053e249b5fd4afdabb84cd0e5cf7963
Opcode Fuzzy Hash: 5b6dab150a132dcd6c185d0bf0df8a870179ebffcf9c141c51604b872b41e0dd
Instruction Fuzzy Hash: A691B5319897C4DEC733DB6885506AAFFF9AF2A300B484D6DD0CB9BA41D624F508C75A

Function 00344E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00344D8E,?,?,00000000,00000000), ref: 00344E99
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00344D8E,?,?,00000000,00000000), ref: 00344EB0
LoadResource.KERNEL32(?,00000000,?,?,00344D8E,?,?,00000000,00000000,?,?,?,?,?,?,00344E2F), ref: 0037D937
SizeofResource.KERNEL32(?,00000000,?,?,00344D8E,?,?,00000000,00000000,?,?,?,?,?,?,00344E2F), ref: 0037D94C
LockResource.KERNEL32(00344D8E,?,?,00344D8E,?,?,00000000,00000000,?,?,?,?,?,?,00344E2F,00000000), ref: 0037D95F

Strings

SCRIPT, xrefs: 00344EA6

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: df428549780473ae5099fb05300430489adda7a9b2b3e73b0600e9adeedf8688
Instruction ID: b6dd185724a74d3bbf9cb34d5e5d5fcd9e818217cd347a3bd262102aefed2211
Opcode Fuzzy Hash: df428549780473ae5099fb05300430489adda7a9b2b3e73b0600e9adeedf8688
Instruction Fuzzy Hash: FE111875240701AFE7228B65EC48F67BBBEEBC5B51F208668F506DA650DB61E8408A60

Function 0034FCE0 Relevance: 9.8, APIs: 3, Strings: 2, Instructions: 1040COMMON

Download Yara Rule

Strings

pb@, xrefs: 003849B9
%=, xrefs: 0034FCF3

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: BuffCharUpper
String ID: pb@$%=
API String ID: 3964851224-3470441875
Opcode ID: 61dd28e226887e0687c8c48d29defb67febe1c7b11cbe41293642ba343339db4
Instruction ID: 481e264dbd5bb8c9089f406caebbd2513f123ee6f24e522e6fac4de3cf6eea90
Opcode Fuzzy Hash: 61dd28e226887e0687c8c48d29defb67febe1c7b11cbe41293642ba343339db4
Instruction Fuzzy Hash: 39928A706083418FD726DF24C480B2BB7E5BF85304F15896DE88A9B762D776EC49CB92

Function 0034E6A0 Relevance: 7.4, Strings: 5, Instructions: 1102COMMON

Download Yara Rule

Strings

Dd@, xrefs: 0034EAC1
Dd@, xrefs: 0034EABA
Dd@, xrefs: 00383B2E
Variable must be of type 'Object'., xrefs: 00383E62
Dd@, xrefs: 00383AF5

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID:
String ID: Dd@$Dd@$Dd@$Dd@$Variable must be of type 'Object'.
API String ID: 0-2845646731
Opcode ID: 7d7f3b884b36f67610af19c338e4ea15ca08f7e41ac5184a045e7601f851c152
Instruction ID: 817357476d068a017c31f062f03d4a0e8f7a0827326816ab117606ec38541f37
Opcode Fuzzy Hash: 7d7f3b884b36f67610af19c338e4ea15ca08f7e41ac5184a045e7601f851c152
Instruction Fuzzy Hash: E7A26875A00205CFCB26DF58C480AAAB7F6FF59714F268469E806AF351D735BD82CB90

Function 003A445A Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,0037E398), ref: 003A446A
FindFirstFileW.KERNELBASE(?,?), ref: 003A447B
FindClose.KERNEL32(00000000), ref: 003A448B

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 321a08201eea30abc9f308c6d3b7d613a0e5e02e0b9c4eb4d9539a13300a37d8
Instruction ID: 85dc5cec80620de1d7cc77f9ebd89936dbc02378f172d079e2a88bc945faba1f
Opcode Fuzzy Hash: 321a08201eea30abc9f308c6d3b7d613a0e5e02e0b9c4eb4d9539a13300a37d8
Instruction Fuzzy Hash: 76E0D8364145006B82116B38EC0D8E9775DDF4A335F100B15F835C10D0E7F4A9009695

Function 003509D0 Relevance: 64.3, APIs: 27, Strings: 9, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00350A5B
timeGetTime.WINMM ref: 00350D16
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00350E53
Sleep.KERNEL32(0000000A), ref: 00350E61
LockWindowUpdate.USER32(00000000,?,?), ref: 00350EFA
DestroyWindow.USER32 ref: 00350F06
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00350F20
Sleep.KERNEL32(0000000A,?,?), ref: 00384E83
TranslateMessage.USER32(?), ref: 00385C60
DispatchMessageW.USER32(?), ref: 00385C6E
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00385C82

Strings

@TRAY_ID, xrefs: 0038578F
pb@, xrefs: 00385003
@GUI_CTRLID, xrefs: 00384F3A
pb@, xrefs: 00384F59
pb@, xrefs: 00384FAE
pb@, xrefs: 003857B4
@GUI_WINHANDLE, xrefs: 00384F8F
@COM_EVENTOBJ, xrefs: 003854F0
@GUI_CTRLHANDLE, xrefs: 00384FE4

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$pb@$pb@$pb@$pb@
API String ID: 4212290369-4030950617
Opcode ID: 42e64bf074522153984b01ac0ac20e0c1fb08efc638870f5dfc87e835d24bb29
Instruction ID: 215b09dc95ad39c430e1764f603e0ab540e6edb13fdc9092a3eb9bcbef16b15e
Opcode Fuzzy Hash: 42e64bf074522153984b01ac0ac20e0c1fb08efc638870f5dfc87e835d24bb29
Instruction Fuzzy Hash: 1FB2D370608741DFD72AEF24C885FAAB7E5FF84304F15495DE8999B2A1CB71E848CB42

Function 003A9155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 003A8F5F: __time64.LIBCMT ref: 003A8F69

Part of subcall function 00344EE5: _fseek.LIBCMT ref: 00344EFD

__wsplitpath.LIBCMT ref: 003A9234

Part of subcall function 003640FB: __wsplitpath_helper.LIBCMT ref: 0036413B

_wcscpy.LIBCMT ref: 003A9247
_wcscat.LIBCMT ref: 003A925A
__wsplitpath.LIBCMT ref: 003A927F
_wcscat.LIBCMT ref: 003A9295
_wcscat.LIBCMT ref: 003A92A8

Part of subcall function 003A8FA5: _memmove.LIBCMT ref: 003A8FDE
Part of subcall function 003A8FA5: _memmove.LIBCMT ref: 003A8FED

_wcscmp.LIBCMT ref: 003A91EF

Part of subcall function 003A9734: _wcscmp.LIBCMT ref: 003A9824
Part of subcall function 003A9734: _wcscmp.LIBCMT ref: 003A9837

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 003A9452
_wcsncpy.LIBCMT ref: 003A94C5
DeleteFileW.KERNEL32(?,?), ref: 003A94FB
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 003A9511
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 003A9522
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 003A9534

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: f73adc158c7f89b2fec5106460f1d0432188cdbc250221842b1f7028c20fca3a
Instruction ID: 332622cc6f15c6e1f8b13a0fc5100b6fcddabe610304274c89d22d402cdeb96e
Opcode Fuzzy Hash: f73adc158c7f89b2fec5106460f1d0432188cdbc250221842b1f7028c20fca3a
Instruction Fuzzy Hash: 07C12BB1D00219AADF26DF95CC85EDEB7BDEF45310F0044AAF609EA151DB309A448F65

Function 00343015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00343074
RegisterClassExW.USER32(00000030), ref: 0034309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 003430AF
InitCommonControlsEx.COMCTL32(?), ref: 003430CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 003430DC
LoadIconW.USER32(000000A9), ref: 003430F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00343101

Strings

AutoIt v3 GUI, xrefs: 00343090
+, xrefs: 0034305D
0, xrefs: 00343056
TaskbarCreated, xrefs: 003430A4

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: c7dd36887b27c74ec3e857c6aaf86c0cb6a81343a1a50a324a7bcf2f33a83bf6
Instruction ID: 4902571e3167f6fcd604d00398bfce160ad81ef5215cad01a9b44436e18f14e5
Opcode Fuzzy Hash: c7dd36887b27c74ec3e857c6aaf86c0cb6a81343a1a50a324a7bcf2f33a83bf6
Instruction Fuzzy Hash: D13178B2800358AFDB02DFA4D888ADABFF5FB09310F14816EE580EA2A0D3B51554CF91

Function 00343041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00343074
RegisterClassExW.USER32(00000030), ref: 0034309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 003430AF
InitCommonControlsEx.COMCTL32(?), ref: 003430CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 003430DC
LoadIconW.USER32(000000A9), ref: 003430F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00343101

Strings

AutoIt v3 GUI, xrefs: 00343090
+, xrefs: 0034305D
0, xrefs: 00343056
TaskbarCreated, xrefs: 003430A4

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 5d8a3ff9f714d074fd46a6d4e2476a310b4eeeb97434b380332f757179bb25bf
Instruction ID: 6786a2aae98f86858b020351409db048cba1b9126dc7bc679877eb2932daf379
Opcode Fuzzy Hash: 5d8a3ff9f714d074fd46a6d4e2476a310b4eeeb97434b380332f757179bb25bf
Instruction Fuzzy Hash: 5A21C7B6901718AFDB01EFA4ED49BDEBBF9FB08700F00812AF911E62A0D7B155548F95

Function 0034708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00344706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,004052F8,?,003437AE,?), ref: 00344724

Part of subcall function 0036050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00347165), ref: 0036052D

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 003471A8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0037E8C8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0037E909
RegCloseKey.ADVAPI32(?), ref: 0037E947
_wcscat.LIBCMT ref: 0037E9A0

Strings

\, xrefs: 0037E9C3
Include, xrefs: 0037E8BF, 0037E900
Software\AutoIt v3\AutoIt, xrefs: 0034719E
\Include\, xrefs: 00347165

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 2e9beb17cd41f0f6b4bd12bef7560c44954e09658b16d4fbf3d9c54245be6d2e
Instruction ID: 02b97b8933857fd32f368a91e9c8add5161bda8b36812d97918529badac6c3df
Opcode Fuzzy Hash: 2e9beb17cd41f0f6b4bd12bef7560c44954e09658b16d4fbf3d9c54245be6d2e
Instruction Fuzzy Hash: 3071C0724083019EC316EF25ED8199BBBE8FF89310F41457EF446EB1A0DB75A908CB56

Function 00343633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 003436D2
KillTimer.USER32(?,00000001), ref: 003436FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0034371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0034372A
CreatePopupMenu.USER32 ref: 0034373E
PostQuitMessage.USER32(00000000), ref: 0034374D

Strings

TaskbarCreated, xrefs: 00343725
%=, xrefs: 0037D081, 0037D0CF

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated$%=
API String ID: 129472671-273969447
Opcode ID: ecc3f3c15ff5335266a93744a00854ec49f4a3716f965089f06b69a6672993c0
Instruction ID: f6c5e593e313819e72a250edb315795d2069c5473e9cf3fc09c7f922671bddc8
Opcode Fuzzy Hash: ecc3f3c15ff5335266a93744a00854ec49f4a3716f965089f06b69a6672993c0
Instruction Fuzzy Hash: 8C412AB2100506ABDF276F24DC49F7A3AD9EB00340F554135F902EF2E2CA78BD109B65

Function 00343A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00343A50
LoadCursorW.USER32(00000000,00007F00), ref: 00343A5F
LoadIconW.USER32(00000063), ref: 00343A76
LoadIconW.USER32(000000A4), ref: 00343A88
LoadIconW.USER32(000000A2), ref: 00343A9A
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00343AC0
RegisterClassExW.USER32(?), ref: 00343B16

Part of subcall function 00343041: GetSysColorBrush.USER32(0000000F), ref: 00343074
Part of subcall function 00343041: RegisterClassExW.USER32(00000030), ref: 0034309E
Part of subcall function 00343041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 003430AF
Part of subcall function 00343041: InitCommonControlsEx.COMCTL32(?), ref: 003430CC
Part of subcall function 00343041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 003430DC
Part of subcall function 00343041: LoadIconW.USER32(000000A9), ref: 003430F2
Part of subcall function 00343041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00343101

Strings

#, xrefs: 00343AFB
0, xrefs: 00343AF4
AutoIt v3, xrefs: 00343B05

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 2b7350e262791321e31ca9fc958aa9d28dac1ae1fea8bf955a15411f7ecdd123
Instruction ID: a57c9e54dcae05206adb28da18954712e79374d608579767ad6a442d54a90c61
Opcode Fuzzy Hash: 2b7350e262791321e31ca9fc958aa9d28dac1ae1fea8bf955a15411f7ecdd123
Instruction Fuzzy Hash: 88213974910308EFEB11DFA4EE49B9E7FB5EB08711F00016AE504BA2A1D3B566508F98

Function 00343766 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

CMDLINERAW, xrefs: 003437FB
/AutoIt3ExecuteScript, xrefs: 003438BC
/AutoIt3OutputDebug, xrefs: 00343892
CMDLINE, xrefs: 00343822
/ErrorStdOut, xrefs: 0034387D
R@, xrefs: 0037D213
/AutoIt3ExecuteLine, xrefs: 003438A7
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 003437AE

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$R@
API String ID: 1825951767-3808460316
Opcode ID: 77a7388cd04da4cfa3856b77fb536f765121be4d8d059e1e5dc18fef6cff54c1
Instruction ID: 99e2acc5d7ba2a504bd428b878c20da48190e3e2b7f579d27c335469d72c7c0b
Opcode Fuzzy Hash: 77a7388cd04da4cfa3856b77fb536f765121be4d8d059e1e5dc18fef6cff54c1
Instruction Fuzzy Hash: 01A12C7291021DAACF16EBA4DC95EEEB7B9FF15310F40042AE415BF191DF746A08CB60

Function 0034F76F Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 168
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00360162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00360193
Part of subcall function 00360162: MapVirtualKeyW.USER32(00000010,00000000), ref: 0036019B
Part of subcall function 00360162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 003601A6
Part of subcall function 00360162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 003601B1
Part of subcall function 00360162: MapVirtualKeyW.USER32(00000011,00000000), ref: 003601B9
Part of subcall function 00360162: MapVirtualKeyW.USER32(00000012,00000000), ref: 003601C1

Part of subcall function 003560F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0034F930), ref: 00356154

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0034F9CD
OleInitialize.OLE32(00000000), ref: 0034FA4A
CloseHandle.KERNEL32(00000000), ref: 003845C8

Strings

<W@, xrefs: 0034F930
\T@, xrefs: 0034F7F7
S@, xrefs: 0034F7EB
%=, xrefs: 0034F796, 0034F7A8, 0034F96E, 0034FA51

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: <W@$\T@$%=$S@
API String ID: 1986988660-3831757665
Opcode ID: c2d96dec79c104af2e11dc4bea63454cf92e5a7b11c6832678530a6ed6ee99cb
Instruction ID: 313ea6f997809685061c9951369ce616a3849886897e7fba559b1ebecbc0e22f
Opcode Fuzzy Hash: c2d96dec79c104af2e11dc4bea63454cf92e5a7b11c6832678530a6ed6ee99cb
Instruction Fuzzy Hash: 6A81BFB0911A40DFC785EF39AE49B9B7BE5EB88306750813AD418EB372E77448848F1D

Function 01694950 Relevance: 10.7, APIs: 7, Instructions: 151
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 01694995

Memory Dump Source

Source File: 00000000.00000002.1355885515.0000000001694000.00000040.00000020.00020000.00000000.sdmp, Offset: 01694000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1694000_OKkUGRkZV7.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
Instruction ID: bcaded4e2e0dbfae1f50678998e0db0a445838efd7326e3f4e8e01c07c616582
Opcode Fuzzy Hash: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
Instruction Fuzzy Hash: F6511975A10208FBEF20DFA4CD49FEE7778AF48711F108554FA0AEA284DB749646CB64

Function 003439D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00343A03
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00343A24
ShowWindow.USER32(00000000,?,?), ref: 00343A38
ShowWindow.USER32(00000000,?,?), ref: 00343A41

Strings

edit, xrefs: 00343A1E
AutoIt v3, xrefs: 003439FB, 00343A00, 00343A01

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 208c17a5ef6ba46f661b39db14d1884826d82dc76a4d4d5b4efc01fca6bfb1c1
Instruction ID: 4cddf0b51f4a1c5ddd6490b280d254647f40bd5fa17dda66e96a57cc2ac13fdb
Opcode Fuzzy Hash: 208c17a5ef6ba46f661b39db14d1884826d82dc76a4d4d5b4efc01fca6bfb1c1
Instruction Fuzzy Hash: 4DF01770500294BEEA2157236C0CE6B2E7EDBC6F50F00407EB904F2160C2751C10CEB4

Function 0034407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0037D3D7

Part of subcall function 00347BCC: _memmove.LIBCMT ref: 00347C06

_memset.LIBCMT ref: 003440FC
_wcscpy.LIBCMT ref: 00344150
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00344160

Strings

Line: , xrefs: 0037D400

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: faeb71b64ae831db37e097b12199472217e592ba5fe07bb293b9bca8d507f90d
Instruction ID: c16aaf4d0bb25f86cf3c57364ca424db892f517e0e2a649c894598f6e60f058b
Opcode Fuzzy Hash: faeb71b64ae831db37e097b12199472217e592ba5fe07bb293b9bca8d507f90d
Instruction Fuzzy Hash: 4C318D71008704AFD722EB60DC4AFEB77E8EF44304F20452EF5899A0A1DB74A658CB96

Function 0036541D Relevance: 7.7, APIs: 5, Instructions: 163
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 0036547B
_memcpy_s.LIBCMT ref: 003654ED
__read_nolock.LIBCMT ref: 0036554B
__filbuf.LIBCMT ref: 0036556E
_memset.LIBCMT ref: 003655B2

Part of subcall function 00368B28: __getptd_noexit.LIBCMT ref: 00368B28

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
Instruction ID: 01cc1000e36f6d3f7ef8eabdaea79b8c94eb07fe16afabe547ecf35df0b08ba4
Opcode Fuzzy Hash: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
Instruction Fuzzy Hash: A751F630A00B05DBCB278F69C88466E77B6AF41321F25C779F937962D8DB709D508B40

Function 0034686A Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 00344DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,004052F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00344E0F

_free.LIBCMT ref: 0037E263
_free.LIBCMT ref: 0037E2AA

Part of subcall function 00346A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00346BAD

Strings

Bad directive syntax error, xrefs: 0037E292
>>>AUTOIT SCRIPT<<<, xrefs: 0037E039

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: bbb2f7cdc1d7cd303da6163497366afe187bfe615d033ef053d02df8cb173c04
Instruction ID: b7db576c9d327fcc6f6cf5b1966d69aac9b90d0cf138ad7e7b869475a1a4cee1
Opcode Fuzzy Hash: bbb2f7cdc1d7cd303da6163497366afe187bfe615d033ef053d02df8cb173c04
Instruction Fuzzy Hash: 0D916E71910219DFCF16EFA4CC829EDB7B8FF09310B11846AF815AF2A2DB75A945CB50

Function 01696410 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 152fileCOMMON

Download Yara Rule

APIs

Part of subcall function 01696300: Sleep.KERNELBASE(000001F4), ref: 01696311

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0169653C

Strings

AZ5KC0NHA85O, xrefs: 016965BC, 016965BF

Memory Dump Source

Source File: 00000000.00000002.1355885515.0000000001694000.00000040.00000020.00020000.00000000.sdmp, Offset: 01694000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1694000_OKkUGRkZV7.jbxd

Similarity

API ID: CreateFileSleep
String ID: AZ5KC0NHA85O
API String ID: 2694422964-2268946937
Opcode ID: 49a5a048eadd298404188ff5733ac0b074aba741f74b1d6a120deca4f8ba826b
Instruction ID: ebb8dfb4fd380d14940ac93502bbe32d1963568140387cabe876f7c2e13dab9a
Opcode Fuzzy Hash: 49a5a048eadd298404188ff5733ac0b074aba741f74b1d6a120deca4f8ba826b
Instruction Fuzzy Hash: 35519070D14249EBEF11DBA4C815BEEBB79AF54300F004199E609BB2C0DB791B45CBA6

Function 003435B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,003435A1,SwapMouseButtons,00000004,?), ref: 003435D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,003435A1,SwapMouseButtons,00000004,?,?,?,?,00342754), ref: 003435F5
RegCloseKey.KERNELBASE(00000000,?,?,003435A1,SwapMouseButtons,00000004,?,?,?,?,00342754), ref: 00343617

Strings

Control Panel\Mouse, xrefs: 003435D2

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 55bb9b9100de5c1241f49691d31da5453977616c824d9726acc3d3927f329b0c
Instruction ID: de96766eb7374da28f2e1b2bc7a95a09846b954bf061f96a978116487ca974c0
Opcode Fuzzy Hash: 55bb9b9100de5c1241f49691d31da5453977616c824d9726acc3d3927f329b0c
Instruction Fuzzy Hash: EF114571614219BFDB229F64DC80EAEBBFDEF04740F128469E805DB210E275AE409BA0

Function 0036470A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 003647A0
__flush.LIBCMT ref: 003647C0
__write.LIBCMT ref: 003647F3
__flsbuf.LIBCMT ref: 00364821

Part of subcall function 00368B28: __getptd_noexit.LIBCMT ref: 00368B28

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction ID: 4fb870467ac3f892eb32d5d4856a26b373161b8ef3a4b2b368d3a744c5b3c5ea
Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction Fuzzy Hash: 7541F574F00746DBDB1ADFA9C8809AE7BA5EF46360B24C13DE825CB648EB71DD408B50

Function 003444A0 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003444CF

Part of subcall function 0034407C: _memset.LIBCMT ref: 003440FC
Part of subcall function 0034407C: _wcscpy.LIBCMT ref: 00344150
Part of subcall function 0034407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00344160

KillTimer.USER32(?,00000001,?,?), ref: 00344524
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00344533
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0037D4B9

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 091dc9ba0ec8dc874dae1067af21235dc623ac24a197a4c4769f0d9422732f3e
Instruction ID: c7ff32ba1e67925bb90fbf37ffc1a28d554dac0232db321b9546ab641df09b84
Opcode Fuzzy Hash: 091dc9ba0ec8dc874dae1067af21235dc623ac24a197a4c4769f0d9422732f3e
Instruction Fuzzy Hash: C621C270904784AFEB338B25D895BE7BBECAF06314F0444EDE69E9A181C7747A84CB51

Function 00344C70 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00344CBA

Strings

AU3!P/=, xrefs: 00344CB4
EA06, xrefs: 0037D8CC

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: _memmove
String ID: AU3!P/=$EA06
API String ID: 4104443479-3802933467
Opcode ID: 5a7eb806eeb6cb1aa863566d1b9355fc19560621c19f3d07ddfbc709697a7d9e
Instruction ID: 8a0a48c8410b0df0d6530bf2bc75d16efe9c0d2ac8e11b4bc35deb78873f26f2
Opcode Fuzzy Hash: 5a7eb806eeb6cb1aa863566d1b9355fc19560621c19f3d07ddfbc709697a7d9e
Instruction Fuzzy Hash: FB414C21E0415867DF239B5488917BE7BF6DF47300F288475EC86AF287D624BD4483A2

Function 00347285 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0037EA39
GetOpenFileNameW.COMDLG32(?), ref: 0037EA83

Part of subcall function 00344750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00344743,?,?,003437AE,?), ref: 00344770

Part of subcall function 00360791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 003607B0

Strings

X, xrefs: 0037EA51

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: d6f4777a282addaf0753e45c51edbfd591e21012c256af0d0adebc7786dc7976
Instruction ID: 7bb90effe6df22cb900613162b53f9b471ee3312159c883fc566318f47d00e97
Opcode Fuzzy Hash: d6f4777a282addaf0753e45c51edbfd591e21012c256af0d0adebc7786dc7976
Instruction Fuzzy Hash: E021C331A002489BCF539F94C845BEE7BFCAF49714F00805AE508AF241DFB869898FA1

Function 003A8D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 003A8DAC
__fread_nolock.LIBCMT ref: 003A8DC1

Strings

EA06, xrefs: 003A8DF3

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: eeacc4cd324213ad3751a55760f90277c5e6e832a784c4566e51770d09626869
Instruction ID: 76ea34248b154d0411742fdf25950f64fcc001384085ebf75bb5402a1688b915
Opcode Fuzzy Hash: eeacc4cd324213ad3751a55760f90277c5e6e832a784c4566e51770d09626869
Instruction Fuzzy Hash: FE01F9718042187EDB19CBA8CC1AEFEBBF8DB11301F00419AF552D6181E975A6048760

Function 01695030 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 01695075
ExitProcess.KERNEL32(00000000), ref: 01695094

Strings

D, xrefs: 01695041

Memory Dump Source

Source File: 00000000.00000002.1355885515.0000000001694000.00000040.00000020.00020000.00000000.sdmp, Offset: 01694000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1694000_OKkUGRkZV7.jbxd

Similarity

API ID: Process$CreateExit
String ID: D
API String ID: 126409537-2746444292
Opcode ID: 359d21864460d0aa6716f03c0fb9f93045a71ab212c145842ddc1246808d9d7c
Instruction ID: fe19dcbd0d2593e81a54b03eedc5c148391c9c1b797cc868e76ea8ef7a7ed909
Opcode Fuzzy Hash: 359d21864460d0aa6716f03c0fb9f93045a71ab212c145842ddc1246808d9d7c
Instruction Fuzzy Hash: E9F0EC7294024CABDF60DFE0CC49FEE777CBF04701F008509BA0A9A184DA7896088BA5

Function 003A98E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 003A98F8
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 003A990F

Strings

aut, xrefs: 003A9909

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 20cb189f165e890caa742136586d450f31f66aa90a818eb7c28f59e7128a12f3
Instruction ID: e5731f6acfb206bc074afbace39c3bc9ef32a5bc54be1774bb184427ea3c021b
Opcode Fuzzy Hash: 20cb189f165e890caa742136586d450f31f66aa90a818eb7c28f59e7128a12f3
Instruction Fuzzy Hash: 08D05B7954030D6FDB519B90DC0DFEA773CD704700F0006B1FB54D1091DA7065548B91

Function 003BCADD Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 520f28c805d5b1faf6a8489b914900756ca30626c9cbfad81005b39d8dbfc7fd
Instruction ID: d8d805587ed861408fd26fa3d90965cced4ff3437b4cadd5e0302c94870f5250
Opcode Fuzzy Hash: 520f28c805d5b1faf6a8489b914900756ca30626c9cbfad81005b39d8dbfc7fd
Instruction Fuzzy Hash: 43F16B746083009FCB25DF28C480A6ABBE5FF89318F14896EF9999B351D730E945CF82

Function 0034434A Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00344370
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00344415
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00344432

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: ef438f445b52b6c7baab905c643a5438d8fcbc53a2798751c36ffa8d8fc20a68
Instruction ID: 9943573bf5872e46f5bb746f59258e5346dede7aea19bed33f79336f10f3d980
Opcode Fuzzy Hash: ef438f445b52b6c7baab905c643a5438d8fcbc53a2798751c36ffa8d8fc20a68
Instruction Fuzzy Hash: 8C317AB05057018FC722DF24D884B9BBBF8FF48708F00093EE69A9A251E770A944CB96

Function 0036571C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00365733

Part of subcall function 0036A16B: __NMSG_WRITE.LIBCMT ref: 0036A192
Part of subcall function 0036A16B: __NMSG_WRITE.LIBCMT ref: 0036A19C

__NMSG_WRITE.LIBCMT ref: 0036573A

Part of subcall function 0036A1C8: GetModuleFileNameW.KERNEL32(00000000,004033BA,00000104,?,00000001,00000000), ref: 0036A25A
Part of subcall function 0036A1C8: ___crtMessageBoxW.LIBCMT ref: 0036A308

Part of subcall function 0036309F: ___crtCorExitProcess.LIBCMT ref: 003630A5
Part of subcall function 0036309F: ExitProcess.KERNEL32 ref: 003630AE

Part of subcall function 00368B28: __getptd_noexit.LIBCMT ref: 00368B28

RtlAllocateHeap.NTDLL(015F0000,00000000,00000001,00000000,?,?,?,00360DD3,?), ref: 0036575F

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 11d6d23cab7aaaf6795d176bb4da595120b656208b75321c09b9e4bd5187e7e1
Instruction ID: fe428e74864ade12edf8e0d020e001b162799db9f581b75fd37d252e1983a3d6
Opcode Fuzzy Hash: 11d6d23cab7aaaf6795d176bb4da595120b656208b75321c09b9e4bd5187e7e1
Instruction Fuzzy Hash: 1101B135240B01DED6133B39EC92A2E778C9B82762F21853AF505AF2CADFB09C004665

Function 003A98A2 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,003A9548,?,?,?,?,?,00000004), ref: 003A98BB
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,003A9548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 003A98D1
CloseHandle.KERNEL32(00000000,?,003A9548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 003A98D8

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 019bc84b8cadfdf9b893be0f94ed861fd07299f87610093a39b46c5452f91d7d
Instruction ID: f2c6a46f0cbfdb206c90da058942020aedaadbf6100e85139cf9000c1c1dcbad
Opcode Fuzzy Hash: 019bc84b8cadfdf9b893be0f94ed861fd07299f87610093a39b46c5452f91d7d
Instruction Fuzzy Hash: 06E08632141214BBD7232B54EC09FDA7B1EEB06760F144221FB14B90E087B125119798

Function 003A8D0D Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 003A8D1B

Part of subcall function 00362D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00369A24), ref: 00362D69
Part of subcall function 00362D55: GetLastError.KERNEL32(00000000,?,00369A24), ref: 00362D7B

_free.LIBCMT ref: 003A8D2C
_free.LIBCMT ref: 003A8D3E

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
Instruction ID: e6e6b3f99d924059397f329faa5d2134686a5525e6233d80333ffa7ff4749fd4
Opcode Fuzzy Hash: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
Instruction Fuzzy Hash: 55E012A1601A014ACB26A778A940A9363DC9F59352716491DB46DEB18ADE64F8428124

Function 0034A9C3 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 0037FC01

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: 64a66ddff7ee7a6e600b16fdbe7f739d4b118f2533e9462eded6bc390acabb49
Instruction ID: 23d650859c0add4e19b20d86fbc0fe72098bcb1850ddfb4f9f11d18e6fa2f0c8
Opcode Fuzzy Hash: 64a66ddff7ee7a6e600b16fdbe7f739d4b118f2533e9462eded6bc390acabb49
Instruction Fuzzy Hash: 23225770608701DFCB26DF14C491A2AB7E5FF85304F15896DE89A9F262D735EC85CB82

Function 00347A51 Relevance: 3.1, APIs: 2, Instructions: 97COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00347AAB
_memmove.LIBCMT ref: 00347B16

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 75b3ef76dc9c1d7680ff1126038a0b5bca49f3ec50bdc15de679bd26e1e87542
Instruction ID: 462fc9e5272a08fa7bbceacb7ba8f13ef6c6f69cf7e848045397efce91565fd0
Opcode Fuzzy Hash: 75b3ef76dc9c1d7680ff1126038a0b5bca49f3ec50bdc15de679bd26e1e87542
Instruction Fuzzy Hash: 0A316FB1604606AFC715DF68D891E69B3E9FF483207158629E519CF791EB30F960CB90

Function 003447D0 Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00344834

Part of subcall function 0036336C: __lock.LIBCMT ref: 00363372
Part of subcall function 0036336C: DecodePointer.KERNEL32(00000001,?,00344849,00397C74), ref: 0036337E
Part of subcall function 0036336C: EncodePointer.KERNEL32(?,?,00344849,00397C74), ref: 00363389

Part of subcall function 003448FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00344915
Part of subcall function 003448FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0034492A

Part of subcall function 00343B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00343B68
Part of subcall function 00343B3A: IsDebuggerPresent.KERNEL32 ref: 00343B7A
Part of subcall function 00343B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,004052F8,004052E0,?,?), ref: 00343BEB
Part of subcall function 00343B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00343C6F

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00344874

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: 8d43a570cb64182e7ba2ee273ee5ea8710ad6a4110da480f31e302175b104923
Instruction ID: 431153d9e01787c68dbd5bec3596ad72c80f8445593bbbb8dc7784071e61b658
Opcode Fuzzy Hash: 8d43a570cb64182e7ba2ee273ee5ea8710ad6a4110da480f31e302175b104923
Instruction Fuzzy Hash: F1118C719083059FC701DF28D945A0FBBE8EF85750F10452EF041AB2B1DBB0A954CF96

Function 00360DB6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0036571C: __FF_MSGBANNER.LIBCMT ref: 00365733
Part of subcall function 0036571C: __NMSG_WRITE.LIBCMT ref: 0036573A
Part of subcall function 0036571C: RtlAllocateHeap.NTDLL(015F0000,00000000,00000001,00000000,?,?,?,00360DD3,?), ref: 0036575F

std::exception::exception.LIBCMT ref: 00360DEC
__CxxThrowException@8.LIBCMT ref: 00360E01

Part of subcall function 0036859B: RaiseException.KERNEL32(?,?,?,003F9E78,00000000,?,?,?,?,00360E06,?,003F9E78,?,00000001), ref: 003685F0

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 5bff39cfa7816052080228a3240d374480ddeb2a785ffcd383199f6b6e78babf
Instruction ID: 7a40f65f548ed55c93cf02b118a43e5042f2a5c9d4f1f19aaa532eb0b9f5fe6c
Opcode Fuzzy Hash: 5bff39cfa7816052080228a3240d374480ddeb2a785ffcd383199f6b6e78babf
Instruction Fuzzy Hash: ECF0287650031D66CB17BB95EC02ADF7BAC9F15311F108526FD189A289DFB19A40C2D1

Function 003655FD Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0036562C
__lock_file.LIBCMT ref: 0036564D

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: 1fe0a7773ae174da7688353143dbf989e03a4360fd42f749928f24d3506ae0e2
Instruction ID: 727095f3e9e1105590fa57663a7cc804e3b72255babf5e04c946c65c04dae5d6
Opcode Fuzzy Hash: 1fe0a7773ae174da7688353143dbf989e03a4360fd42f749928f24d3506ae0e2
Instruction Fuzzy Hash: AC01F771800A08EBCF13AF69DC028AE7B61AF50361F41C225F8241F199DB718A11DFA1

Function 003653A6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00368B28: __getptd_noexit.LIBCMT ref: 00368B28

__lock_file.LIBCMT ref: 003653EB

Part of subcall function 00366C11: __lock.LIBCMT ref: 00366C34

__fclose_nolock.LIBCMT ref: 003653F6

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 40a13043c3675881375eb4f9461b1b8dde9900a53821d395dcef09bb655ddb65
Instruction ID: a9960116f1e6288233470dea5167a54e3d44202e901d6b8837a6d8dcda38d65c
Opcode Fuzzy Hash: 40a13043c3675881375eb4f9461b1b8dde9900a53821d395dcef09bb655ddb65
Instruction Fuzzy Hash: 41F09671800A059ADB136F6598027AD7AE06F41774F35C319E424AF2C9CFBC49419B51

Function 016950A0 Relevance: 1.7, APIs: 1, Instructions: 169COMMON

Download Yara Rule

APIs

Part of subcall function 01694910: GetFileAttributesW.KERNELBASE(?), ref: 0169491B

CreateDirectoryW.KERNELBASE(?,00000000), ref: 01695205

Memory Dump Source

Source File: 00000000.00000002.1355885515.0000000001694000.00000040.00000020.00020000.00000000.sdmp, Offset: 01694000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1694000_OKkUGRkZV7.jbxd

Similarity

API ID: AttributesCreateDirectoryFile
String ID:
API String ID: 3401506121-0
Opcode ID: 8b1c7563f997010c8cb8e7eb47c063bef6c3542d808756ee285f79c16ecb0b7f
Instruction ID: 69a306d2764b81b70cb2880dc9186c97a64535f7a3e8042f3c93b3b1a78cca64
Opcode Fuzzy Hash: 8b1c7563f997010c8cb8e7eb47c063bef6c3542d808756ee285f79c16ecb0b7f
Instruction Fuzzy Hash: E3516E31A1020997EF14DFA4D854BEE737AFF58300F00856DE609E7290EB759A45C7A5

Function 00360C08 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00360CB7

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: ad6915fd89b7503fc063a0e8f439e4519d5b14d072d1c79b3466c1e74706038a
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 3831E070A001059FC71ADF48C486A6AFBB6FB49300B25C6A5E80ACF759DB31EDD1DB90

Function 0037FCAC Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0037FCB7

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 37774f10c01b2d96019bb3af34ff6be684d20039d7083ddbecf907c4fbb05ac4
Instruction ID: 45b2c9f108318b90d74cbfdee242a2864d86dd664c6fc2d4fa596bcf3d14e72c
Opcode Fuzzy Hash: 37774f10c01b2d96019bb3af34ff6be684d20039d7083ddbecf907c4fbb05ac4
Instruction Fuzzy Hash: 4841F3746087518FDB26DF14C494B1ABBE1BF45318F0988ACE8998B762C736FC45CB52

Function 00347B53 Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00347BB3

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: e886819d3f6e044e098e9c9e7f01cc26c8f53719d4f6f569ecf1baea26ddc641
Instruction ID: 35cb93b79d0e1b97dbe6e1c0871cd79fa76b1470fd2db256dcca1e8975d7522f
Opcode Fuzzy Hash: e886819d3f6e044e098e9c9e7f01cc26c8f53719d4f6f569ecf1baea26ddc641
Instruction Fuzzy Hash: 54210872614A09EBDB278F15E84177A7BF8FB18350F21C56EE449C91A0EB3091D0D745

Function 003606FE Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0a7fdcf8f26cf7499cf53811273db1d038b19e08a758a41fabadd13cc4981c7
Instruction ID: 47d996a051046e28276ae12d9842644ee1e03908dbb10dfa4453b0ca76536535
Opcode Fuzzy Hash: f0a7fdcf8f26cf7499cf53811273db1d038b19e08a758a41fabadd13cc4981c7
Instruction Fuzzy Hash: FE210535109B50AFC7338F24D842AE7BBE8EF42311B0185BEF8488BD55D7344AA5CBA1

Function 00344DDD Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00344BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00344BEF

Part of subcall function 0036525B: __wfsopen.LIBCMT ref: 00365266

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,004052F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00344E0F

Part of subcall function 00344B6A: FreeLibrary.KERNEL32(00000000), ref: 00344BA4

Part of subcall function 00344C70: _memmove.LIBCMT ref: 00344CBA

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: 882dde8a0dacb5b476d977cb304547aefbc0aa05fafd553de23307d3e3f07a9c
Instruction ID: 5649d42aa68ad503735dc54581d0379c21dc689babb9ea63a0b1e2f61870ff9c
Opcode Fuzzy Hash: 882dde8a0dacb5b476d977cb304547aefbc0aa05fafd553de23307d3e3f07a9c
Instruction Fuzzy Hash: 4E11A331600205ABCF27AF70D816FAD77E9EF44710F108839F541AF181EA75AE559B51

Function 0037FD85 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 0037FD91

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: e808ccd9a958540cf11c380576508a1a0f8c08c9294c65a071cf3dabd39b74c8
Instruction ID: 5138e0ac444cb0f8980286bd97e470c7a41474ac311e47054443ef5433e6e8ff
Opcode Fuzzy Hash: e808ccd9a958540cf11c380576508a1a0f8c08c9294c65a071cf3dabd39b74c8
Instruction Fuzzy Hash: 93210474A08701DFCB16DF64C444A1ABBE5BF85314F05896CE8899B761D731F809CB92

Function 0039F73D Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0039F778

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 1ae1c48679b6b2f114c07c9a019fded545236127864d2326fb7410a615e64069
Instruction ID: 142c24800aa48951444e9e7bbf77153a4b4c0d0afed6d0ecaf9f27d4f34f8967
Opcode Fuzzy Hash: 1ae1c48679b6b2f114c07c9a019fded545236127864d2326fb7410a615e64069
Instruction Fuzzy Hash: EA01D172200225ABCB19DF2DC8819ABB7A9EF85364714843EE90ACF205E631E90187A0

Function 00364863 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 003648A6

Part of subcall function 00368B28: __getptd_noexit.LIBCMT ref: 00368B28

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: cf14e3f48ebb70675c1cc31ac62b035473c01f6b3d6db1a179e456d95e37a397
Instruction ID: dd985b371327945350ce760b672fb30f602ac6707d3aca785c2d9663e70c2238
Opcode Fuzzy Hash: cf14e3f48ebb70675c1cc31ac62b035473c01f6b3d6db1a179e456d95e37a397
Instruction Fuzzy Hash: 35F0AF71D00609ABDF13AFA88C067AE36A1AF00325F15C514F4249F199CBB9C951DF51

Function 00344E4A Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,004052F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00344E7E

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: f655ff83fe0df26ba1b1339a6eb0e63f1e108d1a3bf1138aaf267e173edc5f19
Instruction ID: c026a941badee23cc9ac704594b736abf63a7e956631a39d4f9b0719f768549f
Opcode Fuzzy Hash: f655ff83fe0df26ba1b1339a6eb0e63f1e108d1a3bf1138aaf267e173edc5f19
Instruction Fuzzy Hash: 25F06D71501711CFCB369F64E494912BBF5BF143293258A3EE1D78AA20C772B880DF40

Function 00360791 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 003607B0

Part of subcall function 00347BCC: _memmove.LIBCMT ref: 00347C06

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: 2c6d64d83487c6f8a0654c70a4378690e1e117302aae80a131cd074c06d6779c
Instruction ID: 16d10b178b5dae8ea05da1d157e944104e5262aa7e75098c33357669db383a2d
Opcode Fuzzy Hash: 2c6d64d83487c6f8a0654c70a4378690e1e117302aae80a131cd074c06d6779c
Instruction Fuzzy Hash: D4E0CD379041285BC722D65C9C05FEA77DDDF897A0F0441B5FD0CDB204DA64AC8087D0

Function 003A8E9F Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 003A8EC1

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
Instruction ID: fc83322b9bb4898e0730ab9b07c6f2d628602ddd62720cccce0eeaebcb365663
Opcode Fuzzy Hash: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
Instruction Fuzzy Hash: 75E092B0504B009BD7398B24D800BA373E1EB06304F00091DF2AB83241EB6278418759

Function 01694910 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 0169491B

Memory Dump Source

Source File: 00000000.00000002.1355885515.0000000001694000.00000040.00000020.00020000.00000000.sdmp, Offset: 01694000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1694000_OKkUGRkZV7.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction ID: 49bbc72d91e30191ad65715fbfbef5670d62168474abe0d4d5248d1cbd2280f8
Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction Fuzzy Hash: ABE08C32A05208EBDF20CEA88E14BA973ACD706320F004754E90AC3380DA318A439614

Function 016948E0 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 016948EB

Memory Dump Source

Source File: 00000000.00000002.1355885515.0000000001694000.00000040.00000020.00020000.00000000.sdmp, Offset: 01694000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1694000_OKkUGRkZV7.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction ID: e7882d4ab05795fd1437cc505ffea2fad405148888854d8923de39101cf32ff1
Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction Fuzzy Hash: 5DD0A73090620CEBCF10CFB8AE049DA77ACDB04320F004754FD15C7281DA319941D790

Function 0036525B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00365266

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: 1826a141e7f02041c754d832ff0ba665d823d52e81cb0b01d15ef6abd7d0e8ee
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: 18B0927644020C77CE022A82EC02A493B299B41764F408020FB0C1C162A673A6649A89

Function 016962FC Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 01696311

Memory Dump Source

Source File: 00000000.00000002.1355885515.0000000001694000.00000040.00000020.00020000.00000000.sdmp, Offset: 01694000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1694000_OKkUGRkZV7.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: 40f047ab5acdfc7e248f06dcabe9d6a8c5fab7b3b51ca721a68e3389ca672630
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: AAE09A7494020DAFDB00EFB4D94969E7BB4EF04301F1005A1FD0596681DA319A548A62

Function 01696300 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 01696311

Memory Dump Source

Source File: 00000000.00000002.1355885515.0000000001694000.00000040.00000020.00020000.00000000.sdmp, Offset: 01694000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1694000_OKkUGRkZV7.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: a139fd02ecc4d0688fad4978bcd0f10d4e92ba9744d9538ee2d2641108514a98
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 8DE0E67494020DDFDB00EFB4D94969E7FB4EF04301F100161FD01D2281D6319D508A62

Non-executed Functions

Function 003CCABC Relevance: 75.9, APIs: 40, Strings: 3, Instructions: 632windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00342612: GetWindowLongW.USER32(?,000000EB), ref: 00342623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 003CCB37
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 003CCB95
GetWindowLongW.USER32(?,000000F0), ref: 003CCBD6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 003CCC00
SendMessageW.USER32 ref: 003CCC29
_wcsncpy.LIBCMT ref: 003CCC95
GetKeyState.USER32(00000011), ref: 003CCCB6
GetKeyState.USER32(00000009), ref: 003CCCC3
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 003CCCD9
GetKeyState.USER32(00000010), ref: 003CCCE3
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 003CCD0C
SendMessageW.USER32 ref: 003CCD33
SendMessageW.USER32(?,00001030,?,003CB348), ref: 003CCE37
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 003CCE4D
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 003CCE60
SetCapture.USER32(?), ref: 003CCE69
ClientToScreen.USER32(?,?), ref: 003CCECE
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 003CCEDB
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 003CCEF5
ReleaseCapture.USER32 ref: 003CCF00
GetCursorPos.USER32(?), ref: 003CCF3A
ScreenToClient.USER32(?,?), ref: 003CCF47
SendMessageW.USER32(?,00001012,00000000,?), ref: 003CCFA3
SendMessageW.USER32 ref: 003CCFD1
SendMessageW.USER32(?,00001111,00000000,?), ref: 003CD00E
SendMessageW.USER32 ref: 003CD03D
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 003CD05E
SendMessageW.USER32(?,0000110B,00000009,?), ref: 003CD06D
GetCursorPos.USER32(?), ref: 003CD08D
ScreenToClient.USER32(?,?), ref: 003CD09A
GetParent.USER32(?), ref: 003CD0BA
SendMessageW.USER32(?,00001012,00000000,?), ref: 003CD123
SendMessageW.USER32 ref: 003CD154
ClientToScreen.USER32(?,?), ref: 003CD1B2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 003CD1E2
SendMessageW.USER32(?,00001111,00000000,?), ref: 003CD20C
SendMessageW.USER32 ref: 003CD22F
ClientToScreen.USER32(?,?), ref: 003CD281
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 003CD2B5

Part of subcall function 003425DB: GetWindowLongW.USER32(?,000000EB), ref: 003425EC

GetWindowLongW.USER32(?,000000F0), ref: 003CD351

Strings

@GUI_DRAGID, xrefs: 003CCE9C
F, xrefs: 003CD235
pb@, xrefs: 003CCEAF

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F$pb@
API String ID: 3977979337-1958197849
Opcode ID: 290686a024506676675a4fa987535de2edd485cf6f6373e007acbcb14f7e8e0e
Instruction ID: 137ed192ac2cfa7c2d0b0f0bf9e72148bc668a33cf0d3a6874a66fa70da5d59e
Opcode Fuzzy Hash: 290686a024506676675a4fa987535de2edd485cf6f6373e007acbcb14f7e8e0e
Instruction Fuzzy Hash: 39428A35214240AFDB22DF64C848FAABBE9FF49310F15492DF659DB2A0C731AC51DB91

Function 00356F9E Relevance: 55.8, APIs: 19, Strings: 10, Instructions: 5018COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 003571C3
_memset.LIBCMT ref: 00357539
_memmove.LIBCMT ref: 003576AC

Strings

]?, xrefs: 00391A22
P\?, xrefs: 00391AB8
[:>:]], xrefs: 00357492
3c5, xrefs: 003923A0
Q\E, xrefs: 00357FCB
[:<:]], xrefs: 00357479
_5, xrefs: 003923CB
\b(?=\w), xrefs: 00393769
DEFINE, xrefs: 00392103
\b(?<=\w), xrefs: 00393773

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: _memmove$_memset
String ID: ]?$3c5$DEFINE$P\?$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)$_5
API String ID: 1357608183-2281723495
Opcode ID: c000aeea39527d0ee249ba9fa581ae8f2311236d1f9aef0b7b425f0712274bdd
Instruction ID: e6f46c7a0f90dd140bcb78b5af1e7dc7719b810e6bcade37240950b3a4636edf
Opcode Fuzzy Hash: c000aeea39527d0ee249ba9fa581ae8f2311236d1f9aef0b7b425f0712274bdd
Instruction Fuzzy Hash: C793A075E04219DBDF26CF98D881BADB7B1FF48310F25816AE945AB391E7709E81CB40

Function 003448D7 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 003448DF
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0037D665
IsIconic.USER32(?), ref: 0037D66E
ShowWindow.USER32(?,00000009), ref: 0037D67B
SetForegroundWindow.USER32(?), ref: 0037D685
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0037D69B
GetCurrentThreadId.KERNEL32 ref: 0037D6A2
GetWindowThreadProcessId.USER32(?,00000000), ref: 0037D6AE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0037D6BF
AttachThreadInput.USER32(?,00000000,00000001), ref: 0037D6C7
AttachThreadInput.USER32(00000000,?,00000001), ref: 0037D6CF
SetForegroundWindow.USER32(?), ref: 0037D6D2
MapVirtualKeyW.USER32(00000012,00000000), ref: 0037D6E7
keybd_event.USER32(00000012,00000000), ref: 0037D6F2
MapVirtualKeyW.USER32(00000012,00000000), ref: 0037D6FC
keybd_event.USER32(00000012,00000000), ref: 0037D701
MapVirtualKeyW.USER32(00000012,00000000), ref: 0037D70A
keybd_event.USER32(00000012,00000000), ref: 0037D70F
MapVirtualKeyW.USER32(00000012,00000000), ref: 0037D719
keybd_event.USER32(00000012,00000000), ref: 0037D71E
SetForegroundWindow.USER32(?), ref: 0037D721
AttachThreadInput.USER32(?,?,00000000), ref: 0037D748

Strings

Shell_TrayWnd, xrefs: 0037D660

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 7f49a6566f40433d50aab7266e686a7c9c9cc16e0afaaf333c93c7d45b9bcd2f
Instruction ID: 092e0ae0e34ea811e8681c2c7415e6d491c24b526ee3bd6598968eb79b335587
Opcode Fuzzy Hash: 7f49a6566f40433d50aab7266e686a7c9c9cc16e0afaaf333c93c7d45b9bcd2f
Instruction Fuzzy Hash: E2317271A40318BFEB226F619C89F7F7E6DEF44B50F114025FA09EA1D1C6B46910ABA0

Function 00398310 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 003987E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0039882B
Part of subcall function 003987E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00398858
Part of subcall function 003987E1: GetLastError.KERNEL32 ref: 00398865

_memset.LIBCMT ref: 00398353
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 003983A5
CloseHandle.KERNEL32(?), ref: 003983B6
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 003983CD
GetProcessWindowStation.USER32 ref: 003983E6
SetProcessWindowStation.USER32(00000000), ref: 003983F0
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0039840A

Part of subcall function 003981CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00398309), ref: 003981E0
Part of subcall function 003981CB: CloseHandle.KERNEL32(?,?,00398309), ref: 003981F2

Strings

winsta0, xrefs: 003983C8
default, xrefs: 00398405
, xrefs: 00398362

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: e95445e5511a55e4fa238e9c714c34f1cd8bb66df12f9d858a2bf3631b2f5002
Instruction ID: 9b1eacead49812b5726ed859b0b634bb0fa4e7f998a0c7fa39c4e35ec69fdf62
Opcode Fuzzy Hash: e95445e5511a55e4fa238e9c714c34f1cd8bb66df12f9d858a2bf3631b2f5002
Instruction Fuzzy Hash: 2A8177B1900209AFDF129FA5CC45EFEBBB9FF46304F158169F910A6261DB319E18DB20

Function 003AC75C Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 003AC78D
FindClose.KERNEL32(00000000), ref: 003AC7E1
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 003AC806
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 003AC81D
FileTimeToSystemTime.KERNEL32(?,?), ref: 003AC844
__swprintf.LIBCMT ref: 003AC890
__swprintf.LIBCMT ref: 003AC8D3

Part of subcall function 00347DE1: _memmove.LIBCMT ref: 00347E22

__swprintf.LIBCMT ref: 003AC927

Part of subcall function 00363698: __woutput_l.LIBCMT ref: 003636F1

__swprintf.LIBCMT ref: 003AC975

Part of subcall function 00363698: __flsbuf.LIBCMT ref: 00363713
Part of subcall function 00363698: __flsbuf.LIBCMT ref: 0036372B

__swprintf.LIBCMT ref: 003AC9C4
__swprintf.LIBCMT ref: 003ACA13
__swprintf.LIBCMT ref: 003ACA62

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 003AC88A
%02d, xrefs: 003AC91B, 003AC925, 003AC973, 003AC9C2, 003ACA11, 003ACA60
%4d, xrefs: 003AC8CD

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: e08f3ca68430eaa0e8d88dddde65d79a1963b31120a7d56f86151dc3e746735b
Instruction ID: 10e154fb380002d15e9106d4c942cd221b7391c61119022ec1b616356a3888b9
Opcode Fuzzy Hash: e08f3ca68430eaa0e8d88dddde65d79a1963b31120a7d56f86151dc3e746735b
Instruction Fuzzy Hash: C6A120B1414345ABC712EFA4C885EAFB7ECFF95704F40491AF595CA191EB34EA08CB62

Function 003AEF95 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,756E8FB0,?,00000000), ref: 003AEFB6
_wcscmp.LIBCMT ref: 003AEFCB
_wcscmp.LIBCMT ref: 003AEFE2
GetFileAttributesW.KERNEL32(?), ref: 003AEFF4
SetFileAttributesW.KERNEL32(?,?), ref: 003AF00E
FindNextFileW.KERNEL32(00000000,?), ref: 003AF026
FindClose.KERNEL32(00000000), ref: 003AF031
FindFirstFileW.KERNEL32(*.*,?), ref: 003AF04D
_wcscmp.LIBCMT ref: 003AF074
_wcscmp.LIBCMT ref: 003AF08B
SetCurrentDirectoryW.KERNEL32(?), ref: 003AF09D
SetCurrentDirectoryW.KERNEL32(003F8920), ref: 003AF0BB
FindNextFileW.KERNEL32(00000000,00000010), ref: 003AF0C5
FindClose.KERNEL32(00000000), ref: 003AF0D2
FindClose.KERNEL32(00000000), ref: 003AF0E4

Strings

*.*, xrefs: 003AF048

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 610c79404053e4166d26f7911f14b8d9e19d529f73e8993a812e91985bca2a4a
Instruction ID: aaf96ae10375eadcf8459bfa240e75b1c46f19a1d5243a549438dfa551179261
Opcode Fuzzy Hash: 610c79404053e4166d26f7911f14b8d9e19d529f73e8993a812e91985bca2a4a
Instruction Fuzzy Hash: B031BF365012186EDB16EBB4EC48EEEB7ADDF4A360F114176E904E30A1DB70EE44CB65

Function 003566E1 Relevance: 27.1, Strings: 21, Instructions: 889COMMON

Download Yara Rule

Strings

NO_START_OPT), xrefs: 0039114F
NO_AUTO_POSSESS), xrefs: 0039112E
LIMIT_RECURSION=, xrefs: 003911FC
UTF), xrefs: 003910FA
csd2e6tcsd8e6tcsdbe6tcsd4e6tcsd5e6tcsdee6tcsd4e6tcsd5e6tcsd0e6tcsd8e6tcsdbe6tcsd4e6tcsdde6tcsdfe6tcsd8e6tcsd5e6tcsd1e6tcsd8e6tcsdb, xrefs: 003567AB
ANYCRLF), xrefs: 003912FB
LIMIT_MATCH=, xrefs: 00391170
LF), xrefs: 003912A4
0D>, xrefs: 00356733
3c5, xrefs: 003568FF
_5, xrefs: 00391465, 0039150C, 003915B4
CR), xrefs: 00391287
UTF16), xrefs: 003910CF
pG>, xrefs: 00356751
BSR_UNICODE), xrefs: 00391338
0E>, xrefs: 0035673D
0F>, xrefs: 00356747
ANY), xrefs: 003912DE
CRLF), xrefs: 003912C1
UCP), xrefs: 0039110D
BSR_ANYCRLF), xrefs: 0039131E

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID:
String ID: 0D>$0E>$0F>$3c5$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$csd2e6tcsd8e6tcsdbe6tcsd4e6tcsd5e6tcsdee6tcsd4e6tcsd5e6tcsd0e6tcsd8e6tcsdbe6tcsd4e6tcsdde6tcsdfe6tcsd8e6tcsd5e6tcsd1e6tcsd8e6tcsdb$pG>$_5
API String ID: 0-300307796
Opcode ID: 9bb2de73420199f05d5f8bc667b868f48940881e865b30b332cffcb08809946b
Instruction ID: f06de2abe21fe81f4a08969e224642d17ecab9a997c793b2c82db166ae341fb5
Opcode Fuzzy Hash: 9bb2de73420199f05d5f8bc667b868f48940881e865b30b332cffcb08809946b
Instruction Fuzzy Hash: 8D727075E0021A9BDF16CF59C881BAEB7B5FF48310F55816AE805FB690E7309E85CB90

Function 003C0857 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 003C0953
RegCreateKeyExW.ADVAPI32(?,?,00000000,003CF910,00000000,?,00000000,?,?), ref: 003C09C1
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 003C0A09
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 003C0A92
RegCloseKey.ADVAPI32(?), ref: 003C0DB2
RegCloseKey.ADVAPI32(00000000), ref: 003C0DBF

Strings

REG_EXPAND_SZ, xrefs: 003C0A2F
REG_DWORD, xrefs: 003C0C83
REG_MULTI_SZ, xrefs: 003C0B7A
REG_SZ, xrefs: 003C0AD0
REG_QWORD, xrefs: 003C0D00
REG_BINARY, xrefs: 003C0D4D

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: d08a657bab6b3d3f6027fb628c8e1093da9d674af4184efb9493d36125e6e7a9
Instruction ID: 4956a700ae72bc36828af50130498971e7eec188834f4b791a9b4443a078b77e
Opcode Fuzzy Hash: d08a657bab6b3d3f6027fb628c8e1093da9d674af4184efb9493d36125e6e7a9
Instruction Fuzzy Hash: 640225756006519FCB16EF28C845E2AB7E5EF89710F05885DF88A9F262CB31FC41CB81

Function 003AF0F2 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,756E8FB0,?,00000000), ref: 003AF113
_wcscmp.LIBCMT ref: 003AF128
_wcscmp.LIBCMT ref: 003AF13F

Part of subcall function 003A4385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 003A43A0

FindNextFileW.KERNEL32(00000000,?), ref: 003AF16E
FindClose.KERNEL32(00000000), ref: 003AF179
FindFirstFileW.KERNEL32(*.*,?), ref: 003AF195
_wcscmp.LIBCMT ref: 003AF1BC
_wcscmp.LIBCMT ref: 003AF1D3
SetCurrentDirectoryW.KERNEL32(?), ref: 003AF1E5
SetCurrentDirectoryW.KERNEL32(003F8920), ref: 003AF203
FindNextFileW.KERNEL32(00000000,00000010), ref: 003AF20D
FindClose.KERNEL32(00000000), ref: 003AF21A
FindClose.KERNEL32(00000000), ref: 003AF22C

Strings

*.*, xrefs: 003AF190

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 4dac008f8eed7ccffb533da1c902320119bc1aa0334a1edf778f53856a95cb50
Instruction ID: 7016533af811cbc2aca2673339153cf5ad3aa2ec515d4b8d3c828020e53dc552
Opcode Fuzzy Hash: 4dac008f8eed7ccffb533da1c902320119bc1aa0334a1edf778f53856a95cb50
Instruction Fuzzy Hash: 9231CE3A50021DAECB26ABA4EC49FEE77ADDF86360F114575E900E30A0DB70DE45CB64

Function 003AA1EF Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 003AA20F
__swprintf.LIBCMT ref: 003AA231
CreateDirectoryW.KERNEL32(?,00000000), ref: 003AA26E
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 003AA293
_memset.LIBCMT ref: 003AA2B2
_wcsncpy.LIBCMT ref: 003AA2EE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 003AA323
CloseHandle.KERNEL32(00000000), ref: 003AA32E
RemoveDirectoryW.KERNEL32(?), ref: 003AA337
CloseHandle.KERNEL32(00000000), ref: 003AA341

Strings

\??\%s, xrefs: 003AA22B
:, xrefs: 003AA252
\, xrefs: 003AA247

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: b939e1d002bd0a31e2cf44611d6e05ab3797fd2b39f008baea8dd89fb2212425
Instruction ID: 45e6b2d6c483cc2b822ff0170667f2a1cd062632921dbb44b83b3abb4199eda3
Opcode Fuzzy Hash: b939e1d002bd0a31e2cf44611d6e05ab3797fd2b39f008baea8dd89fb2212425
Instruction Fuzzy Hash: BC31E8B6500109ABDB22DFA0DC45FEB77BDEF89740F1040B6F508D61A0E7749644CB25

Function 003A001C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 003A0097
SetKeyboardState.USER32(?), ref: 003A0102
GetAsyncKeyState.USER32(000000A0), ref: 003A0122
GetKeyState.USER32(000000A0), ref: 003A0139
GetAsyncKeyState.USER32(000000A1), ref: 003A0168
GetKeyState.USER32(000000A1), ref: 003A0179
GetAsyncKeyState.USER32(00000011), ref: 003A01A5
GetKeyState.USER32(00000011), ref: 003A01B3
GetAsyncKeyState.USER32(00000012), ref: 003A01DC
GetKeyState.USER32(00000012), ref: 003A01EA
GetAsyncKeyState.USER32(0000005B), ref: 003A0213
GetKeyState.USER32(0000005B), ref: 003A0221

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 5d8d1a0bc4d060ea4bea87759d2d08d021f6a4932f0c9c969833fbbdcb824733
Instruction ID: 152f41aedeb8f06eaf4a428a2a135e2c93c257d20365ebedccb6e63d60b88274
Opcode Fuzzy Hash: 5d8d1a0bc4d060ea4bea87759d2d08d021f6a4932f0c9c969833fbbdcb824733
Instruction Fuzzy Hash: 6F51C92490478829FB3ADBB088547EABFB4DF13380F09459E95C25B5C2DAA49B8CC761

Function 003C03DA Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 003C0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,003BFDAD,?,?), ref: 003C0E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 003C04AC

Part of subcall function 00349837: __itow.LIBCMT ref: 00349862
Part of subcall function 00349837: __swprintf.LIBCMT ref: 003498AC

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 003C054B
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 003C05E3
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 003C0822
RegCloseKey.ADVAPI32(00000000), ref: 003C082F

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 8478b915d50258c98a383d8d5ff2452c3b27f6ec5b8f89f2233764b81742d87f
Instruction ID: be84b923518846715e36967f827d6afd6cc1f4a1ccd06d06428122564bc95c40
Opcode Fuzzy Hash: 8478b915d50258c98a383d8d5ff2452c3b27f6ec5b8f89f2233764b81742d87f
Instruction Fuzzy Hash: 2FE14D71604210EFCB1ADF28C891E6BBBE9EF89714F04856DF84ADB261D631ED01CB91

Function 003B83BB Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00349837: __itow.LIBCMT ref: 00349862
Part of subcall function 00349837: __swprintf.LIBCMT ref: 003498AC

CoInitialize.OLE32 ref: 003B8403
CoUninitialize.OLE32 ref: 003B840E
CoCreateInstance.OLE32(?,00000000,00000017,003D2BEC,?), ref: 003B846E
IIDFromString.OLE32(?,?), ref: 003B84E1
VariantInit.OLEAUT32(?), ref: 003B857B
VariantClear.OLEAUT32(?), ref: 003B85DC

Strings

Failed to create object, xrefs: 003B8479, 003B852F
NULL Pointer assignment, xrefs: 003B84B3
Invalid parameter, xrefs: 003B84FA

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 28b59e0d0c7e98bb8339ef2a136e1f4f35e58561fbd893f940d8e21192ce775c
Instruction ID: e72ff2bd9cfde0abdb3549dda4d92c06eb2c31120737a205ef775898ed27e5fd
Opcode Fuzzy Hash: 28b59e0d0c7e98bb8339ef2a136e1f4f35e58561fbd893f940d8e21192ce775c
Instruction Fuzzy Hash: D66180706083129FC712DF55C849FABB7ECAF4A758F04481AFA859B691CB70ED44CB92

Function 003B4164 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 003B418B
EmptyClipboard.USER32 ref: 003B4191
GlobalAlloc.KERNEL32(00000002,?), ref: 003B41A6
CloseClipboard.USER32 ref: 003B4245

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: e83036685b9d00f2d0ff837994a090dc768155fb7983312ca1b0e5822975f5e1
Instruction ID: 843f03bd0b9c749671f90cd4a28287cb5282ea7c9ad9f570742b0f408282bb15
Opcode Fuzzy Hash: e83036685b9d00f2d0ff837994a090dc768155fb7983312ca1b0e5822975f5e1
Instruction Fuzzy Hash: 092194356002109FDB129F14EC09F6A7BADEF45715F11802AFA46DF262DB30BC00CB58

Function 003A37EF Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00344750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00344743,?,?,003437AE,?), ref: 00344770

Part of subcall function 003A4A31: GetFileAttributesW.KERNEL32(?,003A370B), ref: 003A4A32

FindFirstFileW.KERNEL32(?,?), ref: 003A38A3
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 003A394B
MoveFileW.KERNEL32(?,?), ref: 003A395E
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 003A397B
FindNextFileW.KERNEL32(00000000,00000010), ref: 003A399D
FindClose.KERNEL32(00000000,?,?,?,?), ref: 003A39B9

Strings

\*.*, xrefs: 003A384E, 003A3857, 003A386C

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: 5897b18ce30b67085a039bbce9204f006625f446e927a547a06713462d41191b
Instruction ID: 5a9371111f1fef8e9f32a29315cb323ace065189e05b8e56062a1ebc9b4e5484
Opcode Fuzzy Hash: 5897b18ce30b67085a039bbce9204f006625f446e927a547a06713462d41191b
Instruction Fuzzy Hash: AE51403180514CAACF17EBA0D992AEEB7B9EF16300F604069F405BF192EB756F09CB51

Function 003AF3F3 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00347DE1: _memmove.LIBCMT ref: 00347E22

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 003AF440
Sleep.KERNEL32(0000000A), ref: 003AF470
_wcscmp.LIBCMT ref: 003AF484
_wcscmp.LIBCMT ref: 003AF49F
FindNextFileW.KERNEL32(?,?), ref: 003AF53D
FindClose.KERNEL32(00000000), ref: 003AF553

Strings

*.*, xrefs: 003AF425

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: 37517ebb45e765469afbd4c3b8618f308a9ddd5b1e3ba308d2156308f59f7271
Instruction ID: 7ae5307919725a20b874b881e3e14151a90e729a44463508ea64ec86faac4e9c
Opcode Fuzzy Hash: 37517ebb45e765469afbd4c3b8618f308a9ddd5b1e3ba308d2156308f59f7271
Instruction Fuzzy Hash: 73415C71D0021AAFCF16EFA4CC55AEEBBB8FF06310F144566E815AB191DB30AE44CB50

Function 00353030 Relevance: 11.1, APIs: 4, Strings: 2, Instructions: 587COMMON

Download Yara Rule

Strings

3c5, xrefs: 00353225
_5, xrefs: 00353322

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: __itow__swprintf
String ID: 3c5$_5
API String ID: 674341424-2150917133
Opcode ID: bc34a19a84a461b33d33785b646bde63d7adea950bcf38303d39cb9b2fdb5079
Instruction ID: 98730d50eeef9dc74cad0fc4e75d339c630f8f743fb25bcb444419bf081989f2
Opcode Fuzzy Hash: bc34a19a84a461b33d33785b646bde63d7adea950bcf38303d39cb9b2fdb5079
Instruction Fuzzy Hash: E02291716083009FC726DF24C892F6FB7E5AF84750F11491DF99A9B2A1DB71E908CB92

Function 00355760 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 003558A5
_memmove.LIBCMT ref: 003558F5
_memmove.LIBCMT ref: 0035595B

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 32c8398df9ba0a80f54d157533262257c84043af1cd21f79406cfdbb5cca7836
Instruction ID: 064358e13f1369677c205485b69cc8ada8c74a35a1a5a3f524c3a01733d4a048
Opcode Fuzzy Hash: 32c8398df9ba0a80f54d157533262257c84043af1cd21f79406cfdbb5cca7836
Instruction Fuzzy Hash: A7128F70A00609DFDF0ADFA5D991AAEB7F5FF48310F104529E846EB261EB36AD14CB50

Function 003A3B12 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00344750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00344743,?,?,003437AE,?), ref: 00344770

Part of subcall function 003A4A31: GetFileAttributesW.KERNEL32(?,003A370B), ref: 003A4A32

FindFirstFileW.KERNEL32(?,?), ref: 003A3B89
DeleteFileW.KERNEL32(?,?,?,?), ref: 003A3BD9
FindNextFileW.KERNEL32(00000000,00000010), ref: 003A3BEA
FindClose.KERNEL32(00000000), ref: 003A3C01
FindClose.KERNEL32(00000000), ref: 003A3C0A

Strings

\*.*, xrefs: 003A3B5B

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: f5bab947efad50e289f0705d15344e14c441b4636a1082fd467e321fa8629050
Instruction ID: ec5f79c0760c7d230123f896d05f67ddadd1895dd0c99070a38c77fae077b5cb
Opcode Fuzzy Hash: f5bab947efad50e289f0705d15344e14c441b4636a1082fd467e321fa8629050
Instruction Fuzzy Hash: F0317035008385AFC302EF24C891DAFB7EDAE92314F404D2DF4D59A192EB25EA09C763

Function 003A51BD Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 003987E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0039882B
Part of subcall function 003987E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00398858
Part of subcall function 003987E1: GetLastError.KERNEL32 ref: 00398865

ExitWindowsEx.USER32(?,00000000), ref: 003A51F9

Strings

, xrefs: 003A51E7
@, xrefs: 003A51EC
SeShutdownPrivilege, xrefs: 003A51C9

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: f7f42be1082fde7c0280a66aff791ab93001828b980e6cbc86213e37ef230e39
Instruction ID: 7074c90540551c7757965a1c90def602ee5de36ae80d1920e15e19e91696c3ca
Opcode Fuzzy Hash: f7f42be1082fde7c0280a66aff791ab93001828b980e6cbc86213e37ef230e39
Instruction Fuzzy Hash: FE01F7316916156BEB2F63689C8AFBA725CEB07750F210C20F913E60D2D9516C008690

Function 003B6283 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 003B62DC
WSAGetLastError.WSOCK32(00000000), ref: 003B62EB
bind.WSOCK32(00000000,?,00000010), ref: 003B6307
listen.WSOCK32(00000000,00000005), ref: 003B6316
WSAGetLastError.WSOCK32(00000000), ref: 003B6330
closesocket.WSOCK32(00000000,00000000), ref: 003B6344

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 57372b381d0d17761c55210a35a42f63c800b00182e8cb9d4119ca7c093046ff
Instruction ID: 6c37d2231a1ca45ce9e08ce1d6240b0282731a7405135f36895ef4abdd2feca7
Opcode Fuzzy Hash: 57372b381d0d17761c55210a35a42f63c800b00182e8cb9d4119ca7c093046ff
Instruction Fuzzy Hash: 1B21D0346002009FCB12EF68CC46FAEB7E9EF49324F154159E91AEB3A2C770AC01CB51

Function 00355520 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00360DB6: std::exception::exception.LIBCMT ref: 00360DEC
Part of subcall function 00360DB6: __CxxThrowException@8.LIBCMT ref: 00360E01

_memmove.LIBCMT ref: 00390258
_memmove.LIBCMT ref: 0039036D
_memmove.LIBCMT ref: 00390414

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: 1fe8ec0c59a20b296bf73affe28c16c489024909c254d2871fc483811456da7b
Instruction ID: f772f7c024799d717d963039d51ddca204a6910f54879d3a46a8c7880d749836
Opcode Fuzzy Hash: 1fe8ec0c59a20b296bf73affe28c16c489024909c254d2871fc483811456da7b
Instruction Fuzzy Hash: 3202B0B0A00209DFCF0ADF64D992AAE7BF9EF44300F158469E806DF255EB35E954CB91

Function 00341287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00342612: GetWindowLongW.USER32(?,000000EB), ref: 00342623

DefDlgProcW.USER32(?,?,?,?,?), ref: 003419FA
GetSysColor.USER32(0000000F), ref: 00341A4E
SetBkColor.GDI32(?,00000000), ref: 00341A61

Part of subcall function 00341290: DefDlgProcW.USER32(?,00000020,?), ref: 003412D8

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: 4123e44afd030fcf071d55c5dd540e3b131a85a96af93c4e68c44e445c5f1773
Instruction ID: 99834bb1d113bd87521a46ea06cfa30320817d8261ae96e5c56502674775ee1b
Opcode Fuzzy Hash: 4123e44afd030fcf071d55c5dd540e3b131a85a96af93c4e68c44e445c5f1773
Instruction Fuzzy Hash: DAA16971112D44BAE63BAF284C48F7F69ECDF42341F16411AF506DE592CB28BD8097B6

Function 003B6747 Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 003B7D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 003B7DB6

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 003B679E
WSAGetLastError.WSOCK32(00000000), ref: 003B67C7
bind.WSOCK32(00000000,?,00000010), ref: 003B6800
WSAGetLastError.WSOCK32(00000000), ref: 003B680D
closesocket.WSOCK32(00000000,00000000), ref: 003B6821

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: 51fa0b573bda185bbf20488eae7053718c3d92373bf77ed0c4756f3000afc07a
Instruction ID: 5e1b8fab46410d5b149c213d16408d35c86d43c7a8c9c03b738be7665dc101c5
Opcode Fuzzy Hash: 51fa0b573bda185bbf20488eae7053718c3d92373bf77ed0c4756f3000afc07a
Instruction Fuzzy Hash: 7441B275A00210AFDB12BF288C87F6E77E8DB49754F048459FA1AAF3D3CA74AD008791

Function 003C5376 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 003C53C5
IsWindowEnabled.USER32 ref: 003C53D3
GetForegroundWindow.USER32(?,?,00000001), ref: 003C53E0
IsIconic.USER32 ref: 003C53EE
IsZoomed.USER32 ref: 003C53FC

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 1d09857419589813801ac6a2056b75c074ae8309de2d7468dbe28249ae304827
Instruction ID: d9c8e54513acb14a77d97c72998329e9d5d6865f54dc869fbfa0a4a23bf8ae1a
Opcode Fuzzy Hash: 1d09857419589813801ac6a2056b75c074ae8309de2d7468dbe28249ae304827
Instruction Fuzzy Hash: AE119D323009516FEB236F269C44F6ABB9DEF857A1F41402DE846DB241CBB0FC418BA4

Function 003980A9 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 003980C0
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 003980CA
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 003980D9
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 003980E0
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 003980F6

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: d7d15ca5b36222417ba6a43bf8b462638834c1046e458072353cafc882181cb3
Instruction ID: 9a0ea64316a5eecc29eb6d71c08c63f9562b6483a49f3e5bfe7a2730969f0a23
Opcode Fuzzy Hash: d7d15ca5b36222417ba6a43bf8b462638834c1046e458072353cafc882181cb3
Instruction Fuzzy Hash: BCF04F35240214AFEB120FA6EC8DE673BADFF8A755F040029F945D6150CA61AC41DB60

Function 00344B37 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00344AD0), ref: 00344B45
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00344B57

Strings

GetNativeSystemInfo, xrefs: 00344B51
kernel32.dll, xrefs: 00344B40

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 6dfdf27229594947d2f66b2f87cc7798faf2c81e2954a06524ef53cbbf3c3c61
Instruction ID: 583d505e3d7a543390b1f12b9c8322af0a65bb62758155b0255515b24d0155b6
Opcode Fuzzy Hash: 6dfdf27229594947d2f66b2f87cc7798faf2c81e2954a06524ef53cbbf3c3c61
Instruction Fuzzy Hash: 3AD0EC74A10712CFDB229B31D818F4676D9AF05351B15883DD486D6160D770E880C755

Function 003BEE0D Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 003BEE3D
Process32FirstW.KERNEL32(00000000,?), ref: 003BEE4B

Part of subcall function 00347DE1: _memmove.LIBCMT ref: 00347E22

Process32NextW.KERNEL32(00000000,?), ref: 003BEF0B
CloseHandle.KERNEL32(00000000,?,?,?), ref: 003BEF1A

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 0dc41aee43acec5ae1ab278b924bbbb6a20b9d2200c8af5c01315ea902163a2a
Instruction ID: e0d9cda8edfa72ccdc341621971c3f01904e52ccf831e88a6a73e30ab07ace28
Opcode Fuzzy Hash: 0dc41aee43acec5ae1ab278b924bbbb6a20b9d2200c8af5c01315ea902163a2a
Instruction Fuzzy Hash: DB516E71504311AFD322EF24CC85EABB7E8EF94714F10482DF5959A2A2EB70E904CB92

Function 0039E616 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 0039E628

Strings

|, xrefs: 0039E658
(, xrefs: 0039E66E

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 5e92eafcdaf3427713f146abefb16abbb63c05446da4f5a9066e72235f17f47e
Instruction ID: 48a8c3d03459a13af4b1324e2e581aebc9817e1016b86322546e2142bf6c06a4
Opcode Fuzzy Hash: 5e92eafcdaf3427713f146abefb16abbb63c05446da4f5a9066e72235f17f47e
Instruction Fuzzy Hash: 9D323575A007059FDB29CF59C48196AB7F0FF48320B16C56EE89ADB7A1EB70E941CB40

Function 003B22EE Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,003B180A,00000000), ref: 003B23E1
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 003B2418

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 58384b2f5d4bd974f82cc8905fd9e73b48eccc7cd3b75b933245c7814fdaa794
Instruction ID: 340effd3e2195669e26a47a13efb15d172eb3d8c1b4dfc7017b67b19466dc8de
Opcode Fuzzy Hash: 58384b2f5d4bd974f82cc8905fd9e73b48eccc7cd3b75b933245c7814fdaa794
Instruction Fuzzy Hash: 74410375A00209BFEB129F96DC81EFFB7FCEB40318F10412AFB05A6940DA75AE419660

Function 003AB333 Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 003AB343
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 003AB39D
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 003AB3EA

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: a8e4ac7a48814c3b48885f075d1b3a2e5723744257d156e8c8165b010ad281de
Instruction ID: 4f4cf10a1668df735ce2aa66d2c2b5ed09551e36809f52fbb1c1f88c3378b771
Opcode Fuzzy Hash: a8e4ac7a48814c3b48885f075d1b3a2e5723744257d156e8c8165b010ad281de
Instruction Fuzzy Hash: F2214A35A00108EFCB01EFA5D885AAEBBF8FF49310F1480AAE905AB251CB31A915CB50

Function 003987E1 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00360DB6: std::exception::exception.LIBCMT ref: 00360DEC
Part of subcall function 00360DB6: __CxxThrowException@8.LIBCMT ref: 00360E01

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0039882B
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00398858
GetLastError.KERNEL32 ref: 00398865

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 89b2ce01c783ea662aca3b82cafb28b86ade3fc275b2d941c740aa6dd5f66eea
Instruction ID: b6253fb34156ff0c18bbc780e7d8689c50d7887a44df6744afb8c37c2cc347a7
Opcode Fuzzy Hash: 89b2ce01c783ea662aca3b82cafb28b86ade3fc275b2d941c740aa6dd5f66eea
Instruction Fuzzy Hash: 73118CB2914204AFEB19DFA4DC86D6BBBFDFB45710B20852EF45697241EB30BC408B60

Function 0039874B Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00398774
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0039878B
FreeSid.ADVAPI32(?), ref: 0039879B

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 5d1b9ff6b09f8cea617652660a49daa9f8382c34d27752835a41ea7a53d8b296
Instruction ID: 7bb7792eb57a3071366bfb6d80b8ce9481546e8e87c444381a243db257db4195
Opcode Fuzzy Hash: 5d1b9ff6b09f8cea617652660a49daa9f8382c34d27752835a41ea7a53d8b296
Instruction Fuzzy Hash: BCF03775A11208BFDF00DFE49C89EBEBBBDEF08701F1044A9A901E2181E6716A048B50

Function 003A8889 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 003A889B

Part of subcall function 0036520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,003A8F6E,00000000,?,?,?,?,003A911F,00000000,?), ref: 00365213
Part of subcall function 0036520A: __aulldiv.LIBCMT ref: 00365233

Strings

0e@, xrefs: 003A8892

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID: 0e@
API String ID: 2893107130-3044860656
Opcode ID: 7d057725d77fc37a8757de344a27fa1aa65f35205f7e216064d8e5f3b0293379
Instruction ID: f70d9ea28d30d17f97a80810b282382ab59756bfa5b6cd6144bf6d9e409c79a9
Opcode Fuzzy Hash: 7d057725d77fc37a8757de344a27fa1aa65f35205f7e216064d8e5f3b0293379
Instruction Fuzzy Hash: 1121AF326256108BC72ACF29D841A52B7E5EBA5311B698E6CD0F6CF2C0CE34A905CB94

Function 003AC6D1 Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 003AC6FB
FindClose.KERNEL32(00000000), ref: 003AC72B

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 0ba1bb2c969c7dfcf2ba0e2404e9a5d78059d2fe7d83226a6e75d13cafecba8c
Instruction ID: 42b89b097316f5538b354cb3d8b9a137904ec3fe6c02b6ed1aa24553936cd8bc
Opcode Fuzzy Hash: 0ba1bb2c969c7dfcf2ba0e2404e9a5d78059d2fe7d83226a6e75d13cafecba8c
Instruction Fuzzy Hash: 13115E766106049FDB11DF29D845A2AF7E9EF85324F01851EF9AADB291DB30B805CB81

Function 003AA06A Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,003B9468,?,003CFB84,?), ref: 003AA097
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,003B9468,?,003CFB84,?), ref: 003AA0A9

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: a40b32980b09dca819941e9230022f64f80accb988017cd8cc9506319175128f
Instruction ID: a8c631cd6317b46f900ec334f69b71b5558781ba4549c91cced70d0bc39358fe
Opcode Fuzzy Hash: a40b32980b09dca819941e9230022f64f80accb988017cd8cc9506319175128f
Instruction Fuzzy Hash: EEF0823651522DBBDB629FA4CC48FEA776DFF09361F008165F909D6181D730A944CBA1

Function 003981CB Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00398309), ref: 003981E0
CloseHandle.KERNEL32(?,?,00398309), ref: 003981F2

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 48d24f682b7f8a80025616b51800e70f2d25b5a9034813f14dce7f8e9c395702
Instruction ID: ffc842f8062377361415e973faf860366a6a90fb3d44e1eff63b95ec1e193ddc
Opcode Fuzzy Hash: 48d24f682b7f8a80025616b51800e70f2d25b5a9034813f14dce7f8e9c395702
Instruction Fuzzy Hash: EBE0B672010A20AEEB272B60EC09D777BAEEF44310B148829B8A6C4475DB62AC91DB14

Function 0036A155 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00368D57,?,?,?,00000001), ref: 0036A15A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0036A163

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 80066a17d61224719bcfd67e7de031ed731fc0b2a70e43f52ccc3a4479637432
Instruction ID: 9662621202b121151370905b5c84057a9e8589d17773eeed5b99fff3742932b4
Opcode Fuzzy Hash: 80066a17d61224719bcfd67e7de031ed731fc0b2a70e43f52ccc3a4479637432
Instruction Fuzzy Hash: 47B09235054248BFCA022B91EC09F883F6EEB84BA2F404020FA0DC4060CB6266508B91

Function 0036F1D9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a81d0d585199ab859bd360904c7c3add7fa6e340ca80e9e1806c6e1aba9732d
Instruction ID: b293a8bced93cd39bcede41ba292ba0a6ebf58d1c918d5af701560acced2801b
Opcode Fuzzy Hash: 7a81d0d585199ab859bd360904c7c3add7fa6e340ca80e9e1806c6e1aba9732d
Instruction Fuzzy Hash: 6832F426D2AF414DD7239634E832335A38DAFB73D5F55D737E81AB5AA9EB28C4834100

Function 0037242E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a6c46a8d3d2d29eef4a73a0f2e8b1af26d2654e412811a61722057259f76e6b
Instruction ID: 2a729c34657995584f8fce06ebaf5143415579a231e174854d7f9fd1b56be413
Opcode Fuzzy Hash: 4a6c46a8d3d2d29eef4a73a0f2e8b1af26d2654e412811a61722057259f76e6b
Instruction Fuzzy Hash: 42B1F120E2AF414DD72396399931336BB5CAFBB2D5F52D71BFC2A74E22EB2185834141

Function 003A4C27 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 003A4C4A

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 51cec7d80d6afed14f237c0ac160ef401231e93478a246643e3b8a5a98886aa5
Instruction ID: 4cafddca28b932fca62f5dfe0c4293384709dea2d1d20985f2a2b9c47c628475
Opcode Fuzzy Hash: 51cec7d80d6afed14f237c0ac160ef401231e93478a246643e3b8a5a98886aa5
Instruction Fuzzy Hash: 4DD05E9916520978EC1E0720AE0FF7A410CE3D37A2FD18149720ACA0C1FCD06C406130

Function 003987B1 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00398389), ref: 003987D1

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 62fc4445b00a31f26f91c33b9f663af35fd553a28bdec64c6c741757f5c9415a
Instruction ID: e5519b0abcb716acfb599c30975b98c02981ffdb91e67160a53e5cc97ef2f8b7
Opcode Fuzzy Hash: 62fc4445b00a31f26f91c33b9f663af35fd553a28bdec64c6c741757f5c9415a
Instruction Fuzzy Hash: F3D05E3226050EAFEF019EA4DC01EBE3B6AEB04B01F408111FE15C50A1C775E835AB60

Function 0036A124 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 0036A12A

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 3a05c1f2d67906932a194d85ea3797e36fc41065210813540e99d53e520cab66
Instruction ID: 12ca8c5472b1c937089a1010175d978ca261ef9d24051b911c9533b9de4ddb52
Opcode Fuzzy Hash: 3a05c1f2d67906932a194d85ea3797e36fc41065210813540e99d53e520cab66
Instruction Fuzzy Hash: F1A0113000020CBB8A022B82EC08888BFAEEA802A0B008020F80C800228B32AA208A80

Function 00358808 Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 316002f89f9f53e2d1fea59798b575bdb7bcdab01980e690446c591b6dba4c3f
Instruction ID: 302e11464f74a596c43f0d280db53d0ec874520fc454104fdb86dc1350eacc6d
Opcode Fuzzy Hash: 316002f89f9f53e2d1fea59798b575bdb7bcdab01980e690446c591b6dba4c3f
Instruction Fuzzy Hash: EF221530A04546CBDF2B8B14C494B7C77B5FB01306F2A846ADD86AB9A2DB70DD9AC741

Function 003621C5 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 85380d2d9f2e3314a3db667886187a9941c31b42b9ae8fd72f1966be194b8039
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 1DC184362055930ADF6F463A847403FFAA15EA27B131F876DD8B3CB5D8EE20C965D620

Function 003625FA Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 46fd985755d35655771a00196b6f982ecd054c14570a801d2451a8b5b262341b
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 98C195322055930ADF6F463AC43443FBAA15EA27B131F876DD4B3DB1D9EE50C925E620

Function 00361978 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 59bc2b18b820ebda61efb1d8ccc3551208d34ba4458734af85810cfbdba580bf
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 92C180322091930ADF6E463AC47413EFBA15EA27B131F876DD4B3CB1D8EE60C965D660

Function 01697680 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1355885515.0000000001694000.00000040.00000020.00020000.00000000.sdmp, Offset: 01694000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1694000_OKkUGRkZV7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: 9a85c15d30df190ca92566550650e117e396d58b837e4cf377f1d6a3bed6e452
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: 1441D271D1051CEBCF48CFADC991AEEBBF2AF88201F548299D516AB345D730AB41DB90

Function 01697570 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1355885515.0000000001694000.00000040.00000020.00020000.00000000.sdmp, Offset: 01694000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1694000_OKkUGRkZV7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: 96b17a42e1b938d3a8fe315bbb9d4a537d2b16f3e4ea16ad533e6031ace3060c
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: 57019278A11109EFCB84DF98C5909AEF7B9FB48310F208599D909A7301E730AE41DF90

Function 01697510 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1355885515.0000000001694000.00000040.00000020.00020000.00000000.sdmp, Offset: 01694000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1694000_OKkUGRkZV7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: 4b9a822be07e80cf693ead3f506e095d02c49f03556b09427788c31e19cde354
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: 70019278A11109EFCB85DF98C5909AEF7B9FB48310F208599E819A7301E730AE41DF84

Function 01695ED0 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1355885515.0000000001694000.00000040.00000020.00020000.00000000.sdmp, Offset: 01694000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1694000_OKkUGRkZV7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 003B7806 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 003B785B
DeleteObject.GDI32(00000000), ref: 003B786D
DestroyWindow.USER32 ref: 003B787B
GetDesktopWindow.USER32 ref: 003B7895
GetWindowRect.USER32(00000000), ref: 003B789C
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 003B79DD
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 003B79ED
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003B7A35
GetClientRect.USER32(00000000,?), ref: 003B7A41
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 003B7A7B
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003B7A9D
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003B7AB0
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003B7ABB
GlobalLock.KERNEL32(00000000), ref: 003B7AC4
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003B7AD3
GlobalUnlock.KERNEL32(00000000), ref: 003B7ADC
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003B7AE3
GlobalFree.KERNEL32(00000000), ref: 003B7AEE
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003B7B00
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,003D2CAC,00000000), ref: 003B7B16
GlobalFree.KERNEL32(00000000), ref: 003B7B26
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 003B7B4C
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 003B7B6B
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003B7B8D
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003B7D7A

Strings

DISPLAY, xrefs: 003B7BDD
static, xrefs: 003B7A75, 003B7BCC
AutoIt v3, xrefs: 003B7A2D
, xrefs: 003B7D00

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 8bbe73e111b253dc3188a2c8950c9fba4b7235d751a407b9727d7979d2591f78
Instruction ID: 1b7f74e86aad24c8ed5175a67d1a2130f0611f602eb1a5967ad2d162ad26fbb9
Opcode Fuzzy Hash: 8bbe73e111b253dc3188a2c8950c9fba4b7235d751a407b9727d7979d2591f78
Instruction Fuzzy Hash: AF026A71900115AFDB16DFA8DD89EAE7BB9EF88314F148169F905EB2A1C770AD01CB60

Function 003C356B Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,003CF910), ref: 003C3627
IsWindowVisible.USER32(?), ref: 003C364B

Strings

SENDCOMMANDID, xrefs: 003C39DA
SELECTSTRING, xrefs: 003C3806
GETLINECOUNT, xrefs: 003C38C6
GETLINE, xrefs: 003C399B
ISVISIBLE, xrefs: 003C3637
EDITPASTE, xrefs: 003C395F
ISENABLED, xrefs: 003C366B
CHECK, xrefs: 003C386D
FINDSTRING, xrefs: 003C3776
UNCHECK, xrefs: 003C3883
ISCHECKED, xrefs: 003C3839
GETCURRENTCOL, xrefs: 003C3928
CURRENTTAB, xrefs: 003C36BD
HIDEDROPDOWN, xrefs: 003C3700
TABRIGHT, xrefs: 003C369D
SHOWDROPDOWN, xrefs: 003C36E0
GETCURRENTLINE, xrefs: 003C38ED
ADDSTRING, xrefs: 003C3716
GETSELECTED, xrefs: 003C38A3
TABLEFT, xrefs: 003C3687
SETCURRENTSELECTION, xrefs: 003C37B6
DELSTRING, xrefs: 003C3749
GETCURRENTSELECTION, xrefs: 003C37E3

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: a4fc63a3a559906b5355e4ab35e57c19c545d13e5d5e05eff0ee50e974e4181d
Instruction ID: f1085496e0613266114fdb343f93de4d2bbe539d113f7bcdbd25b77375f27df4
Opcode Fuzzy Hash: a4fc63a3a559906b5355e4ab35e57c19c545d13e5d5e05eff0ee50e974e4181d
Instruction Fuzzy Hash: 4ED159342043019BCA06EF10C852F6EB7E5AF95394F15846DF8869F7A2CB31EE0ACB41

Function 003CA5DA Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 003CA630
GetSysColorBrush.USER32(0000000F), ref: 003CA661
GetSysColor.USER32(0000000F), ref: 003CA66D
SetBkColor.GDI32(?,000000FF), ref: 003CA687
SelectObject.GDI32(?,00000000), ref: 003CA696
InflateRect.USER32(?,000000FF,000000FF), ref: 003CA6C1
GetSysColor.USER32(00000010), ref: 003CA6C9
CreateSolidBrush.GDI32(00000000), ref: 003CA6D0
FrameRect.USER32(?,?,00000000), ref: 003CA6DF
DeleteObject.GDI32(00000000), ref: 003CA6E6
InflateRect.USER32(?,000000FE,000000FE), ref: 003CA731
FillRect.USER32(?,?,00000000), ref: 003CA763
GetWindowLongW.USER32(?,000000F0), ref: 003CA78E

Part of subcall function 003CA8CA: GetSysColor.USER32(00000012), ref: 003CA903
Part of subcall function 003CA8CA: SetTextColor.GDI32(?,?), ref: 003CA907
Part of subcall function 003CA8CA: GetSysColorBrush.USER32(0000000F), ref: 003CA91D
Part of subcall function 003CA8CA: GetSysColor.USER32(0000000F), ref: 003CA928
Part of subcall function 003CA8CA: GetSysColor.USER32(00000011), ref: 003CA945
Part of subcall function 003CA8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 003CA953
Part of subcall function 003CA8CA: SelectObject.GDI32(?,00000000), ref: 003CA964
Part of subcall function 003CA8CA: SetBkColor.GDI32(?,00000000), ref: 003CA96D
Part of subcall function 003CA8CA: SelectObject.GDI32(?,?), ref: 003CA97A
Part of subcall function 003CA8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 003CA999
Part of subcall function 003CA8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 003CA9B0
Part of subcall function 003CA8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 003CA9C5
Part of subcall function 003CA8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 003CA9ED

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: 5bf67d7c4f3f0c006d55b9a268a55a028e1fe330d00efb3c7ee9000c1976645e
Instruction ID: b853a638c549108308d87f039fc350f92147bf49ae5a85ad6d3ee60e56d8fdd3
Opcode Fuzzy Hash: 5bf67d7c4f3f0c006d55b9a268a55a028e1fe330d00efb3c7ee9000c1976645e
Instruction Fuzzy Hash: 66917B72008705AFC7129F64DC08E5B7BAEFF89325F144A2DFAA2D61A0D771E944CB52

Function 00342C18 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00342CA2
DeleteObject.GDI32(00000000), ref: 00342CE8
DeleteObject.GDI32(00000000), ref: 00342CF3
DestroyIcon.USER32(00000000,?,?,?), ref: 00342CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 00342D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 0037C43B
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0037C474
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0037C89D

Part of subcall function 00341B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00342036,?,00000000,?,?,?,?,003416CB,00000000,?), ref: 00341B9A

SendMessageW.USER32(?,00001053), ref: 0037C8DA
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0037C8F1
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0037C907
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0037C912

Strings

0, xrefs: 0037C731

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: 17250171daa06b551d17a61189ee2847752ce0c1d403addd7e562f5812d1be6e
Instruction ID: 00a7050c534aaf453d6ec070f0a15f44c43e06f7d8032e2456cc7940d8ef8ca3
Opcode Fuzzy Hash: 17250171daa06b551d17a61189ee2847752ce0c1d403addd7e562f5812d1be6e
Instruction Fuzzy Hash: B0129A30610201AFDB268F24C884BAABBE5FF05310F55956DF999DB662CB35FC42CB91

Function 003B74AB Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 003B74DE
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 003B759D
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 003B75DB
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 003B75ED
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 003B7633
GetClientRect.USER32(00000000,?), ref: 003B763F
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 003B7683
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 003B7692
GetStockObject.GDI32(00000011), ref: 003B76A2
SelectObject.GDI32(00000000,00000000), ref: 003B76A6
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 003B76B6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 003B76BF
DeleteDC.GDI32(00000000), ref: 003B76C8
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 003B76F4
SendMessageW.USER32(00000030,00000000,00000001), ref: 003B770B
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 003B7746
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 003B775A
SendMessageW.USER32(00000404,00000001,00000000), ref: 003B776B
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 003B779B
GetStockObject.GDI32(00000011), ref: 003B77A6
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 003B77B1
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 003B77BB

Strings

DISPLAY, xrefs: 003B7688
static, xrefs: 003B767D, 003B7795
msctls_progress32, xrefs: 003B773C
AutoIt v3, xrefs: 003B762B

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 289825c0720cad17e6156c1ca83e08f7ae3a7d28116be7d8353d9b8eb45f92b5
Instruction ID: 062dfd013877b560d48c7b35fd47b4489ad88466e723d52f72f3bdcaa28143ab
Opcode Fuzzy Hash: 289825c0720cad17e6156c1ca83e08f7ae3a7d28116be7d8353d9b8eb45f92b5
Instruction Fuzzy Hash: 4AA16D71A00605BFEB159BA4DD4AFAB7BAAEF49714F004119FA14EB2E0C770AD00CF64

Function 003AAD10 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 003AAD1E
GetDriveTypeW.KERNEL32(?,003CFAC0,?,\\.\,003CF910), ref: 003AADFB
SetErrorMode.KERNEL32(00000000,003CFAC0,?,\\.\,003CF910), ref: 003AAF59

Strings

Removable, xrefs: 003AAE4D
FileBackedVirtual, xrefs: 003AAF28
SATA, xrefs: 003AAF0C
ATA, xrefs: 003AAED4
RAID, xrefs: 003AAEF7
RAMDisk, xrefs: 003AAE25
ATAPI, xrefs: 003AAECD
MMC, xrefs: 003AAF1A
SSD, xrefs: 003AAE86
SCSI, xrefs: 003AAEC6
SAS, xrefs: 003AAF05
iSCSI, xrefs: 003AAEFE
Fixed, xrefs: 003AAE43
PhysicalDrive, xrefs: 003AADA7
1394, xrefs: 003AAEDB
Virtual, xrefs: 003AAF21
Fibre, xrefs: 003AAEE9
USB, xrefs: 003AAEF0
Network, xrefs: 003AAE39
SSA, xrefs: 003AAEE2
\\.\, xrefs: 003AAD70
CDROM, xrefs: 003AAE2F
Unknown, xrefs: 003AAE1B, 003AAEBF

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: ed584b06a404e6b9d02689a6c1eb271e32b7b169920adb9e1aa068590e5be02d
Instruction ID: 78aec563e34a3e3db0a56e43f58baadfc1fe70bac6e7fbaebbfed56ff6de2e8c
Opcode Fuzzy Hash: ed584b06a404e6b9d02689a6c1eb271e32b7b169920adb9e1aa068590e5be02d
Instruction Fuzzy Hash: 9C5190B2649A09AF8F1FEB14CD92CBD73A5EB0A700B204457E507AB691CB31AD05DB53

Function 003468DC Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00346931
__wcsnicmp.LIBCMT ref: 00346949
__wcsnicmp.LIBCMT ref: 00346961
__wcsnicmp.LIBCMT ref: 00346979
__wcsnicmp.LIBCMT ref: 00346991
__wcsnicmp.LIBCMT ref: 003469A9
__wcsnicmp.LIBCMT ref: 003469C1
__wcsnicmp.LIBCMT ref: 003469D5
__wcsnicmp.LIBCMT ref: 00346A16
__wcsnicmp.LIBCMT ref: 00346A2A
__wcsnicmp.LIBCMT ref: 00346A3E
__wcsnicmp.LIBCMT ref: 00346A52

Strings

#requireadmin, xrefs: 0034695B
Unterminated group of comments, xrefs: 0037E403
#include-once, xrefs: 0034698B
#comments-end, xrefs: 00346A38
Bad directive syntax error, xrefs: 0037E31A
#notrayicon, xrefs: 00346943
#comments-start, xrefs: 003469BB, 00346A10
#cs, xrefs: 003469CF, 00346A24
#include, xrefs: 003469A3
#OnAutoItStartRegister, xrefs: 00346973
Cannot parse #include, xrefs: 0037E3F0
#pragma compile, xrefs: 0034692B
#ce, xrefs: 00346A4C

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 7b573027ae4702a2bee773c3408e809c74bf1d31a59888cab0c400d5bcea1605
Instruction ID: 085e1ea62f5966f1ca8e1ddb9331dacbd6fd7f86c3f57d3d482ccfdeb50ef907
Opcode Fuzzy Hash: 7b573027ae4702a2bee773c3408e809c74bf1d31a59888cab0c400d5bcea1605
Instruction Fuzzy Hash: 5881E9B16006056ADB23AF60EC43FBF37A8EF16700F048025F905AF196EB75EE45D662

Function 003C9A1C Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 455windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 003C9AD2
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 003C9B8B
SendMessageW.USER32(?,00001102,00000002,?), ref: 003C9BA7

Strings

0, xrefs: 003C9BE4

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0
API String ID: 2326795674-4108050209
Opcode ID: bf60f8f631730cba0bd92cf75bf461edd6c749c75406620487e9b38afe502550
Instruction ID: 97b2cfc095254da581e0f4cbf8ec2749fbf0aa798ff91393ef4b13bf2d75576a
Opcode Fuzzy Hash: bf60f8f631730cba0bd92cf75bf461edd6c749c75406620487e9b38afe502550
Instruction Fuzzy Hash: 2B02AC31108201AFE726CF24C849FAABBE9FF49314F06852EF999D62A1C735DD54CB52

Function 003CA8CA Relevance: 39.2, APIs: 26, Instructions: 187windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 003CA903
SetTextColor.GDI32(?,?), ref: 003CA907
GetSysColorBrush.USER32(0000000F), ref: 003CA91D
GetSysColor.USER32(0000000F), ref: 003CA928
CreateSolidBrush.GDI32(?), ref: 003CA92D
GetSysColor.USER32(00000011), ref: 003CA945
CreatePen.GDI32(00000000,00000001,00743C00), ref: 003CA953
SelectObject.GDI32(?,00000000), ref: 003CA964
SetBkColor.GDI32(?,00000000), ref: 003CA96D
SelectObject.GDI32(?,?), ref: 003CA97A
InflateRect.USER32(?,000000FF,000000FF), ref: 003CA999
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 003CA9B0
GetWindowLongW.USER32(00000000,000000F0), ref: 003CA9C5
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 003CA9ED
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 003CAA14
InflateRect.USER32(?,000000FD,000000FD), ref: 003CAA32
DrawFocusRect.USER32(?,?), ref: 003CAA3D
GetSysColor.USER32(00000011), ref: 003CAA4B
SetTextColor.GDI32(?,00000000), ref: 003CAA53
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 003CAA67
SelectObject.GDI32(?,003CA5FA), ref: 003CAA7E
DeleteObject.GDI32(?), ref: 003CAA89
SelectObject.GDI32(?,?), ref: 003CAA8F
DeleteObject.GDI32(?), ref: 003CAA94
SetTextColor.GDI32(?,?), ref: 003CAA9A
SetBkColor.GDI32(?,?), ref: 003CAAA4

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 006d13e800a50436dc8c66b4f080ed89d3e56b63901ded39ed715e55f30a2822
Instruction ID: 0aba533eccb89560bc015b1e960ed4537c1d7a8d5bab8894c0b88815b401e7d3
Opcode Fuzzy Hash: 006d13e800a50436dc8c66b4f080ed89d3e56b63901ded39ed715e55f30a2822
Instruction Fuzzy Hash: 2F512B71900618EFDB129FA4DC49EAE7BBAEB08320F154625F911EB2A1D771AD40DB90

Function 003C89D5 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 003C8AC1
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 003C8AD2
CharNextW.USER32(0000014E), ref: 003C8B01
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 003C8B42
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 003C8B58
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 003C8B69
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 003C8B86
SetWindowTextW.USER32(?,0000014E), ref: 003C8BD8
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 003C8BEE
SendMessageW.USER32(?,00001002,00000000,?), ref: 003C8C1F
_memset.LIBCMT ref: 003C8C44
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 003C8C8D
_memset.LIBCMT ref: 003C8CEC
SendMessageW.USER32(?,00001053,000000FF,?), ref: 003C8D16
SendMessageW.USER32(?,00001074,?,00000001), ref: 003C8D6E
SendMessageW.USER32(?,0000133D,?,?), ref: 003C8E1B
InvalidateRect.USER32(?,00000000,00000001), ref: 003C8E3D
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 003C8E87
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 003C8EB4
DrawMenuBar.USER32(?), ref: 003C8EC3
SetWindowTextW.USER32(?,0000014E), ref: 003C8EEB

Strings

0, xrefs: 003C8E55

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 42168d615b8aefad9d255c5b6748298f14e282e58faf855bd51ce6c286e2ff41
Instruction ID: 25344ef805854ad5aa27aba7a4de6f86f990aee3ae9c768e6a6a70c40089992e
Opcode Fuzzy Hash: 42168d615b8aefad9d255c5b6748298f14e282e58faf855bd51ce6c286e2ff41
Instruction Fuzzy Hash: 65E15B75900218AEDB229F64CC84FEE7BB9EF09710F11815EF915EA290DB709E81DF60

Function 003C488F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 003C49CA
GetDesktopWindow.USER32 ref: 003C49DF
GetWindowRect.USER32(00000000), ref: 003C49E6
GetWindowLongW.USER32(?,000000F0), ref: 003C4A48
DestroyWindow.USER32(?), ref: 003C4A74
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 003C4A9D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 003C4ABB
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 003C4AE1
SendMessageW.USER32(?,00000421,?,?), ref: 003C4AF6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 003C4B09
IsWindowVisible.USER32(?), ref: 003C4B29
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 003C4B44
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 003C4B58
GetWindowRect.USER32(?,?), ref: 003C4B70
MonitorFromPoint.USER32(?,?,00000002), ref: 003C4B96
GetMonitorInfoW.USER32(00000000,?), ref: 003C4BB0
CopyRect.USER32(?,?), ref: 003C4BC7
SendMessageW.USER32(?,00000412,00000000), ref: 003C4C32

Strings

0, xrefs: 003C4975
(, xrefs: 003C4BA3
tooltips_class32, xrefs: 003C4A96

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: c124fea1182b9f13efbeffd44bd55ebb6f450d223f8f15c4de2f1c252b69de8b
Instruction ID: 56e7237c23f119d6790b7104de168182d567e414a741727e16111e5922f687ee
Opcode Fuzzy Hash: c124fea1182b9f13efbeffd44bd55ebb6f450d223f8f15c4de2f1c252b69de8b
Instruction Fuzzy Hash: 19B15871604340AFDB06DF64C898F6ABBE9AF88314F00891DF999DB2A1D771EC05CB95

Function 003A449A Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 003A44AC
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 003A44D2
_wcscpy.LIBCMT ref: 003A4500
_wcscmp.LIBCMT ref: 003A450B
_wcscat.LIBCMT ref: 003A4521
_wcsstr.LIBCMT ref: 003A452C
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 003A4548
_wcscat.LIBCMT ref: 003A4591
_wcscat.LIBCMT ref: 003A4598
_wcsncpy.LIBCMT ref: 003A45C3

Strings

StringFileInfo\, xrefs: 003A451B
\VarFileInfo\Translation, xrefs: 003A4540
04090000, xrefs: 003A457E
DefaultLangCodepage, xrefs: 003A45AB
%u.%u.%u.%u, xrefs: 003A4626

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: ff69dba5c01daed615c4881e462e830bd173fb0070c4f7a94c25b52a932ff229
Instruction ID: 0239960c095874f0559db2c14441ff8574abc295f4a180d294694a75e2627a2e
Opcode Fuzzy Hash: ff69dba5c01daed615c4881e462e830bd173fb0070c4f7a94c25b52a932ff229
Instruction Fuzzy Hash: 0A41F731A002047FDB17AB758C47EFF776CDF82710F00446AFA05EA192EB75AA0197A9

Function 003427D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 003428BC
GetSystemMetrics.USER32(00000007), ref: 003428C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 003428EF
GetSystemMetrics.USER32(00000008), ref: 003428F7
GetSystemMetrics.USER32(00000004), ref: 0034291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00342939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00342949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0034297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00342990
GetClientRect.USER32(00000000,000000FF), ref: 003429AE
GetStockObject.GDI32(00000011), ref: 003429CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 003429D5

Part of subcall function 00342344: GetCursorPos.USER32(?), ref: 00342357
Part of subcall function 00342344: ScreenToClient.USER32(004057B0,?), ref: 00342374
Part of subcall function 00342344: GetAsyncKeyState.USER32(00000001), ref: 00342399
Part of subcall function 00342344: GetAsyncKeyState.USER32(00000002), ref: 003423A7

SetTimer.USER32(00000000,00000000,00000028,00341256), ref: 003429FC

Strings

AutoIt v3 GUI, xrefs: 00342974

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: f94866d7730cb827c780a50bd92f53e197a8741d290ead840e0bc1e6cb5cd94e
Instruction ID: 0480966192f2b4a4a9e1861e2bcbf8910786f59a559fd1a1d25d11a7922678f6
Opcode Fuzzy Hash: f94866d7730cb827c780a50bd92f53e197a8741d290ead840e0bc1e6cb5cd94e
Instruction Fuzzy Hash: 73B17D7160020ADFDB16EFA8CC45BAE7BB9FB48310F518129FA15EB290DB74A850CF54

Function 0039A439 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0039A47A
__swprintf.LIBCMT ref: 0039A51B
_wcscmp.LIBCMT ref: 0039A52E
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0039A583
_wcscmp.LIBCMT ref: 0039A5BF
GetClassNameW.USER32(?,?,00000400), ref: 0039A5F6
GetDlgCtrlID.USER32(?), ref: 0039A648
GetWindowRect.USER32(?,?), ref: 0039A67E
GetParent.USER32(?), ref: 0039A69C
ScreenToClient.USER32(00000000), ref: 0039A6A3
GetClassNameW.USER32(?,?,00000100), ref: 0039A71D
_wcscmp.LIBCMT ref: 0039A731
GetWindowTextW.USER32(?,?,00000400), ref: 0039A757
_wcscmp.LIBCMT ref: 0039A76B

Part of subcall function 0036362C: _iswctype.LIBCMT ref: 00363634

Strings

%s%u, xrefs: 0039A515

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: b3da6c3cfd62abdc2121007177da8b53422183fefa59c181f0eabf3b52698550
Instruction ID: 48b6ef226fb5e130556d8dabd4b1a451a928b3f921b0c7138a5d0fd7a8f8ab2f
Opcode Fuzzy Hash: b3da6c3cfd62abdc2121007177da8b53422183fefa59c181f0eabf3b52698550
Instruction Fuzzy Hash: 21A1EF31204B06AFDB16DFA4C885FAAB7E8FF44314F008629F999C6190DB30E955CBD2

Function 0039AED4 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 0039AF18
_wcscmp.LIBCMT ref: 0039AF29
GetWindowTextW.USER32(00000001,?,00000400), ref: 0039AF51
CharUpperBuffW.USER32(?,00000000), ref: 0039AF6E
_wcscmp.LIBCMT ref: 0039AF8C
_wcsstr.LIBCMT ref: 0039AF9D
GetClassNameW.USER32(00000018,?,00000400), ref: 0039AFD5
_wcscmp.LIBCMT ref: 0039AFE5
GetWindowTextW.USER32(00000002,?,00000400), ref: 0039B00C
GetClassNameW.USER32(00000018,?,00000400), ref: 0039B055
_wcscmp.LIBCMT ref: 0039B065
GetClassNameW.USER32(00000010,?,00000400), ref: 0039B08D
GetWindowRect.USER32(00000004,?), ref: 0039B0F6

Strings

ThumbnailClass, xrefs: 0039AFE0, 0039B060
@, xrefs: 0039AEF9

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 29b805c097c8434ae20ea2f267de2314d3bdb05a317783ab53f54274837f3cda
Instruction ID: 1157e603753ef71af6df9e5d7ff6acc8ab7409ba9b3eaf54923688716bc10065
Opcode Fuzzy Hash: 29b805c097c8434ae20ea2f267de2314d3bdb05a317783ab53f54274837f3cda
Instruction Fuzzy Hash: 8781E1711082059FDF02DF14D985FAABBECEF44314F04856AFD868A096DB30ED49CBA1

Function 003CC5FE Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00342612: GetWindowLongW.USER32(?,000000EB), ref: 00342623

DragQueryPoint.SHELL32(?,?), ref: 003CC627

Part of subcall function 003CAB37: ClientToScreen.USER32(?,?), ref: 003CAB60
Part of subcall function 003CAB37: GetWindowRect.USER32(?,?), ref: 003CABD6
Part of subcall function 003CAB37: PtInRect.USER32(?,?,003CC014), ref: 003CABE6

SendMessageW.USER32(?,000000B0,?,?), ref: 003CC690
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 003CC69B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 003CC6BE
_wcscat.LIBCMT ref: 003CC6EE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 003CC705
SendMessageW.USER32(?,000000B0,?,?), ref: 003CC71E
SendMessageW.USER32(?,000000B1,?,?), ref: 003CC735
SendMessageW.USER32(?,000000B1,?,?), ref: 003CC757
DragFinish.SHELL32(?), ref: 003CC75E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 003CC851

Strings

@GUI_DRAGID, xrefs: 003CC7C9
pb@, xrefs: 003CC79B
@GUI_DRAGFILE, xrefs: 003CC800
@GUI_DROPID, xrefs: 003CC77E

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$pb@
API String ID: 169749273-4025947017
Opcode ID: c8c53b73610f10fa865f64f4581e0e6f60ae117b0a688be5e77d0eb5be8012ee
Instruction ID: 5a8b1d16598a4cfc2812773d9fd7a52d09a46ca466512320537ed6e59cb07d6e
Opcode Fuzzy Hash: c8c53b73610f10fa865f64f4581e0e6f60ae117b0a688be5e77d0eb5be8012ee
Instruction Fuzzy Hash: 47616271508304AFC702EF64DC85EAFBBE9EF89710F00092EF595DA1A1DB70A949CB52

Function 0039ABD4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0039AC33

Strings

LAST, xrefs: 0039ABF8
CLASSNAME=, xrefs: 0039AC70
ALL, xrefs: 0039ACC7
[REGEXPTITLE:, xrefs: 0039AC5B
[LAST, xrefs: 0039ACE0
[CLASS:, xrefs: 0039AC83
[ALL, xrefs: 0039ACD9
[HANDLE:, xrefs: 0039AC3F
[ACTIVE, xrefs: 0039AC20
REGEXP=, xrefs: 0039AC48
HANDLE=, xrefs: 0039AC2C
ACTIVE, xrefs: 0039AC0E

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 1deda77ee8576233fbc3eb85a35e34c96a501abc4ad67bda402c44d6d41b17ae
Instruction ID: 3228463c45aba816e77f5f34b689aaf44d84edbdd488293e26ffc04deeb016e1
Opcode Fuzzy Hash: 1deda77ee8576233fbc3eb85a35e34c96a501abc4ad67bda402c44d6d41b17ae
Instruction Fuzzy Hash: 1731B031948609ABDF13FA60DE03EFE77A8AB10750F210128F501BD1D6EB517F148A92

Function 003B4FFD Relevance: 25.6, APIs: 17, Instructions: 110COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 003B5013
LoadCursorW.USER32(00000000,00007F00), ref: 003B501E
LoadCursorW.USER32(00000000,00007F03), ref: 003B5029
LoadCursorW.USER32(00000000,00007F8B), ref: 003B5034
LoadCursorW.USER32(00000000,00007F01), ref: 003B503F
LoadCursorW.USER32(00000000,00007F81), ref: 003B504A
LoadCursorW.USER32(00000000,00007F88), ref: 003B5055
LoadCursorW.USER32(00000000,00007F80), ref: 003B5060
LoadCursorW.USER32(00000000,00007F86), ref: 003B506B
LoadCursorW.USER32(00000000,00007F83), ref: 003B5076
LoadCursorW.USER32(00000000,00007F85), ref: 003B5081
LoadCursorW.USER32(00000000,00007F82), ref: 003B508C
LoadCursorW.USER32(00000000,00007F84), ref: 003B5097
LoadCursorW.USER32(00000000,00007F04), ref: 003B50A2
LoadCursorW.USER32(00000000,00007F02), ref: 003B50AD
LoadCursorW.USER32(00000000,00007F89), ref: 003B50B8
GetCursorInfo.USER32(?), ref: 003B50C8

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: 44092b76e2756ad7faee56fdf335d07ed7bf3eca9c1c678fff9ea388d694ee98
Instruction ID: c6c075561976878960f4d8771deca6c7979fa71bdbc1c826c1d2ad7f320f3aa6
Opcode Fuzzy Hash: 44092b76e2756ad7faee56fdf335d07ed7bf3eca9c1c678fff9ea388d694ee98
Instruction Fuzzy Hash: 3131E5B1E4831D6ADF119FB68C8999FBFE8FF04754F50452AE50DE7280DA78A5008F91

Function 003CA1B9 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003CA259
DestroyWindow.USER32(?,?), ref: 003CA2D3

Part of subcall function 00347BCC: _memmove.LIBCMT ref: 00347C06

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 003CA34D
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 003CA36F
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 003CA382
DestroyWindow.USER32(00000000), ref: 003CA3A4
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00340000,00000000), ref: 003CA3DB
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 003CA3F4
GetDesktopWindow.USER32 ref: 003CA40D
GetWindowRect.USER32(00000000), ref: 003CA414
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 003CA42C
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 003CA444

Part of subcall function 003425DB: GetWindowLongW.USER32(?,000000EB), ref: 003425EC

Strings

0, xrefs: 003CA26F
tooltips_class32, xrefs: 003CA346, 003CA3D4

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: 4e999e06d5de6f711affb55374230faf22710f20e9771201c0c05e0cf4933495
Instruction ID: 183132c8d9a2896082bb3c631a674adf18de68d922a99f7545d9d89c4496c256
Opcode Fuzzy Hash: 4e999e06d5de6f711affb55374230faf22710f20e9771201c0c05e0cf4933495
Instruction Fuzzy Hash: 14717971140608AFDB26DF28CC49F6A7BEAFB88304F05452DF985DB2A0C770A916CB56

Function 003C4392 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 003C4424
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 003C446F

Strings

EXPAND, xrefs: 003C4521
GETTOTALCOUNT, xrefs: 003C4456
GETTEXT, xrefs: 003C45C2
COLLAPSE, xrefs: 003C44B5
GETITEMCOUNT, xrefs: 003C4551
CHECK, xrefs: 003C448F
EXISTS, xrefs: 003C44D8
UNCHECK, xrefs: 003C464B
SELECT, xrefs: 003C4620
GETSELECTED, xrefs: 003C457F
ISCHECKED, xrefs: 003C45F2

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: ff135646ea64d742b0de6bb2c30e9d0f4ee2b654aea090bed5d6064214882b65
Instruction ID: cfd4dd0522a18af5a5a3148432155313e98cc461b321a095b079440829a9f678
Opcode Fuzzy Hash: ff135646ea64d742b0de6bb2c30e9d0f4ee2b654aea090bed5d6064214882b65
Instruction Fuzzy Hash: 9C916A346043019BCB1AEF14C462B6EB7E5AF95350F05886DF8969F7A2CB31ED09CB81

Function 003CB7FE Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 003CB8B4
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,003C91C2), ref: 003CB910
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 003CB949
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 003CB98C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 003CB9C3
FreeLibrary.KERNEL32(?), ref: 003CB9CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 003CB9DF
DestroyIcon.USER32(?,?,?,?,?,003C91C2), ref: 003CB9EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 003CBA0B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 003CBA17

Part of subcall function 00362EFD: __wcsicmp_l.LIBCMT ref: 00362F86

Strings

.icl, xrefs: 003CB82A
.exe, xrefs: 003CB84A
.dll, xrefs: 003CB86D

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: dffa24c4be865476f5c8d847b1198d224fa9b0ccf8fd291a79a1e9b15e19b1d4
Instruction ID: c3c0064c6fe6fbc1c652d918c54cf99c157e67cb56553d6fccab72a675704863
Opcode Fuzzy Hash: dffa24c4be865476f5c8d847b1198d224fa9b0ccf8fd291a79a1e9b15e19b1d4
Instruction Fuzzy Hash: C861D171900619BEEB16DF64CC42FBEBBACEB08710F10851AF915DA1D0DB75AD90DBA0

Function 003ADC1A Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 003ADCDC
SystemTimeToFileTime.KERNEL32(?,?), ref: 003ADCEC
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 003ADCF8
__wsplitpath.LIBCMT ref: 003ADD56
_wcscat.LIBCMT ref: 003ADD6E
_wcscat.LIBCMT ref: 003ADD80
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 003ADD95
SetCurrentDirectoryW.KERNEL32(?), ref: 003ADDA9
SetCurrentDirectoryW.KERNEL32(?), ref: 003ADDDB
SetCurrentDirectoryW.KERNEL32(?), ref: 003ADDFC
_wcscpy.LIBCMT ref: 003ADE08
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 003ADE47

Strings

*.*, xrefs: 003ADE02

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
String ID: *.*
API String ID: 3566783562-438819550
Opcode ID: 4cc0fb581aacdbaa737fc4aacfe1b00d1e45b7322d6801b5365ec20a52b9151f
Instruction ID: 3fe3d4ea73ed8142a04f012710914f426d3c004e5303dbee1870d6d86999ffaa
Opcode Fuzzy Hash: 4cc0fb581aacdbaa737fc4aacfe1b00d1e45b7322d6801b5365ec20a52b9151f
Instruction Fuzzy Hash: 43615B765042059FCB11EF64C844EAFB3E8FF8A310F04491AE99ACB651EB71E945CB91

Function 003A9C38 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 003A9C7F

Part of subcall function 00347DE1: _memmove.LIBCMT ref: 00347E22

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 003A9CA0
__swprintf.LIBCMT ref: 003A9CF9
__swprintf.LIBCMT ref: 003A9D12
_wprintf.LIBCMT ref: 003A9DB9
_wprintf.LIBCMT ref: 003A9DD7

Strings

Line %d (File "%s"):, xrefs: 003A9CF3, 003A9D0C
Incorrect parameters to object property !, xrefs: 003A9D5B
"%s" (%d) : ==> %s:%s%s, xrefs: 003A9DB4
"%s" (%d) : ==> %s:, xrefs: 003A9DD2
Error: , xrefs: 003A9D81
^ ERROR , xrefs: 003A9D4E

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-3080491070
Opcode ID: aa24c326e5db4f1c97c8657c990cca9ceeaccf320d4ff0e69df596c2a6c1e667
Instruction ID: d06bfc425346c61ffa784ce47626ef51327dba480ff63e1e0d3ef21a20c5d2d0
Opcode Fuzzy Hash: aa24c326e5db4f1c97c8657c990cca9ceeaccf320d4ff0e69df596c2a6c1e667
Instruction Fuzzy Hash: F3516F32900509AACF16EBE0DD86EEEB7B8EF14300F500066F505BA1A2DB312E59DF60

Function 003AA352 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00349837: __itow.LIBCMT ref: 00349862
Part of subcall function 00349837: __swprintf.LIBCMT ref: 003498AC

CharLowerBuffW.USER32(?,?), ref: 003AA3CB
GetDriveTypeW.KERNEL32 ref: 003AA418
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 003AA460
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 003AA497
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 003AA4C5

Part of subcall function 00347BCC: _memmove.LIBCMT ref: 00347C06

Strings

set cd door , xrefs: 003AA466
closed, xrefs: 003AA3DF, 003AA3E8
close, xrefs: 003AA3D1
close cd wait, xrefs: 003AA4B0
type cdaudio alias cd wait, xrefs: 003AA443
open , xrefs: 003AA427
wait, xrefs: 003AA482
open, xrefs: 003AA3F2

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: e12dec79803c084425436099f91c8b1ea324f22b5aabebed772ccc30e8ce9c13
Instruction ID: 5aa47db62b82950c659fd395d2a142e193fd78b1ec176f3cffce7cb69bf0a28c
Opcode Fuzzy Hash: e12dec79803c084425436099f91c8b1ea324f22b5aabebed772ccc30e8ce9c13
Instruction Fuzzy Hash: 43517E725047059FC706EF25C88196BB3E8FF89758F00886DF88A9B261DB71ED09CB42

Function 0039F8AA Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,0037E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 0039F8DF
LoadStringW.USER32(00000000,?,0037E029,00000001), ref: 0039F8E8

Part of subcall function 00347DE1: _memmove.LIBCMT ref: 00347E22

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,0037E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 0039F90A
LoadStringW.USER32(00000000,?,0037E029,00000001), ref: 0039F90D
__swprintf.LIBCMT ref: 0039F95D
__swprintf.LIBCMT ref: 0039F96E
_wprintf.LIBCMT ref: 0039FA17
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0039FA2E

Strings

Line %d (File "%s"):, xrefs: 0039F957
%s (%d) : ==> %s: %s %s, xrefs: 0039FA12
^ ERROR, xrefs: 0039F9C3
Line %d:, xrefs: 0039F968
Error: , xrefs: 0039F9E5

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: 9fd7f431e8feedaca91b7663eead8c19e4169352323a145673c2d4930300b859
Instruction ID: df5d78ffaae86d917c1d9f96064fb28c13f1e18e3e7b7d7a57eeedd94d1e7d9c
Opcode Fuzzy Hash: 9fd7f431e8feedaca91b7663eead8c19e4169352323a145673c2d4930300b859
Instruction Fuzzy Hash: 5F410D72904109AACF16FBE4DD86EEEB7B8AF14300F500465F505BA0A2EB356F49CB61

Function 003CBA33 Relevance: 22.6, APIs: 15, Instructions: 130filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,003C9207,?,?), ref: 003CBA56
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,003C9207,?,?,00000000,?), ref: 003CBA6D
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,003C9207,?,?,00000000,?), ref: 003CBA78
CloseHandle.KERNEL32(00000000,?,?,?,?,003C9207,?,?,00000000,?), ref: 003CBA85
GlobalLock.KERNEL32(00000000), ref: 003CBA8E
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,003C9207,?,?,00000000,?), ref: 003CBA9D
GlobalUnlock.KERNEL32(00000000), ref: 003CBAA6
CloseHandle.KERNEL32(00000000,?,?,?,?,003C9207,?,?,00000000,?), ref: 003CBAAD
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,003C9207,?,?,00000000,?), ref: 003CBABE
OleLoadPicture.OLEAUT32(?,00000000,00000000,003D2CAC,?), ref: 003CBAD7
GlobalFree.KERNEL32(00000000), ref: 003CBAE7
GetObjectW.GDI32(00000000,00000018,?), ref: 003CBB0B
CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 003CBB36
DeleteObject.GDI32(00000000), ref: 003CBB5E
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 003CBB74

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 78f3dae36036702a7d6605aa74f8695ad0b6ed2e66f80fa9f9b0a0a48d813a49
Instruction ID: f17f1f23f5016b651718aa676f461824e69454b8fafde4d7b65d1377944e0f9c
Opcode Fuzzy Hash: 78f3dae36036702a7d6605aa74f8695ad0b6ed2e66f80fa9f9b0a0a48d813a49
Instruction Fuzzy Hash: DE410579600208AFDB129F65DC89EABBBBDFB89711F114069F945D7260D730AE01DB60

Function 003AD899 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 003ADA10
_wcscat.LIBCMT ref: 003ADA28
_wcscat.LIBCMT ref: 003ADA3A
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 003ADA4F
SetCurrentDirectoryW.KERNEL32(?), ref: 003ADA63
GetFileAttributesW.KERNEL32(?), ref: 003ADA7B
SetFileAttributesW.KERNEL32(?,00000000), ref: 003ADA95
SetCurrentDirectoryW.KERNEL32(?), ref: 003ADAA7

Strings

*.*, xrefs: 003ADAE6

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: a3dee539afa816c6f8e5ee59dd9a5bab61587d1ad305d082f3481aee25e31950
Instruction ID: a147f1384ad4c9e0bda992e79599c35190caae1f2717e6e647e7d0ca4cde7864
Opcode Fuzzy Hash: a3dee539afa816c6f8e5ee59dd9a5bab61587d1ad305d082f3481aee25e31950
Instruction Fuzzy Hash: CA8181715043419FCB66DF64C844AAFB7E8EF8A710F15882EF88ACB651E730E945CB52

Function 003CC1AC Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00342612: GetWindowLongW.USER32(?,000000EB), ref: 00342623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 003CC1FC
GetFocus.USER32 ref: 003CC20C
GetDlgCtrlID.USER32(00000000), ref: 003CC217
_memset.LIBCMT ref: 003CC342
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 003CC36D
GetMenuItemCount.USER32(?), ref: 003CC38D
GetMenuItemID.USER32(?,00000000), ref: 003CC3A0
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 003CC3D4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 003CC41C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 003CC454
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 003CC489

Strings

0, xrefs: 003CC33A

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: e12a653cd5278948153ee3d6ed9676e212381d3ef9fdb0001a30998ddfd03f0d
Instruction ID: 9f60d047ff7c8a1f2cbd4361442619ca38d2c1c3063172e8a893ed9d31e8d84b
Opcode Fuzzy Hash: e12a653cd5278948153ee3d6ed9676e212381d3ef9fdb0001a30998ddfd03f0d
Instruction Fuzzy Hash: 7E8177712183019FDB16DF15D894E6BBBE9EB88314F00892EF999D7291C730ED05CB52

Function 003B731A Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 003B738F
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 003B739B
CreateCompatibleDC.GDI32(?), ref: 003B73A7
SelectObject.GDI32(00000000,?), ref: 003B73B4
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 003B7408
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 003B7444
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 003B7468
SelectObject.GDI32(00000006,?), ref: 003B7470
DeleteObject.GDI32(?), ref: 003B7479
DeleteDC.GDI32(00000006), ref: 003B7480
ReleaseDC.USER32(00000000,?), ref: 003B748B

Strings

(, xrefs: 003B7410

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: ed707fbdf1c521996c6b154485b1c223e99ecb933ad381d5bda68ef65a4858fb
Instruction ID: ea61deead637a89b3266803787d9e08cba0bc8a4f49f147af36d3c8bdc7ae06f
Opcode Fuzzy Hash: ed707fbdf1c521996c6b154485b1c223e99ecb933ad381d5bda68ef65a4858fb
Instruction Fuzzy Hash: 69514C75904309EFCB16CFA9CC85EAEBBB9EF88710F148429FA5997610C731A9408B90

Function 00346A8C Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00360957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00346B0C,?,00008000), ref: 00360973

Part of subcall function 00344750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00344743,?,?,003437AE,?), ref: 00344770

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00346BAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00346CFA

Part of subcall function 0034586D: _wcscpy.LIBCMT ref: 003458A5

Part of subcall function 0036363D: _iswctype.LIBCMT ref: 00363645

Strings

#include depth exceeded. Make sure there are no recursive includes, xrefs: 0037E421
Error opening the file, xrefs: 0037E43D, 0037E4B8
Bad directive syntax error, xrefs: 0037E79D
EA06, xrefs: 0037E452
>>>AUTOIT SCRIPT<<<, xrefs: 0037E496
AU3!, xrefs: 00346B61
Unterminated string, xrefs: 0037E7E4

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: 8d6eb1c66658066cb39b6b8ff8534abe16e4a2f01fcb4d75c85f13e4804e8a09
Instruction ID: 60b0c3633761e779dcabc906f9e037a826e1f75196ee75168d2bfb7d448c6bdf
Opcode Fuzzy Hash: 8d6eb1c66658066cb39b6b8ff8534abe16e4a2f01fcb4d75c85f13e4804e8a09
Instruction Fuzzy Hash: B802A1315083409FC726EF24C891AAFBBE5EF99314F10491DF4999B2A2DB34E949CB53

Function 003A2D36 Relevance: 19.7, APIs: 13, Instructions: 214windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003A2D50
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 003A2DDD
GetMenuItemCount.USER32(00405890), ref: 003A2E66
DeleteMenu.USER32(00405890,00000005,00000000,000000F5,?,?), ref: 003A2EF6
DeleteMenu.USER32(00405890,00000004,00000000), ref: 003A2EFE
DeleteMenu.USER32(00405890,00000006,00000000), ref: 003A2F06
DeleteMenu.USER32(00405890,00000003,00000000), ref: 003A2F0E
GetMenuItemCount.USER32(00405890), ref: 003A2F16
SetMenuItemInfoW.USER32(00405890,00000004,00000000,00000030), ref: 003A2F4C
GetCursorPos.USER32(?), ref: 003A2F56
SetForegroundWindow.USER32(00000000), ref: 003A2F5F
TrackPopupMenuEx.USER32(00405890,00000000,?,00000000,00000000,00000000), ref: 003A2F72
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 003A2F7E

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: 2de90735afc916d3f085f8f94331c9d9605d670844d441b4b4bcfa56a3028687
Instruction ID: b65d0e660c3b6908785824a2ad278cb162583e289ec5dd8fbfd5ef4dd1780123
Opcode Fuzzy Hash: 2de90735afc916d3f085f8f94331c9d9605d670844d441b4b4bcfa56a3028687
Instruction Fuzzy Hash: 5171B270600205BEEB269F58DC45FABBF69FF06364F144216F625AA1E1C7716C60DB90

Function 003B88AB Relevance: 19.6, APIs: 10, Strings: 1, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 003B88D7
CoInitialize.OLE32(00000000), ref: 003B8904
CoUninitialize.OLE32 ref: 003B890E
GetRunningObjectTable.OLE32(00000000,?), ref: 003B8A0E
SetErrorMode.KERNEL32(00000001,00000029), ref: 003B8B3B
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,003D2C0C), ref: 003B8B6F
CoGetObject.OLE32(?,00000000,003D2C0C,?), ref: 003B8B92
SetErrorMode.KERNEL32(00000000), ref: 003B8BA5
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 003B8C25
VariantClear.OLEAUT32(?), ref: 003B8C35

Strings

,,=, xrefs: 003B88C1

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID: ,,=
API String ID: 2395222682-2941206825
Opcode ID: 83621b4678e4821fe6ba61ac336e4cd3c0c2b9bb4386185faf3f7850498704ac
Instruction ID: e868af2f9449b5f5743bb1f1d60f29dfe71fd8bd64660629035f618a37d67052
Opcode Fuzzy Hash: 83621b4678e4821fe6ba61ac336e4cd3c0c2b9bb4386185faf3f7850498704ac
Instruction Fuzzy Hash: 0CC104B1608305AFC702DF64C88496BBBE9FF89748F00495DFA8A9B251DB71ED05CB52

Function 003977DC Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00347BCC: _memmove.LIBCMT ref: 00347C06

_memset.LIBCMT ref: 0039786B
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 003978A0
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 003978BC
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 003978D8
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00397902
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 0039792A
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00397935
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0039793A

Strings

\CLSID, xrefs: 00397822
SOFTWARE\Classes\, xrefs: 0039780C
\IPC$, xrefs: 00397882

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1411258926-22481851
Opcode ID: 6fab71c79cfb133adea5565e42b9c8890ab49cd7f87f3de72e0998739bc5d4de
Instruction ID: b5a9df7422a49eba2d4d1085ec9c50316877ab9f3fdf9ce01c311910e6d79f6b
Opcode Fuzzy Hash: 6fab71c79cfb133adea5565e42b9c8890ab49cd7f87f3de72e0998739bc5d4de
Instruction Fuzzy Hash: 5841DA72C1462DABCF22EBA4DC85DEDB7B9FF04750F414069E915AB1A1DB316D08CB90

Function 003C0E1A Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,003BFDAD,?,?), ref: 003C0E31

Strings

HKEY_CURRENT_CONFIG, xrefs: 003C0EEE
HKCR, xrefs: 003C0ED9
HKEY_LOCAL_MACHINE, xrefs: 003C0E9A
HKLM, xrefs: 003C0EAF
HKEY_CLASSES_ROOT, xrefs: 003C0EC4
HKCU, xrefs: 003C0F21
HKEY_CURRENT_USER, xrefs: 003C0F10
HKEY_USERS, xrefs: 003C0F32
HKU, xrefs: 003C0F43
HKCC, xrefs: 003C0EFF

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: b3a3acecb730c2e9db847ef1fd28780e9b40c54ca102d5bb9807471018430565
Instruction ID: 9a00ae2e7d37060d315e90b973c980a99b478621e51a909da028d119bee59392
Opcode Fuzzy Hash: b3a3acecb730c2e9db847ef1fd28780e9b40c54ca102d5bb9807471018430565
Instruction Fuzzy Hash: 78415C3650028ACBCF1BEF50D892BEF3764AF21340F154419FC959B2A6DB30AD5ACB60

Function 0039F7A1 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,0037E2A0,00000010,?,Bad directive syntax error,003CF910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 0039F7C2
LoadStringW.USER32(00000000,?,0037E2A0,00000010), ref: 0039F7C9

Part of subcall function 00347DE1: _memmove.LIBCMT ref: 00347E22

_wprintf.LIBCMT ref: 0039F7FC
__swprintf.LIBCMT ref: 0039F81E
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 0039F88D

Strings

., xrefs: 0039F873
Line %d (File "%s"):, xrefs: 0039F833
%s (%d) : ==> %s.: %s %s, xrefs: 0039F7F7
Error: , xrefs: 0039F85B
Line %d:, xrefs: 0039F818

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1506413516-4153970271
Opcode ID: c6fc4ee84afc586e0b8d4fc48e605840af564879fd065a4a58ef7bbbfbc70c6b
Instruction ID: c676967b94f8f4c4b720691f07f72d65a06cfb32ca1645801d3d8d66eef3068c
Opcode Fuzzy Hash: c6fc4ee84afc586e0b8d4fc48e605840af564879fd065a4a58ef7bbbfbc70c6b
Instruction Fuzzy Hash: 2A213E3290421EAFCF17AF90CC4AEEE7779BF18300F044465F515AA0A2DB71AA18DB50

Function 003A52C7 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00347BCC: _memmove.LIBCMT ref: 00347C06

Part of subcall function 00347924: _memmove.LIBCMT ref: 003479AD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 003A5330
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 003A5346
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 003A5357
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 003A5369
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 003A537A

Strings

play PlayMe wait, xrefs: 003A5364
status PlayMe mode, xrefs: 003A532B
close PlayMe, xrefs: 003A5341, 003A536E
play PlayMe, xrefs: 003A5375
alias PlayMe, xrefs: 003A5309
open , xrefs: 003A52DF

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: 44750db9bb879232e8efeb8c98eb24503fee9da31d72fcd652b40114f992f895
Instruction ID: 484252ee1ad452a8d6c0b46a3db1ccb8b7fb9fd42969710b192f0bb65af8baec
Opcode Fuzzy Hash: 44750db9bb879232e8efeb8c98eb24503fee9da31d72fcd652b40114f992f895
Instruction Fuzzy Hash: 80119431A5012D79DB26F762CC4AEFF7BBCEBD2B40F000429B511AA0D1EFA02D04C9A0

Function 003A46B7 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 003A46D2
gethostname.WSOCK32(?,00000100), ref: 003A46EC
gethostbyname.WSOCK32(?), ref: 003A46F9
_wcscpy.LIBCMT ref: 003A4721
_memmove.LIBCMT ref: 003A4734
inet_ntoa.WSOCK32(?), ref: 003A473F
_strcat.LIBCMT ref: 003A474D
_wcscpy.LIBCMT ref: 003A4764
WSACleanup.WSOCK32 ref: 003A4772
_wcscpy.LIBCMT ref: 003A4780

Strings

0.0.0.0, xrefs: 003A471B

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: 252b8bb41932ff6c082486af4fa6b2a83487aaed37735caa3f80244ea290f988
Instruction ID: c1ca54b317f1237c84f903de9ae544267bf96922dacffe001c6b7921b4cb12cf
Opcode Fuzzy Hash: 252b8bb41932ff6c082486af4fa6b2a83487aaed37735caa3f80244ea290f988
Instruction Fuzzy Hash: BC11D531504114AFCB16AB309C46EEA77BCEB43711F0581B6F555D6091EFB29D818760

Function 003A4F75 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 003A4F7A

Part of subcall function 0036049F: timeGetTime.WINMM(?,7608B400,00350E7B), ref: 003604A3

Sleep.KERNEL32(0000000A), ref: 003A4FA6
EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 003A4FCA
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 003A4FEC
SetActiveWindow.USER32 ref: 003A500B
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 003A5019
SendMessageW.USER32(00000010,00000000,00000000), ref: 003A5038
Sleep.KERNEL32(000000FA), ref: 003A5043
IsWindow.USER32 ref: 003A504F
EndDialog.USER32(00000000), ref: 003A5060

Strings

BUTTON, xrefs: 003A4FDE

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 49a622af651f7b1490aac3945cd74f8182c4e76cbaf90f0e5cace3bbce4fc272
Instruction ID: 0c4af173f652fe2e60c341650bfd648482eb9fd4ec959b021ea9eca28dfab552
Opcode Fuzzy Hash: 49a622af651f7b1490aac3945cd74f8182c4e76cbaf90f0e5cace3bbce4fc272
Instruction Fuzzy Hash: 24218170205605BFE7139F20FE89E263BAEEB86749F061038F106D52B1CBB19D609F65

Function 003AD58D Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00349837: __itow.LIBCMT ref: 00349862
Part of subcall function 00349837: __swprintf.LIBCMT ref: 003498AC

CoInitialize.OLE32(00000000), ref: 003AD5EA
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 003AD67D
SHGetDesktopFolder.SHELL32(?), ref: 003AD691
CoCreateInstance.OLE32(003D2D7C,00000000,00000001,003F8C1C,?), ref: 003AD6DD
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 003AD74C
CoTaskMemFree.OLE32(?,?), ref: 003AD7A4
_memset.LIBCMT ref: 003AD7E1
SHBrowseForFolderW.SHELL32(?), ref: 003AD81D
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 003AD840
CoTaskMemFree.OLE32(00000000), ref: 003AD847
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 003AD87E
CoUninitialize.OLE32(00000001,00000000), ref: 003AD880

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: a55a22fa2b29995e3c80f358e85d6a26ed58f92c764da88a87441445a9ee9c6a
Instruction ID: 491a315195de51b31f6fc0bc004f02903d5183a3cd448daf0bcf02d85191da8a
Opcode Fuzzy Hash: a55a22fa2b29995e3c80f358e85d6a26ed58f92c764da88a87441445a9ee9c6a
Instruction Fuzzy Hash: 22B1FA75A00109AFDB05DFA4C889EAEBBF9FF49304F148469E90ADB261DB31ED41CB50

Function 0039C267 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 0039C283
GetWindowRect.USER32(00000000,?), ref: 0039C295
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0039C2F3
GetDlgItem.USER32(?,00000002), ref: 0039C2FE
GetWindowRect.USER32(00000000,?), ref: 0039C310
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0039C364
GetDlgItem.USER32(?,000003E9), ref: 0039C372
GetWindowRect.USER32(00000000,?), ref: 0039C383
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0039C3C6
GetDlgItem.USER32(?,000003EA), ref: 0039C3D4
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0039C3F1
InvalidateRect.USER32(?,00000000,00000001), ref: 0039C3FE

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: b78ae0ea75e682d74c65d3ff3a96b2a340042ab13007e1ae0047397fac85d229
Instruction ID: 4165305b74f439ec945acedc083afcd5280860adf923a89363d4e2b14f6e17ba
Opcode Fuzzy Hash: b78ae0ea75e682d74c65d3ff3a96b2a340042ab13007e1ae0047397fac85d229
Instruction Fuzzy Hash: B6514E71B10205AFDF19CFA9DD99EAEBBBAEB88710F14852DF515D7290D770AD008B10

Function 0034201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00341B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00342036,?,00000000,?,?,?,?,003416CB,00000000,?), ref: 00341B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 003420D3
KillTimer.USER32(-00000001,?,?,?,?,003416CB,00000000,?,?,00341AE2,?,?), ref: 0034216E
DestroyAcceleratorTable.USER32(00000000), ref: 0037BCA6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,003416CB,00000000,?,?,00341AE2,?,?), ref: 0037BCD7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,003416CB,00000000,?,?,00341AE2,?,?), ref: 0037BCEE
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,003416CB,00000000,?,?,00341AE2,?,?), ref: 0037BD0A
DeleteObject.GDI32(00000000), ref: 0037BD1C

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 516e1575af72b03777e960b811bb51c17de735356632651c1f0fc8fb6013d682
Instruction ID: 17555bf521f8a46a53e562194c4e03ad711e2f879e9ed45f5393c9efa8414972
Opcode Fuzzy Hash: 516e1575af72b03777e960b811bb51c17de735356632651c1f0fc8fb6013d682
Instruction Fuzzy Hash: 8B616832100A10DFDB37AF14DA48B2BB7F6FB40316F918529E546ABA60C774B891DF54

Function 003421A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 003425DB: GetWindowLongW.USER32(?,000000EB), ref: 003425EC

GetSysColor.USER32(0000000F), ref: 003421D3

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: be06da1ad8080fd9cea4520ac7167fc424d62250d39c1a8d1fe8a7aef03bd212
Instruction ID: be86ec5145b063d98bef77f5641fcbbcc064999d1590c9c8f9d140691787faba
Opcode Fuzzy Hash: be06da1ad8080fd9cea4520ac7167fc424d62250d39c1a8d1fe8a7aef03bd212
Instruction Fuzzy Hash: 1841C431000554DFDB635F28EC88BBA3BAAEB06331F598265FE659E1E1C771AC41DB21

Function 003AA8A7 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,003CF910), ref: 003AA90B
GetDriveTypeW.KERNEL32(00000061,003F89A0,00000061), ref: 003AA9D5
_wcscpy.LIBCMT ref: 003AA9FF

Strings

removable, xrefs: 003AA93D
fixed, xrefs: 003AA953
cdrom, xrefs: 003AA927
all, xrefs: 003AA911
unknown, xrefs: 003AA996
ramdisk, xrefs: 003AA97F
network, xrefs: 003AA969

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 06bdf1b5f374b6a7d0d4a5da5b0387757bae1b4733c5221a5f61cd8e7b475627
Instruction ID: 55b80bd0b453ffb13622150ea97b62481f932e370d0e81e91cc7fc6ba4be47c0
Opcode Fuzzy Hash: 06bdf1b5f374b6a7d0d4a5da5b0387757bae1b4733c5221a5f61cd8e7b475627
Instruction Fuzzy Hash: AE51BE325087059FC706EF14C892AAFB7E9EF86340F01482DF5959B2A2DB71ED09CA53

Function 00349837 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00349862
__swprintf.LIBCMT ref: 003498AC
__i64tow.LIBCMT ref: 0037F5E6

Strings

True, xrefs: 0037F5A7
%.15g, xrefs: 003498A6
0x%p, xrefs: 0037F5C8
False, xrefs: 0037F5AE

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: 32c699d04b2e8ab25bdc16b8cb07251d3706a5ccbe08f7ffd87342042c4844a6
Instruction ID: 7650405ea6f02e3db15d176c0e2266ba7a3c5a49eb8e67bf7a39ccd09f1a0660
Opcode Fuzzy Hash: 32c699d04b2e8ab25bdc16b8cb07251d3706a5ccbe08f7ffd87342042c4844a6
Instruction Fuzzy Hash: 3541C771604609AFDB26DF38D842F7B73E8FF46310F20846EE549DF295EA35A9418B10

Function 003C7152 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003C716A
CreateMenu.USER32 ref: 003C7185
SetMenu.USER32(?,00000000), ref: 003C7194
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 003C7221
IsMenu.USER32(?), ref: 003C7237
CreatePopupMenu.USER32 ref: 003C7241
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 003C726E
DrawMenuBar.USER32 ref: 003C7276

Strings

0, xrefs: 003C7160
F, xrefs: 003C7262

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: c9ff0a714225e88eb7b4ddb7995775d4b4045bc64c5a7e89993d6ca7b141bd83
Instruction ID: 197ea64df4543893cb0cb2f54e73674332effbce5606847c29a5af8e52f63b7b
Opcode Fuzzy Hash: c9ff0a714225e88eb7b4ddb7995775d4b4045bc64c5a7e89993d6ca7b141bd83
Instruction Fuzzy Hash: 50412276A01205AFDB22DF64D988F9ABBB9FB49350F154429FE05A7360D731A910CF90

Function 003C74BB Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 003C755E
CreateCompatibleDC.GDI32(00000000), ref: 003C7565
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 003C7578
SelectObject.GDI32(00000000,00000000), ref: 003C7580
GetPixel.GDI32(00000000,00000000,00000000), ref: 003C758B
DeleteDC.GDI32(00000000), ref: 003C7594
GetWindowLongW.USER32(?,000000EC), ref: 003C759E
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 003C75B2
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 003C75BE

Strings

static, xrefs: 003C74F6

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 35707571c8a4049822fee9f570a8ef02d74fd7ad13b332d8c5e0d62159997c64
Instruction ID: b047481bed092e0247e89491e51342982fa342ec871465ee2714490fde789d12
Opcode Fuzzy Hash: 35707571c8a4049822fee9f570a8ef02d74fd7ad13b332d8c5e0d62159997c64
Instruction Fuzzy Hash: 28314772104214AFDF129F64DC09FEA3B6EEF0A764F110228FA15E61A0C731EC21DBA4

Function 00366E03 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00366E3E

Part of subcall function 00368B28: __getptd_noexit.LIBCMT ref: 00368B28

__gmtime64_s.LIBCMT ref: 00366ED7
__gmtime64_s.LIBCMT ref: 00366F0D
__gmtime64_s.LIBCMT ref: 00366F2A
__allrem.LIBCMT ref: 00366F80
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00366F9C
__allrem.LIBCMT ref: 00366FB3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00366FD1
__allrem.LIBCMT ref: 00366FE8
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00367006
__invoke_watson.LIBCMT ref: 00367077

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction ID: 63fe0e407e3f9aab3eab1a28dc02c798cc23de3780d2f8a4bca129e48f47208b
Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction Fuzzy Hash: 0C712776A00717ABD726EF78DC42B6AB3A8AF04364F10C229F514DB285E775ED0087D0

Function 003A2527 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003A2542
GetMenuItemInfoW.USER32(00405890,000000FF,00000000,00000030), ref: 003A25A3
SetMenuItemInfoW.USER32(00405890,00000004,00000000,00000030), ref: 003A25D9
Sleep.KERNEL32(000001F4), ref: 003A25EB
GetMenuItemCount.USER32(?), ref: 003A262F
GetMenuItemID.USER32(?,00000000), ref: 003A264B
GetMenuItemID.USER32(?,-00000001), ref: 003A2675
GetMenuItemID.USER32(?,?), ref: 003A26BA
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 003A2700
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 003A2714
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 003A2735

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: eacb7c5234d182423b62311f994b890ee150f8377103e118a06ed4f75eaea941
Instruction ID: b95a47205276f14b23710dedd83759b433c2717eb894ffcb2b8d2a58c8f537c5
Opcode Fuzzy Hash: eacb7c5234d182423b62311f994b890ee150f8377103e118a06ed4f75eaea941
Instruction Fuzzy Hash: 68617E70901249AFDB13CF68DD88DBFBBB9FB46304F150069E941A7261D771AE05DB21

Function 003C6F23 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 003C6FA5
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 003C6FA8
GetWindowLongW.USER32(?,000000F0), ref: 003C6FCC
_memset.LIBCMT ref: 003C6FDD
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 003C6FEF
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 003C7067

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 075c66e2b664a909f7cf6d3d82a08d62941d820e9db9917ec5f6f3382156b4aa
Instruction ID: dbe5d898dfed1ecdeb4e1bf761b0374dd5cb07be4e9d7bb459d2d9923ed2c70c
Opcode Fuzzy Hash: 075c66e2b664a909f7cf6d3d82a08d62941d820e9db9917ec5f6f3382156b4aa
Instruction Fuzzy Hash: DC612575900208AFDB12DFA4CD81FAE77B8EB09710F14416AFA14EB2A1C771AD51DFA4

Function 00396B98 Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00396BBF
SafeArrayAllocData.OLEAUT32(?), ref: 00396C18
VariantInit.OLEAUT32(?), ref: 00396C2A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00396C4A
VariantCopy.OLEAUT32(?,?), ref: 00396C9D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00396CB1
VariantClear.OLEAUT32(?), ref: 00396CC6
SafeArrayDestroyData.OLEAUT32(?), ref: 00396CD3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00396CDC
VariantClear.OLEAUT32(?), ref: 00396CEE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00396CF9

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 0dec09fe181b2ef052c1e603d985c41d434d0c30935b3177feb7863866e665c4
Instruction ID: 5be6d5ba901adb7eaa02ecac96095fdce9503d7d0304b3853425f9c758982808
Opcode Fuzzy Hash: 0dec09fe181b2ef052c1e603d985c41d434d0c30935b3177feb7863866e665c4
Instruction Fuzzy Hash: BC415E71A002199FCF06EFA9D845DAEBBB9EF08354F008069F955EB261DB30A945CF90

Function 003B5732 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 003B5793
inet_addr.WSOCK32(?,?,?), ref: 003B57D8
gethostbyname.WSOCK32(?), ref: 003B57E4
IcmpCreateFile.IPHLPAPI ref: 003B57F2
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 003B5862
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 003B5878
IcmpCloseHandle.IPHLPAPI(00000000), ref: 003B58ED
WSACleanup.WSOCK32 ref: 003B58F3

Strings

Ping, xrefs: 003B5816

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: fee3a3a5c803eba42662a53d0ee11d40e5af9739ca437157202d692ca17612c6
Instruction ID: 36628747b76c664398c8cba7019e1e6cd326a5a44e9901fac8e7e1c7e45239e1
Opcode Fuzzy Hash: fee3a3a5c803eba42662a53d0ee11d40e5af9739ca437157202d692ca17612c6
Instruction Fuzzy Hash: 955171316047009FDB12EF25DC46B6AB7E8EF48714F05492AFA56DB6A1DB70E800DF52

Function 003AB4C3 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 003AB4D0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 003AB546
GetLastError.KERNEL32 ref: 003AB550
SetErrorMode.KERNEL32(00000000,READY), ref: 003AB5BD

Strings

INVALID, xrefs: 003AB58F
READY, xrefs: 003AB596
UNKNOWN, xrefs: 003AB575
READONLY, xrefs: 003AB588
NOTREADY, xrefs: 003AB57C

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: b6f8e34d88b4a5e424b242ebfb3cfb3ae1afd7dc4995968ffc70fbab0e14bd60
Instruction ID: 5a170e2afe5cb79cc1f410d4ac8b507a33b49f07de32578dc28d46858039c882
Opcode Fuzzy Hash: b6f8e34d88b4a5e424b242ebfb3cfb3ae1afd7dc4995968ffc70fbab0e14bd60
Instruction Fuzzy Hash: 83316035E002099FCB16DBA8C845EBEBBB8EF4B310F154166E505DB292DB71AA42CB51

Function 00398F8F Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00347DE1: _memmove.LIBCMT ref: 00347E22

Part of subcall function 0039AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0039AABC

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00399014
GetDlgCtrlID.USER32 ref: 0039901F
GetParent.USER32 ref: 0039903B
SendMessageW.USER32(00000000,?,00000111,?), ref: 0039903E
GetDlgCtrlID.USER32(?), ref: 00399047
GetParent.USER32(?), ref: 00399063
SendMessageW.USER32(00000000,?,?,00000111), ref: 00399066

Strings

ComboBox, xrefs: 00398F9C
ListBox, xrefs: 00398FD1

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 028bcc1afa895cf7558a128a14ce5fe5208b21f52ddda1d60f0377bf9b0ba568
Instruction ID: 88f8004a481a7719fa3215d966ffea81ec4db5a320d420626277568bf7e54843
Opcode Fuzzy Hash: 028bcc1afa895cf7558a128a14ce5fe5208b21f52ddda1d60f0377bf9b0ba568
Instruction Fuzzy Hash: 65219B75E00108BFDF06ABA4CC85EFEB7B9EF49310F10415AF5619B2A1DB755825DB20

Function 0039907A Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00347DE1: _memmove.LIBCMT ref: 00347E22

Part of subcall function 0039AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0039AABC

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 003990FD
GetDlgCtrlID.USER32 ref: 00399108
GetParent.USER32 ref: 00399124
SendMessageW.USER32(00000000,?,00000111,?), ref: 00399127
GetDlgCtrlID.USER32(?), ref: 00399130
GetParent.USER32(?), ref: 0039914C
SendMessageW.USER32(00000000,?,?,00000111), ref: 0039914F

Strings

ComboBox, xrefs: 00399087
ListBox, xrefs: 003990BC

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: d9f9c754aded1eed0e0b049011167e0a2afef0ffcccd79c83c0ac35501a48a4d
Instruction ID: d533b781a16a531ce7c48b61d68e13a2f4a44f2f6cd4130a96457888641bf104
Opcode Fuzzy Hash: d9f9c754aded1eed0e0b049011167e0a2afef0ffcccd79c83c0ac35501a48a4d
Instruction Fuzzy Hash: 1621B675A00109BFDF02ABA4CC85EFEBBB9EF49300F10411AF5519B3A2DB755815DB21

Function 00399163 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 0039916F
GetClassNameW.USER32(00000000,?,00000100), ref: 00399184
_wcscmp.LIBCMT ref: 00399196
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00399211

Strings

list, xrefs: 003991F3
largeicons, xrefs: 003991A5
SHELLDLL_DefView, xrefs: 00399190
smallicons, xrefs: 003991D9
details, xrefs: 003991BF

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: 47e2321728f7c5905ccca153fb94f611036dee6de87c5ca409acf2ebb4c37486
Instruction ID: 958137ad29088aa597d343349a24efbb244c0353144134d7e801d2812c651800
Opcode Fuzzy Hash: 47e2321728f7c5905ccca153fb94f611036dee6de87c5ca409acf2ebb4c37486
Instruction Fuzzy Hash: 3311CA3A24870BB9FE232728DC06EF7379C9B15760B21442BFA00E54D6EFA268615A54

Function 003A7990 Relevance: 15.3, APIs: 10, Instructions: 292COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 003A7A6C

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: ba922e6f54af62a9efe27091a41e9b0bb2160f4016f2710affb0ad50c4ded1aa
Instruction ID: 9ec6aa3c4f5a3f4968195dc38e9f37546e79b260b056a7e05e5c3a3dcff87197
Opcode Fuzzy Hash: ba922e6f54af62a9efe27091a41e9b0bb2160f4016f2710affb0ad50c4ded1aa
Instruction Fuzzy Hash: 4EB16C71A0421A9FDB12DFA4CCC5BBEB7B9EF0A321F254429E541EB251D734E941CBA0

Function 003A11CE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 003A11F0
GetForegroundWindow.USER32(00000000,?,?,?,?,?,003A0268,?,00000001), ref: 003A1204
GetWindowThreadProcessId.USER32(00000000), ref: 003A120B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,003A0268,?,00000001), ref: 003A121A
GetWindowThreadProcessId.USER32(?,00000000), ref: 003A122C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,003A0268,?,00000001), ref: 003A1245
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,003A0268,?,00000001), ref: 003A1257
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,003A0268,?,00000001), ref: 003A129C
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,003A0268,?,00000001), ref: 003A12B1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,003A0268,?,00000001), ref: 003A12BC

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 2d9c64ab200b4c0040f7c00c7f2642a0b09440c2e626c767293be912c76fde93
Instruction ID: 5a0588a36a2950158dc77ca2d6fdd3fedcd0209b6c42dc3b055e3ed5334bf36b
Opcode Fuzzy Hash: 2d9c64ab200b4c0040f7c00c7f2642a0b09440c2e626c767293be912c76fde93
Instruction Fuzzy Hash: 0D310F75600204FFFB229F50EE88F6A37AEEB56351F124525FE01E62A0D3B4ED508B64

Function 0034FA5D Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 0034FAA6
OleUninitialize.OLE32(?,00000000), ref: 0034FB45
UnregisterHotKey.USER32(?), ref: 0034FC9C
DestroyWindow.USER32(?), ref: 003845D6
FreeLibrary.KERNEL32(?), ref: 0038463B
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00384668

Strings

close all, xrefs: 0034FAA1

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 2b4eb1ff056c197fad66da1551912d746f9de48832986b9231f5a2254fc4ed2b
Instruction ID: 43795fb01d298621d0bcee262aa5de89b0003b1220b3bdbb19fbad8c2f7fb1fc
Opcode Fuzzy Hash: 2b4eb1ff056c197fad66da1551912d746f9de48832986b9231f5a2254fc4ed2b
Instruction Fuzzy Hash: 19A14A31701212CFCB2AEF14C995E69F7A5AF05710F5542ADE80AAF662DB30ED16CF90

Function 003B9113 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003B9167
VariantInit.OLEAUT32(?), ref: 003B9238
VariantInit.OLEAUT32(?), ref: 003B9339
VariantClear.OLEAUT32(?), ref: 003B9343
VariantClear.OLEAUT32(?), ref: 003B93A0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 003B931C
,,=, xrefs: 003B91E5
Null Object assignment in FOR..IN loop, xrefs: 003B91C8, 003B92F6, 003B93AE

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: ,,=$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-1434771687
Opcode ID: 925ff1cc4f11a455b0cdd31462d037e00887768e1fb18218f7e2ba93e803a917
Instruction ID: 798e4cd7f962c8520993221db61e8b4b8d15652c12db27229424a761ea8fa032
Opcode Fuzzy Hash: 925ff1cc4f11a455b0cdd31462d037e00887768e1fb18218f7e2ba93e803a917
Instruction Fuzzy Hash: E0919131E00219ABDF26CFA5C848FEEBBB8EF45714F11855AF715AB680D7709940CBA0

Function 0039A068 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,0039A439), ref: 0039A377

Strings

REGEXPCLASS, xrefs: 0039A13C
TEXT, xrefs: 0039A2AE
INSTANCE, xrefs: 0039A285
CLASS, xrefs: 0039A0F6
NAME, xrefs: 0039A1A9
CLASSNN, xrefs: 0039A119

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 020269696cb43aec0efd8b5daaf4cecb5e5004d752ed3febd03666b0ed0d75c3
Instruction ID: 07f0b68ce8287894ca591130f96b3d54b7c24f8a825259240fc0200ed506960c
Opcode Fuzzy Hash: 020269696cb43aec0efd8b5daaf4cecb5e5004d752ed3febd03666b0ed0d75c3
Instruction Fuzzy Hash: 7691DC31A00A05ABCF0ADFA0C482BEEF7B4FF04300F558619D999AB151DF316959DBD1

Function 00342E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00342EAE

Part of subcall function 00341DB3: GetClientRect.USER32(?,?), ref: 00341DDC
Part of subcall function 00341DB3: GetWindowRect.USER32(?,?), ref: 00341E1D
Part of subcall function 00341DB3: ScreenToClient.USER32(?,?), ref: 00341E45

GetDC.USER32 ref: 0037CD32
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0037CD45
SelectObject.GDI32(00000000,00000000), ref: 0037CD53
SelectObject.GDI32(00000000,00000000), ref: 0037CD68
ReleaseDC.USER32(?,00000000), ref: 0037CD70
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0037CDFB

Strings

U, xrefs: 0037CCD0

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 2ef8cb3185eeb1811fc3a47d0db025cf735c96a51c2cc229f32bb19a3887a791
Instruction ID: 0221af811a786119a7463e76097216f0e1b82a47c5c8ce44678cd3910ecde29b
Opcode Fuzzy Hash: 2ef8cb3185eeb1811fc3a47d0db025cf735c96a51c2cc229f32bb19a3887a791
Instruction Fuzzy Hash: B771AE31400205DFCF339F64C884AAA7BB9FF48310F15926AFD59AA2A6D7359C91DF50

Function 003B1A15 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 003B1A50
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 003B1A7C
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 003B1ABE
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 003B1AD3
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 003B1AE0
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 003B1B10
InternetCloseHandle.WININET(00000000), ref: 003B1B57

Part of subcall function 003B2483: GetLastError.KERNEL32(?,?,003B1817,00000000,00000000,00000001), ref: 003B2498
Part of subcall function 003B2483: SetEvent.KERNEL32(?,?,003B1817,00000000,00000000,00000001), ref: 003B24AD

Strings

, xrefs: 003B1B01

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
String ID:
API String ID: 2603140658-3916222277
Opcode ID: 23d043cba992f983dc4c258d3f1c3d356dfcc4956042b8bce81c99dd2e78a462
Instruction ID: a4a34ef105e501ae5773a6214d96e9e054a0b6d00b182ea77a6bdfec85250619
Opcode Fuzzy Hash: 23d043cba992f983dc4c258d3f1c3d356dfcc4956042b8bce81c99dd2e78a462
Instruction Fuzzy Hash: D8414DB1501219BFEB139F50CC99FFB7BADEF08358F00412AFA059A541E774AE449BA0

Function 003B8C46 Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,003CF910), ref: 003B8D28
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,003CF910), ref: 003B8D5C
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 003B8ED6
SysFreeString.OLEAUT32(?), ref: 003B8F00

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 8f4ebdf74c55a8732c66954c8095178c25c08231149ece2d9f91fe89ed2fdf9e
Instruction ID: b23eb544ad94820b923d08d7eca3585479d68ae775ab5dc144f87692344c387b
Opcode Fuzzy Hash: 8f4ebdf74c55a8732c66954c8095178c25c08231149ece2d9f91fe89ed2fdf9e
Instruction Fuzzy Hash: 36F12971A00209AFCF15EF94C884EEEB7B9FF45318F118459FA05AB651DB31AE46CB60

Function 003BF694 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003BF6B5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 003BF848
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 003BF86C
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 003BF8AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 003BF8CE
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 003BFA4A
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 003BFA7C
CloseHandle.KERNEL32(?), ref: 003BFAAB
CloseHandle.KERNEL32(?), ref: 003BFB22

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 40a6e42e7e1223f406c62726caeebd13ff507519f42cb037649fc43bff7e0a64
Instruction ID: 21b2f44802acf69b1498bdbe576dbe430373731d82a19ce56c533b7a91b4d4db
Opcode Fuzzy Hash: 40a6e42e7e1223f406c62726caeebd13ff507519f42cb037649fc43bff7e0a64
Instruction Fuzzy Hash: A6E1B0316042009FC716EF24C881BABBBE5EF85354F14896DF9898F6A2CB31EC45CB52

Function 003A4CC1 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 003A466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,003A3697,?), ref: 003A468B

Part of subcall function 003A466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,003A3697,?), ref: 003A46A4

Part of subcall function 003A4A31: GetFileAttributesW.KERNEL32(?,003A370B), ref: 003A4A32

lstrcmpiW.KERNEL32(?,?), ref: 003A4D40
_wcscmp.LIBCMT ref: 003A4D5A
MoveFileW.KERNEL32(?,?), ref: 003A4D75

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 001e1bf4c21efc4a5ed4c10b0cc7b2cee662c904b21ffe588e41ad7e7665caba
Instruction ID: 066db907b4a049e6b9965aef3b795f04260a724be72ef9d53b715bfda007ad78
Opcode Fuzzy Hash: 001e1bf4c21efc4a5ed4c10b0cc7b2cee662c904b21ffe588e41ad7e7665caba
Instruction Fuzzy Hash: F15142B24083459BC726DBA4D8819DFB3ECEF85350F00492EB689D7152EF74A588C766

Function 003C8645 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 003C86FF

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: d9c336331cc541fb5a09b59166bb8e598e72f72f4e39956e69e661631b75921b
Instruction ID: 138a0bf4eae0496724fbb0b30a5a08715e4e853e7bb5f33ea3fb1b2de587047a
Opcode Fuzzy Hash: d9c336331cc541fb5a09b59166bb8e598e72f72f4e39956e69e661631b75921b
Instruction Fuzzy Hash: 9451B430500244BEEF229F24DC89FAD7BA9EB05354F604129FA55EA5E1DF71AF90CB50

Function 00342B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0037C2F7
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0037C319
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0037C331
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0037C34F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0037C370
DestroyIcon.USER32(00000000), ref: 0037C37F
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0037C39C
DestroyIcon.USER32(?), ref: 0037C3AB

Part of subcall function 003CA4AF: DeleteObject.GDI32(00000000), ref: 003CA4E8

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: 8eae9e03a64244dd1420a4c54238fbe9467afcb725071159542003b2da885d2b
Instruction ID: ade7a3a8ba4f054f1c346ed12cdcd494993c424a91d54bebbeaac32fae347e2d
Opcode Fuzzy Hash: 8eae9e03a64244dd1420a4c54238fbe9467afcb725071159542003b2da885d2b
Instruction Fuzzy Hash: 7E517974610609AFDB26DF64CC45FAB3BE9EB48310F108528F906EB690DB74AC90DB50

Function 0039966E Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0039A82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0039A84C
Part of subcall function 0039A82C: GetCurrentThreadId.KERNEL32 ref: 0039A853
Part of subcall function 0039A82C: AttachThreadInput.USER32(00000000,?,00399683,?,00000001), ref: 0039A85A

MapVirtualKeyW.USER32(00000025,00000000), ref: 0039968E
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 003996AB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 003996AE
MapVirtualKeyW.USER32(00000025,00000000), ref: 003996B7
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 003996D5
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 003996D8
MapVirtualKeyW.USER32(00000025,00000000), ref: 003996E1
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 003996F8
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 003996FB

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: d13ff05b74cb0929c2b1d5aaf21dc4c67b145bc5702b1f378da925339d7f741f
Instruction ID: d98b9d8387680f67b0c8184e557c781eccd922c245372264010a9e1db2b7f416
Opcode Fuzzy Hash: d13ff05b74cb0929c2b1d5aaf21dc4c67b145bc5702b1f378da925339d7f741f
Instruction Fuzzy Hash: C411E571910618BEFA116F64DC49F6A7F1EDB4C7A0F110426F644EB0A0C9F36C10DBA4

Function 00398921 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0039853C,00000B00,?,?), ref: 0039892A
HeapAlloc.KERNEL32(00000000,?,0039853C,00000B00,?,?), ref: 00398931
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0039853C,00000B00,?,?), ref: 00398946
GetCurrentProcess.KERNEL32(?,00000000,?,0039853C,00000B00,?,?), ref: 0039894E
DuplicateHandle.KERNEL32(00000000,?,0039853C,00000B00,?,?), ref: 00398951
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0039853C,00000B00,?,?), ref: 00398961
GetCurrentProcess.KERNEL32(0039853C,00000000,?,0039853C,00000B00,?,?), ref: 00398969
DuplicateHandle.KERNEL32(00000000,?,0039853C,00000B00,?,?), ref: 0039896C
CreateThread.KERNEL32(00000000,00000000,00398992,00000000,00000000,00000000), ref: 00398986

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 034178ec0add21d3795b2578758f94fa96d73fb49c28f931d2ba2cf3f24a9dd6
Instruction ID: 851cd210e0dd647218f7a7b8beb83b1870f77d049a1ea7b617cf5c20434be439
Opcode Fuzzy Hash: 034178ec0add21d3795b2578758f94fa96d73fb49c28f931d2ba2cf3f24a9dd6
Instruction Fuzzy Hash: 8B01BBB5240308FFE711ABA5DC4DF6B7BADEB89711F448421FA05DB1A1CA71AC00CB20

Function 003B9B23 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 003B9B7B
NULL Pointer assignment, xrefs: 003B9BA4, 003B9EC8

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: ef43df0c63e5acb21ef089391854cf4e56906d16e2f99d1119167a015263d179
Instruction ID: 1c024927c8ed11a1bf86b45d717d40a5aea64f677e4ca4cd68e93801e4857db9
Opcode Fuzzy Hash: ef43df0c63e5acb21ef089391854cf4e56906d16e2f99d1119167a015263d179
Instruction Fuzzy Hash: FEC19171A002199FDF11DF59D884BEEB7F9AB48318F15846AEB05AB681E770ED40CB90

Function 003B975D Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 0039710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00397044,80070057,?,?,?,00397455), ref: 00397127
Part of subcall function 0039710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00397044,80070057,?,?), ref: 00397142
Part of subcall function 0039710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00397044,80070057,?,?), ref: 00397150
Part of subcall function 0039710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00397044,80070057,?), ref: 00397160

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 003B9806
_memset.LIBCMT ref: 003B9813
_memset.LIBCMT ref: 003B9956
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 003B9982
CoTaskMemFree.OLE32(?), ref: 003B998D

Strings

NULL Pointer assignment, xrefs: 003B99DB

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: ffbe5e7b7b30800ebb7b72485a0fc9c22648a8294ae901fad6c5a712beb4563f
Instruction ID: bfc0f7e8c2a373f0233293b2a665d716dbc4c844936917b0f669a89b05e91b1a
Opcode Fuzzy Hash: ffbe5e7b7b30800ebb7b72485a0fc9c22648a8294ae901fad6c5a712beb4563f
Instruction Fuzzy Hash: 3F914A71D00228EBDB12DFA5DC41EDEBBB9EF08714F10415AF619AB291DB716A44CFA0

Function 003C6D80 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 003C6E24
SendMessageW.USER32(?,00001036,00000000,?), ref: 003C6E38
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 003C6E52
_wcscat.LIBCMT ref: 003C6EAD
SendMessageW.USER32(?,00001057,00000000,?), ref: 003C6EC4
SendMessageW.USER32(?,00001061,?,0000000F), ref: 003C6EF2

Strings

SysListView32, xrefs: 003C6DF6

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: cef7f1fa037530a91df6903c7403c0dcc2876a200b1e6ea12f012a743147bafb
Instruction ID: 65bd245b03065eaffcb2e3f40e658f98ee270559023286ff572d3836e5f1fa4c
Opcode Fuzzy Hash: cef7f1fa037530a91df6903c7403c0dcc2876a200b1e6ea12f012a743147bafb
Instruction Fuzzy Hash: E2418175A00348AFDB229F64CC86FEE77E9EF08350F11442EF545E7291D6729D848B60

Function 003BE933 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 003A3C55: CreateToolhelp32Snapshot.KERNEL32 ref: 003A3C7A
Part of subcall function 003A3C55: Process32FirstW.KERNEL32(00000000,?), ref: 003A3C88
Part of subcall function 003A3C55: CloseHandle.KERNEL32(00000000), ref: 003A3D52

OpenProcess.KERNEL32(00000001,00000000,?), ref: 003BE9A4
GetLastError.KERNEL32 ref: 003BE9B7
OpenProcess.KERNEL32(00000001,00000000,?), ref: 003BE9E6
TerminateProcess.KERNEL32(00000000,00000000), ref: 003BEA63
GetLastError.KERNEL32(00000000), ref: 003BEA6E
CloseHandle.KERNEL32(00000000), ref: 003BEAA3

Strings

SeDebugPrivilege, xrefs: 003BE9C2

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 036a273c620e56d8e32156473674f6a83e9ff9b9fbacd77fba88ff930c8ee019
Instruction ID: ce7bbfed17c9b6a77b97161935c940b6bb9573fef6c45b031da628d3ff6f9d83
Opcode Fuzzy Hash: 036a273c620e56d8e32156473674f6a83e9ff9b9fbacd77fba88ff930c8ee019
Instruction Fuzzy Hash: B141B1312002009FDB12EF28CC96FAEBBE9AF41314F048419FA029F2D2CB75E804CB91

Function 003A2F94 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 003A3033

Strings

info, xrefs: 003A2FD4
stop, xrefs: 003A3004
warning, xrefs: 003A301C
question, xrefs: 003A2FEC
blank, xrefs: 003A2FB5

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: a8c8304c8257f440c045441e4b9bf04e2a0b3939b0c3317ca81b976dc39b159c
Instruction ID: 227a865b8769703e0b7cbdda83d35f6c805613fcda0774b9d0f3c74275f8fa14
Opcode Fuzzy Hash: a8c8304c8257f440c045441e4b9bf04e2a0b3939b0c3317ca81b976dc39b159c
Instruction Fuzzy Hash: 6D11273534874ABEE71BDB18DC42CAB7B9CDF17360F21402AFA05AA181DB71AF4056A1

Function 003A42F8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 003A4312
LoadStringW.USER32(00000000), ref: 003A4319
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 003A432F
LoadStringW.USER32(00000000), ref: 003A4336
_wprintf.LIBCMT ref: 003A435C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 003A437A

Strings

%s (%d) : ==> %s: %s %s, xrefs: 003A4357

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 0b00bd2486e6844e4bc4a80e64d3e60ac6d50ebe811a0d394cbd584bdc49e01d
Instruction ID: c5f8bbf88470f99a6b88b27953208bfcbf79a9cef841a66cfc19a1f6a4242933
Opcode Fuzzy Hash: 0b00bd2486e6844e4bc4a80e64d3e60ac6d50ebe811a0d394cbd584bdc49e01d
Instruction Fuzzy Hash: 990162F6900208BFEB52ABA0DD89EF7776CDB08300F0005A5B745E6051EA756E954B74

Function 003CD43E Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00342612: GetWindowLongW.USER32(?,000000EB), ref: 00342623

GetSystemMetrics.USER32(0000000F), ref: 003CD47C
GetSystemMetrics.USER32(0000000F), ref: 003CD49C
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 003CD6D7
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 003CD6F5
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 003CD716
ShowWindow.USER32(00000003,00000000), ref: 003CD735
InvalidateRect.USER32(?,00000000,00000001), ref: 003CD75A
DefDlgProcW.USER32(?,00000005,?,?), ref: 003CD77D

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 73fda0e1e69f5ad070fa247140701fb4124f4bfab8045a302fb9af118724e6cb
Instruction ID: 0a80f03da053b2bdd44a64c2e1cccfc2d99468236810353a22535ec9df483b0e
Opcode Fuzzy Hash: 73fda0e1e69f5ad070fa247140701fb4124f4bfab8045a302fb9af118724e6cb
Instruction Fuzzy Hash: 9BB17971600225AFDF16CF68C985BAA7BB1BF44701F098079FD48EA695DB34AD50CB90

Function 00342A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0037C1C7,00000004,00000000,00000000,00000000), ref: 00342ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0037C1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00342B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0037C1C7,00000004,00000000,00000000,00000000), ref: 0037C21A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0037C1C7,00000004,00000000,00000000,00000000), ref: 0037C286

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 56e7d850df2997e18a974218ff0275915716892efd6cb6abf17bba80891322ef
Instruction ID: dd32e05bcba1d104ed7ac11883357ef170d1a075de52fc9b482a50db2e7a6e65
Opcode Fuzzy Hash: 56e7d850df2997e18a974218ff0275915716892efd6cb6abf17bba80891322ef
Instruction Fuzzy Hash: 7E410B316146809ECB379B288C8CB6B7BDAEB45300F95C81DF44BAE961CA75B845D711

Function 003A70C6 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 003A70DD

Part of subcall function 00360DB6: std::exception::exception.LIBCMT ref: 00360DEC
Part of subcall function 00360DB6: __CxxThrowException@8.LIBCMT ref: 00360E01

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 003A7114
EnterCriticalSection.KERNEL32(?), ref: 003A7130
_memmove.LIBCMT ref: 003A717E
_memmove.LIBCMT ref: 003A719B
LeaveCriticalSection.KERNEL32(?), ref: 003A71AA
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 003A71BF
InterlockedExchange.KERNEL32(?,000001F6), ref: 003A71DE

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: 1ba8bd0950c665fb5d40fcd6208a46027a8c7637445f2ccff80d7303e9e5cb44
Instruction ID: f7387647d9c8bcc3a7d233fe54b793fbe1847e9e26815bff9828ff97b5547903
Opcode Fuzzy Hash: 1ba8bd0950c665fb5d40fcd6208a46027a8c7637445f2ccff80d7303e9e5cb44
Instruction Fuzzy Hash: 21316D75900205EFCB06DFA4DC86EAFB7B9EF45310F1481B5E904EB246DB30AA10CBA0

Function 003C61D3 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 003C61EB
GetDC.USER32(00000000), ref: 003C61F3
GetDeviceCaps.GDI32(00000000,0000005A), ref: 003C61FE
ReleaseDC.USER32(00000000,00000000), ref: 003C620A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 003C6246
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 003C6257
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,003C902A,?,?,000000FF,00000000,?,000000FF,?), ref: 003C6291
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 003C62B1

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 999a8ac61cb536eaf1df8ac85787bf78de2236f9fcb8eca03461dc1bde07fe23
Instruction ID: de0db65f86ffed5b0b18f40f21292657b1129b8ea61dd25e3c83d9b8601b28f8
Opcode Fuzzy Hash: 999a8ac61cb536eaf1df8ac85787bf78de2236f9fcb8eca03461dc1bde07fe23
Instruction Fuzzy Hash: 5E314F72101214BFEB128F50CC8AFEA3BAEEF49765F054065FE48DA291C675AC51CB64

Function 0039BBAF Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 0039BBC4
_memcmp.LIBCMT ref: 0039BBE6
_memcmp.LIBCMT ref: 0039BBFE
_memcmp.LIBCMT ref: 0039BC11
_memcmp.LIBCMT ref: 0039BC2B
_memcmp.LIBCMT ref: 0039BC3E
_memcmp.LIBCMT ref: 0039BC56
_memcmp.LIBCMT ref: 0039BC71

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: a8ef88c1a00a2ee9d5cc1b230fa33d3e5420aa9b97449359d7d2086e5ade354c
Instruction ID: 371fbe598280f1ea57a5767b2f1f2d5c1327497e7c315e8d9214f80d51d1c451
Opcode Fuzzy Hash: a8ef88c1a00a2ee9d5cc1b230fa33d3e5420aa9b97449359d7d2086e5ade354c
Instruction Fuzzy Hash: 0021A7A26012057BEA076612BE42FFBF36D9E603C8F098021FD049B68BEF54DE1185B1

Function 003AEB23 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00349837: __itow.LIBCMT ref: 00349862
Part of subcall function 00349837: __swprintf.LIBCMT ref: 003498AC

Part of subcall function 0035FC86: _wcscpy.LIBCMT ref: 0035FCA9

_wcstok.LIBCMT ref: 003AEC94
_wcscpy.LIBCMT ref: 003AED23
_memset.LIBCMT ref: 003AED56

Strings

X, xrefs: 003AED93

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: d39a440ff5fed004650e8a8148028cf4430da9c14af8e6644b9eeb87d69fb6ba
Instruction ID: c81d6ee07a9233681d789ce918d6c9ee11bedddf5c590abacb322ab55fd61942
Opcode Fuzzy Hash: d39a440ff5fed004650e8a8148028cf4430da9c14af8e6644b9eeb87d69fb6ba
Instruction Fuzzy Hash: 7FC15B716087009FC766EF24C885A6AB7E4EF85310F01492DF8999F2A2DB71EC45CB82

Function 003B6B03 Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 003B6C00
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 003B6C21
WSAGetLastError.WSOCK32(00000000), ref: 003B6C34
htons.WSOCK32(?,?,?,00000000,?), ref: 003B6CEA
inet_ntoa.WSOCK32(?), ref: 003B6CA7

Part of subcall function 0039A7E9: _strlen.LIBCMT ref: 0039A7F3
Part of subcall function 0039A7E9: _memmove.LIBCMT ref: 0039A815

_strlen.LIBCMT ref: 003B6D44
_memmove.LIBCMT ref: 003B6DAD

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: 34b88c90dadfb9f790d6674f9c7f6f436ce539a6dd278c33c3c0dc50de43fc5e
Instruction ID: 48926cfb1bae8bc0d1c15cc650fbc91a6955937b89ec5af6abf78233caf91d04
Opcode Fuzzy Hash: 34b88c90dadfb9f790d6674f9c7f6f436ce539a6dd278c33c3c0dc50de43fc5e
Instruction Fuzzy Hash: A7819D71604200ABC712EB24CC86FABB7E9AF84718F144A1DFA559F293DB74AD05CB91

Function 00341424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c7c62057d4f1fb004d4c4afa8cd903f41f9375637c2f9f1c9d37f83d4e3b665
Instruction ID: 06d4ae3ce82088368f10aefacf55c1b70daef003674bf6f8229b592c3b486884
Opcode Fuzzy Hash: 5c7c62057d4f1fb004d4c4afa8cd903f41f9375637c2f9f1c9d37f83d4e3b665
Instruction Fuzzy Hash: F7717A30900509EFCB16CF99CC89EBEBBB9FF85314F158159F915AA251C734AA91CBA0

Function 003CB351 Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(01605808), ref: 003CB3EB
IsWindowEnabled.USER32(01605808), ref: 003CB3F7
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 003CB4DB
SendMessageW.USER32(01605808,000000B0,?,?), ref: 003CB512
IsDlgButtonChecked.USER32(?,?), ref: 003CB54F
GetWindowLongW.USER32(01605808,000000EC), ref: 003CB571
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 003CB589

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 328b04e1f18b541abf65acf2ff8d4fb301943fe7c9c8b78566aaf2fe0614a597
Instruction ID: 255aea1f59b2bc5fc4c4abd1273194c1f5c8485ce050c62797a5ab2c0e11fccf
Opcode Fuzzy Hash: 328b04e1f18b541abf65acf2ff8d4fb301943fe7c9c8b78566aaf2fe0614a597
Instruction Fuzzy Hash: 1171A034608644EFDB269F65C896FBAFBB9EF09300F15406DE945D72A2CB31AC50DB50

Function 003BF41E Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003BF448
_memset.LIBCMT ref: 003BF511
ShellExecuteExW.SHELL32(?), ref: 003BF556

Part of subcall function 00349837: __itow.LIBCMT ref: 00349862
Part of subcall function 00349837: __swprintf.LIBCMT ref: 003498AC

Part of subcall function 0035FC86: _wcscpy.LIBCMT ref: 0035FCA9

GetProcessId.KERNEL32(00000000), ref: 003BF5CD
CloseHandle.KERNEL32(00000000), ref: 003BF5FC

Strings

@, xrefs: 003BF525

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: aa994f7568c81e3dbbf36fb3f9d94091b2b5faaa606d20a4c1f14df0d959929b
Instruction ID: eabca6fe3aa22660c87c79f4a4fb657c08863e4e819a9d31426f7a288a77ea7b
Opcode Fuzzy Hash: aa994f7568c81e3dbbf36fb3f9d94091b2b5faaa606d20a4c1f14df0d959929b
Instruction Fuzzy Hash: EB61BD75A006189FCB16DF68C881AAEBBF5FF49314F11806AE819AF751CB30AD41CB80

Function 003A0F4D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 003A0F8C
GetKeyboardState.USER32(?), ref: 003A0FA1
SetKeyboardState.USER32(?), ref: 003A1002
PostMessageW.USER32(?,00000101,00000010,?), ref: 003A1030
PostMessageW.USER32(?,00000101,00000011,?), ref: 003A104F
PostMessageW.USER32(?,00000101,00000012,?), ref: 003A1095
PostMessageW.USER32(?,00000101,0000005B,?), ref: 003A10B8

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: cf854c31ca6a169bf82c9ee500e14fefd5c0b2bc09a85bf95e5cc8ecc456da37
Instruction ID: 64550a555d20f47cce4f2cc7bb4dbc6e32855bd6c5ffe0b1bd6801de037ffa8f
Opcode Fuzzy Hash: cf854c31ca6a169bf82c9ee500e14fefd5c0b2bc09a85bf95e5cc8ecc456da37
Instruction Fuzzy Hash: 6A51E3A05047D53DFB3782348C19BBABFA99B07304F098589E1D59A8D3C2D9ECD8D751

Function 003A0D66 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 003A0DA5
GetKeyboardState.USER32(?), ref: 003A0DBA
SetKeyboardState.USER32(?), ref: 003A0E1B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 003A0E47
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 003A0E64
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 003A0EA8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 003A0EC9

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 5f7c454ccb05221c6f57e7b836471d9b8ff98b61f65c13fe014e7ed6c0874ac8
Instruction ID: 18ab18860e1ea6baef845cf6cb642b09e5e3c0df9aa2051149fb0e602cd71837
Opcode Fuzzy Hash: 5f7c454ccb05221c6f57e7b836471d9b8ff98b61f65c13fe014e7ed6c0874ac8
Instruction Fuzzy Hash: EB51E4A1544BD53DFB3B87748C55F7ABEA9DB07300F088889E1D49A8C2D395EC98E750

Function 003A55FD Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 003A560A
_wcsncpy.LIBCMT ref: 003A563F
_wcsncpy.LIBCMT ref: 003A5671
_wcsncpy.LIBCMT ref: 003A56A4
_wcsncpy.LIBCMT ref: 003A56E6
_wcsncpy.LIBCMT ref: 003A5720
_wcsncpy.LIBCMT ref: 003A574F

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 92c5e092d48397e7f98f5afac69c0d36716b531c98fe12720ccc2dd58b98494d
Instruction ID: 38bec1c6b5d8ab4f0620b28d571002c2d164baed600709c427645d3353319f57
Opcode Fuzzy Hash: 92c5e092d48397e7f98f5afac69c0d36716b531c98fe12720ccc2dd58b98494d
Instruction Fuzzy Hash: 1941A265C1061876CB13EBF48C869CFB3B8DF06310F50C966E609E7265EB35A245C7AA

Function 0039D56C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0039D5D4
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0039D60A
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0039D61B
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0039D69D

Strings

DllGetClassObject, xrefs: 0039D610
,,=, xrefs: 0039D578

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: ,,=$DllGetClassObject
API String ID: 753597075-4126740902
Opcode ID: 6658a01decbb5eade28b4d0ce0fc86a2ef74728db69a83d48c2064a1b33ba15f
Instruction ID: 9a6761c2772a3f77d1fa871767dc8a4d407a988db77effac4057804441390d0a
Opcode Fuzzy Hash: 6658a01decbb5eade28b4d0ce0fc86a2ef74728db69a83d48c2064a1b33ba15f
Instruction Fuzzy Hash: 394160B2600204EFDF16DF64C885A9ABBB9EF54310F5681A9ED09DF205D7B1DD44CBA0

Function 003A3671 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 003A466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,003A3697,?), ref: 003A468B

Part of subcall function 003A466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,003A3697,?), ref: 003A46A4

lstrcmpiW.KERNEL32(?,?), ref: 003A36B7
_wcscmp.LIBCMT ref: 003A36D3
MoveFileW.KERNEL32(?,?), ref: 003A36EB
_wcscat.LIBCMT ref: 003A3733
SHFileOperationW.SHELL32(?), ref: 003A379F

Strings

\*.*, xrefs: 003A372D

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: 5035849113202a4da89976479bb34354592ea9c287a744217ebedb040c333631
Instruction ID: b8797dd1c8585e70bd020582186319eeca5304427de2fcf101f0769369441f87
Opcode Fuzzy Hash: 5035849113202a4da89976479bb34354592ea9c287a744217ebedb040c333631
Instruction Fuzzy Hash: A4415D71508344AEC757EF64C4819DFB7ECEF8A380F44092EB49AC7261EA35D689C752

Function 003C7291 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003C72AA
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 003C7351
IsMenu.USER32(?), ref: 003C7369
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 003C73B1
DrawMenuBar.USER32 ref: 003C73C4

Strings

0, xrefs: 003C729E

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: c724f626829a3f4cad20ad4132c9fb20299250292259e07e24bc0595a65c03f3
Instruction ID: f02686e6f52cddc0714018bf2c67bc20c09d5d97696330e9ade4d216e1c3161b
Opcode Fuzzy Hash: c724f626829a3f4cad20ad4132c9fb20299250292259e07e24bc0595a65c03f3
Instruction Fuzzy Hash: E0412579A04248AFDB21DF50D884E9ABBF9FB09350F258529FD15EB290D730AD50DF90

Function 003C0FA5 Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 003C0FD4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 003C0FFE
FreeLibrary.KERNEL32(00000000), ref: 003C10B5

Part of subcall function 003C0FA5: RegCloseKey.ADVAPI32(?), ref: 003C101B
Part of subcall function 003C0FA5: FreeLibrary.KERNEL32(?), ref: 003C106D
Part of subcall function 003C0FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 003C1090

RegDeleteKeyW.ADVAPI32(?,?), ref: 003C1058

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: f346392252f6f8a3a3a769714a6a962040bdadc3a3cfbb0fa7947aa8613539f8
Instruction ID: b57682f76aab3b2169a8ce314267065265ca9a75342ad71a851385976df7f538
Opcode Fuzzy Hash: f346392252f6f8a3a3a769714a6a962040bdadc3a3cfbb0fa7947aa8613539f8
Instruction Fuzzy Hash: 62310C71901119BFDB16DB90DC89EFFB7BCEF09300F004169E512E2151EA75AE89ABA0

Function 003C62CD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 003C62EC
GetWindowLongW.USER32(01605808,000000F0), ref: 003C631F
GetWindowLongW.USER32(01605808,000000F0), ref: 003C6354
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 003C6386
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 003C63B0
GetWindowLongW.USER32(00000000,000000F0), ref: 003C63C1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 003C63DB

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 71c3d853eefee305252e9dc9b61cec1b54e99826b4924a48f841180b27f85164
Instruction ID: 834a83bcbd4e6c28b0b769ca64b92cfec298d61bfe5730a54cd21a681af6ac6b
Opcode Fuzzy Hash: 71c3d853eefee305252e9dc9b61cec1b54e99826b4924a48f841180b27f85164
Instruction Fuzzy Hash: E6311139644290AFDB22DF18EC86F5937E5FB4A714F1A41A8F900DF2B2CB71AC509B50

Function 0039DAEB Relevance: 10.6, APIs: 7, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0039DB2E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0039DB54
SysAllocString.OLEAUT32(00000000), ref: 0039DB57
SysAllocString.OLEAUT32(?), ref: 0039DB75
SysFreeString.OLEAUT32(?), ref: 0039DB7E
StringFromGUID2.OLE32(?,?,00000028), ref: 0039DBA3
SysAllocString.OLEAUT32(?), ref: 0039DBB1

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 2c3ee6685de6d8e375636c0d17f917ee4886307a11231fe632d204ec4b07a189
Instruction ID: de2cc6aebe650d9f1841b7d8cb1d1079a99d73e678d015a4a8add84fc02b9800
Opcode Fuzzy Hash: 2c3ee6685de6d8e375636c0d17f917ee4886307a11231fe632d204ec4b07a189
Instruction Fuzzy Hash: 7E21D332600219AFDF11EFB9DC89CBB73ADEB08360B028526F918DB260D674EC418760

Function 003B6173 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 003B7D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 003B7DB6

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 003B61C6
WSAGetLastError.WSOCK32(00000000), ref: 003B61D5
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 003B620E
connect.WSOCK32(00000000,?,00000010), ref: 003B6217
WSAGetLastError.WSOCK32 ref: 003B6221
closesocket.WSOCK32(00000000), ref: 003B624A
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 003B6263

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 0f63d15b122b2d7050993ac5ad595f68fb8c09077c5e37b64a4cd5c251e648e4
Instruction ID: 9f00c9eac411e8bde8e6e907046b8e49f33744f897be218b2c04860e6dca2801
Opcode Fuzzy Hash: 0f63d15b122b2d7050993ac5ad595f68fb8c09077c5e37b64a4cd5c251e648e4
Instruction Fuzzy Hash: 1E31A431600208AFEF12AF24CC86FBE77ADEF45754F054429FA05DB692CB74AC048B61

Function 0039F65E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0039F671
__wcsnicmp.LIBCMT ref: 0039F692
__wcsnicmp.LIBCMT ref: 0039F6AC

Strings

#requireadmin, xrefs: 0039F68C
#OnAutoItStartRegister, xrefs: 0039F6A6
#notrayicon, xrefs: 0039F669

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: 608c99f49de9510a74e715c9e96923447bf4fa57075705e528adb98a23f222a9
Instruction ID: 68450bdf58f6b946a74bd6241e21dd4626de650702a56184147160c3e3eff4d0
Opcode Fuzzy Hash: 608c99f49de9510a74e715c9e96923447bf4fa57075705e528adb98a23f222a9
Instruction Fuzzy Hash: 4F2149722046116EDB23AA34AC03EB773DCDF56390F15843AF845CB191EB61ED41C295

Function 0039DBC4 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0039DC09
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0039DC2F
SysAllocString.OLEAUT32(00000000), ref: 0039DC32
SysAllocString.OLEAUT32 ref: 0039DC53
SysFreeString.OLEAUT32 ref: 0039DC5C
StringFromGUID2.OLE32(?,?,00000028), ref: 0039DC76
SysAllocString.OLEAUT32(?), ref: 0039DC84

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: ad8acc61906b0e8cd9a5c6e8a0c5af536bdeb596aa80b92f301ed4e4317678e1
Instruction ID: d7dd417132eb4917b569416991c0f78fcbe29850b3526511e6362fc5c52d2c59
Opcode Fuzzy Hash: ad8acc61906b0e8cd9a5c6e8a0c5af536bdeb596aa80b92f301ed4e4317678e1
Instruction Fuzzy Hash: 12218335604204BF9F15EFA9DC89DAB77EDEB08360B118125F915CB260DAB0EC41CB64

Function 003C75CD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00341D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00341D73
Part of subcall function 00341D35: GetStockObject.GDI32(00000011), ref: 00341D87
Part of subcall function 00341D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00341D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 003C7632
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 003C763F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 003C764A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 003C7659
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 003C7665

Strings

Msctls_Progress32, xrefs: 003C7603

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 3ee37def9a711f11e0dca229b8fb449013bf33dcae3ebea90ffeecd716896092
Instruction ID: 194aca5528048c633491e0b1bd696eebc99a0efcf942370ddd1123b70135d53b
Opcode Fuzzy Hash: 3ee37def9a711f11e0dca229b8fb449013bf33dcae3ebea90ffeecd716896092
Instruction Fuzzy Hash: 0C1186B215011DBFEF159F64CC85EE77F5DEF08798F114115BA44A6050C672AC21DBA4

Function 00369AE6 Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 00369AE6

Part of subcall function 00363187: EncodePointer.KERNEL32(00000000), ref: 0036318A
Part of subcall function 00363187: __initp_misc_winsig.LIBCMT ref: 003631A5
Part of subcall function 00363187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00369EA0
Part of subcall function 00363187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00369EB4
Part of subcall function 00363187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00369EC7
Part of subcall function 00363187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00369EDA
Part of subcall function 00363187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00369EED
Part of subcall function 00363187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00369F00
Part of subcall function 00363187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00369F13
Part of subcall function 00363187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00369F26
Part of subcall function 00363187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00369F39
Part of subcall function 00363187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00369F4C
Part of subcall function 00363187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00369F5F
Part of subcall function 00363187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00369F72
Part of subcall function 00363187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00369F85
Part of subcall function 00363187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00369F98
Part of subcall function 00363187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00369FAB
Part of subcall function 00363187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00369FBE

__mtinitlocks.LIBCMT ref: 00369AEB
__mtterm.LIBCMT ref: 00369AF4

Part of subcall function 00369B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00369AF9,00367CD0,003FA0B8,00000014), ref: 00369C56
Part of subcall function 00369B5C: _free.LIBCMT ref: 00369C5D
Part of subcall function 00369B5C: DeleteCriticalSection.KERNEL32(02@,?,?,00369AF9,00367CD0,003FA0B8,00000014), ref: 00369C7F

__calloc_crt.LIBCMT ref: 00369B19
__initptd.LIBCMT ref: 00369B3B
GetCurrentThreadId.KERNEL32 ref: 00369B42

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: b1c03f55a597296bb4a153a9caa6c20ea7389d55f19e7512783c3388f5bca958
Instruction ID: 151dd6f3b79746348cfb8b0a1e52b23807c6815a05d321c9b3726d15bdc18197
Opcode Fuzzy Hash: b1c03f55a597296bb4a153a9caa6c20ea7389d55f19e7512783c3388f5bca958
Instruction Fuzzy Hash: F0F0623250971159EA277B74BC0375A269DDF02734F21C62BF450CA0DAEF7094414160

Function 003CB635 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003CB644
_memset.LIBCMT ref: 003CB653
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00406F20,00406F64), ref: 003CB682
CloseHandle.KERNEL32 ref: 003CB694

Strings

o@, xrefs: 003CB63E
do@, xrefs: 003CB64D

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID: o@$do@
API String ID: 3277943733-129461833
Opcode ID: fde221d828e6c92d3a7aca4eb7efbe09f05a6c650b1cea1cc2ff2dd27acc3380
Instruction ID: 58a3d92cd6c2a13b1f5d2fc31f7b4d4533f24bee871a2eb62a7280cd69608c1f
Opcode Fuzzy Hash: fde221d828e6c92d3a7aca4eb7efbe09f05a6c650b1cea1cc2ff2dd27acc3380
Instruction Fuzzy Hash: C7F0FEB25403067EE2117765BC06FBB7A9DEB09795F028031BA0AF9196DB765C2087AC

Function 0036406B Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00363F85), ref: 00364085
GetProcAddress.KERNEL32(00000000), ref: 0036408C
EncodePointer.KERNEL32(00000000), ref: 00364097
DecodePointer.KERNEL32(00363F85), ref: 003640B2

Strings

RoUninitialize, xrefs: 00364074
combase.dll, xrefs: 00364080

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 4775ddb550a28a425729351f3a9145c9eda64578ba87a1e632f40e390fa2a173
Instruction ID: 24402bb8bfb72211142273a4164d60ed17a2848369e37926acaebacdcafcc74e
Opcode Fuzzy Hash: 4775ddb550a28a425729351f3a9145c9eda64578ba87a1e632f40e390fa2a173
Instruction Fuzzy Hash: A0E09274981200AFEB12AF61EE09B467AAEB718743F154435F111E91A0CFB656048B18

Function 003A64B8 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 003A660B
_memmove.LIBCMT ref: 003A6546

Part of subcall function 00349837: __itow.LIBCMT ref: 00349862
Part of subcall function 00349837: __swprintf.LIBCMT ref: 003498AC

_memmove.LIBCMT ref: 003A65B9
_memmove.LIBCMT ref: 003A66A0
_memmove.LIBCMT ref: 003A66B9
_memmove.LIBCMT ref: 003A66D5

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 76b414fce70ed4315a476acb9bc9480d4d23d6fdfacab3245a9398dc4472c5c6
Instruction ID: 8ff70186d5936da298381f278c7f5b673d80cd7ead626fe7162adae50148c43e
Opcode Fuzzy Hash: 76b414fce70ed4315a476acb9bc9480d4d23d6fdfacab3245a9398dc4472c5c6
Instruction Fuzzy Hash: F061793090065A9BCF17EF64CC82ABF37A9EF4A308F094919F8595F1A2DB35E915CB50

Function 003C01E4 Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00347DE1: _memmove.LIBCMT ref: 00347E22

Part of subcall function 003C0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,003BFDAD,?,?), ref: 003C0E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 003C02BD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 003C02FD
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 003C0320
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 003C0349
RegCloseKey.ADVAPI32(?,?,00000000), ref: 003C038C
RegCloseKey.ADVAPI32(00000000), ref: 003C0399

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: 253528392d0ef4209490b9193ba461bf51a25ddac8a2be45f2afa6792f9e1e88
Instruction ID: 4c3a56406c8ffe4e0ce27c650e117ecd3d10fe43908f8773367e59fa040e47c7
Opcode Fuzzy Hash: 253528392d0ef4209490b9193ba461bf51a25ddac8a2be45f2afa6792f9e1e88
Instruction Fuzzy Hash: A6513731208240AFC716EF64C885E6FBBE9FF89714F04491DF5958B2A2DB31E905CB52

Function 003C5799 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 003C57FB
GetMenuItemCount.USER32(00000000), ref: 003C5832
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 003C585A
GetMenuItemID.USER32(?,?), ref: 003C58C9
GetSubMenu.USER32(?,?), ref: 003C58D7
PostMessageW.USER32(?,00000111,?,00000000), ref: 003C5928

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 9ad1ff3bd25067f0c990030bfd1ab78df9597078a9f1546b98098ca4a8fe1f76
Instruction ID: 162d588baeb01828b7600537bc19a63ebe098b80ec58203b7a4d34aae1376ee8
Opcode Fuzzy Hash: 9ad1ff3bd25067f0c990030bfd1ab78df9597078a9f1546b98098ca4a8fe1f76
Instruction Fuzzy Hash: 58515B31E00A15AFCF16EF64C845EAEB7B5EF48320F114069E806EB351CB75BE818B90

Function 0039EEEC Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0039EF06
VariantClear.OLEAUT32(00000013), ref: 0039EF78
VariantClear.OLEAUT32(00000000), ref: 0039EFD3
_memmove.LIBCMT ref: 0039EFFD
VariantClear.OLEAUT32(?), ref: 0039F04A
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0039F078

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 5756f13310bccf14ddb384477d76ef14b0ac6f08f4553369dec0bbf9a5a166bc
Instruction ID: 7a35f5d995c0ac27335a7a58ed45bc80bc81253bbedcc89bbeeded9ccebec2da
Opcode Fuzzy Hash: 5756f13310bccf14ddb384477d76ef14b0ac6f08f4553369dec0bbf9a5a166bc
Instruction Fuzzy Hash: 465168B5A00209EFCB15DF58C880AAAB7B9FF4C314F15856AE959DB301E735E911CBA0

Function 003A220A Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003A2258
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 003A22A3
IsMenu.USER32(00000000), ref: 003A22C3
CreatePopupMenu.USER32 ref: 003A22F7
GetMenuItemCount.USER32(000000FF), ref: 003A2355
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 003A2386

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 45cb421193cdce6d9c1f55aa1add518e93c70bd4e16d2736529b73e1cfc21bd9
Instruction ID: 7430671c24e8b5ed4fcdad0280fbafc6394564f600de0aaf701ccfd623c790b0
Opcode Fuzzy Hash: 45cb421193cdce6d9c1f55aa1add518e93c70bd4e16d2736529b73e1cfc21bd9
Instruction Fuzzy Hash: FC51983460020AEFDF26CF68C888BAEBBF9EF47314F154229E851AB2D0D7759904CB51

Function 00341765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00342612: GetWindowLongW.USER32(?,000000EB), ref: 00342623

BeginPaint.USER32(?,?,?,?,?,?), ref: 0034179A
GetWindowRect.USER32(?,?), ref: 003417FE
ScreenToClient.USER32(?,?), ref: 0034181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0034182C
EndPaint.USER32(?,?), ref: 00341876

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 0108e5aeb9e0c21d04e1b79d729c54d245060166f70a1b1179051d267ba3c555
Instruction ID: bb344da1bb468e1da3465bca1ce24902c3e2791dbb219fc9d884eaf13d898f7d
Opcode Fuzzy Hash: 0108e5aeb9e0c21d04e1b79d729c54d245060166f70a1b1179051d267ba3c555
Instruction Fuzzy Hash: EF418F31104A04AFD712DF25C884FAB7BE9EB49724F144669F998DB1A1C730A885DB62

Function 003CB69E Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(004057B0,00000000,01605808,?,?,004057B0,?,003CB5A8,?,?), ref: 003CB712
EnableWindow.USER32(00000000,00000000), ref: 003CB736
ShowWindow.USER32(004057B0,00000000,01605808,?,?,004057B0,?,003CB5A8,?,?), ref: 003CB796
ShowWindow.USER32(00000000,00000004,?,003CB5A8,?,?), ref: 003CB7A8
EnableWindow.USER32(00000000,00000001), ref: 003CB7CC
SendMessageW.USER32(?,0000130C,?,00000000), ref: 003CB7EF

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 506ce6000701c89baed31d73fc50a075f4a7c9191ae55d615e526f7d2c25c8aa
Instruction ID: 50835289e1f23436f68cbe1947e45ed6abf2346f6ec270d4f892dd930ad6c5d0
Opcode Fuzzy Hash: 506ce6000701c89baed31d73fc50a075f4a7c9191ae55d615e526f7d2c25c8aa
Instruction Fuzzy Hash: BD412834600240AFDB26DF24C49AF94BBA1FF45350F1981A9ED48CF6A2C731AC56CB61

Function 003B709E Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,003B4E41,?,?,00000000,00000001), ref: 003B70AC

Part of subcall function 003B39A0: GetWindowRect.USER32(?,?), ref: 003B39B3

GetDesktopWindow.USER32 ref: 003B70D6
GetWindowRect.USER32(00000000), ref: 003B70DD
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 003B710F

Part of subcall function 003A5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 003A52BC

GetCursorPos.USER32(?), ref: 003B713B
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 003B7199

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: debbdde7eb32d9fae3202d72b51172fd962f3caf6126dccfda8cf355742e85ea
Instruction ID: f9b1bc79556e3ad5a63cb950e107a851b169f88f747c8368c6d7cdc51d6481f5
Opcode Fuzzy Hash: debbdde7eb32d9fae3202d72b51172fd962f3caf6126dccfda8cf355742e85ea
Instruction Fuzzy Hash: B531A172509305AFD721DF14C849F9BB7AAFBC9314F000919F68597191CB70EA09CBA2

Function 00398879 Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 003980A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 003980C0
Part of subcall function 003980A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 003980CA
Part of subcall function 003980A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 003980D9
Part of subcall function 003980A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 003980E0
Part of subcall function 003980A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 003980F6

GetLengthSid.ADVAPI32(?,00000000,0039842F), ref: 003988CA
GetProcessHeap.KERNEL32(00000008,00000000), ref: 003988D6
HeapAlloc.KERNEL32(00000000), ref: 003988DD
CopySid.ADVAPI32(00000000,00000000,?), ref: 003988F6
GetProcessHeap.KERNEL32(00000000,00000000,0039842F), ref: 0039890A
HeapFree.KERNEL32(00000000), ref: 00398911

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 130a8610648f42ce9a49214d4b9cce840f9edf5e0aefbdd3725ec6f09c6e49c5
Instruction ID: 8661dee3f94b4e7f2f1da579d4a9683f4f8ab6f69b079e0dbb9bd07fc6d6eacd
Opcode Fuzzy Hash: 130a8610648f42ce9a49214d4b9cce840f9edf5e0aefbdd3725ec6f09c6e49c5
Instruction Fuzzy Hash: F5117F71511609FFDF129FA4DC09FBE7BADEB86315F154029E845D7210CB32A944DB60

Function 003985B1 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 003985E2
OpenProcessToken.ADVAPI32(00000000), ref: 003985E9
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 003985F8
CloseHandle.KERNEL32(00000004), ref: 00398603
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00398632
DestroyEnvironmentBlock.USERENV(00000000), ref: 00398646

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: daa14c661247b0ecb7483cb44c2cccf0d1a1e0ccd646cc3cd5fd3dc38793d764
Instruction ID: 8683c495b74c872aa4341a01941fdb0bec93e2e37d3567226fe91898d1af2644
Opcode Fuzzy Hash: daa14c661247b0ecb7483cb44c2cccf0d1a1e0ccd646cc3cd5fd3dc38793d764
Instruction Fuzzy Hash: 881147B2500249AFDF029FA4DD49FEA7BADEB49344F054065FE05A2160C6729D64EB60

Function 0039B790 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0039B7B5
GetDeviceCaps.GDI32(00000000,00000058), ref: 0039B7C6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0039B7CD
ReleaseDC.USER32(00000000,00000000), ref: 0039B7D5
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0039B7EC
MulDiv.KERNEL32(000009EC,?,?), ref: 0039B7FE

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 4bd69b129ea2b368b9699c00ee7320426be47bd8b84b68608f68d53688da4a46
Instruction ID: 267cf66d62a28af620f77d2b63760bd111dbfa897bcccb69a5dd0b8e5c6b1a60
Opcode Fuzzy Hash: 4bd69b129ea2b368b9699c00ee7320426be47bd8b84b68608f68d53688da4a46
Instruction Fuzzy Hash: 68017175A00219BFEF119BE69D45E5EBFADEF48711F004065FA04E7291D631AC10CF90

Function 00360162 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00360193
MapVirtualKeyW.USER32(00000010,00000000), ref: 0036019B
MapVirtualKeyW.USER32(000000A0,00000000), ref: 003601A6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 003601B1
MapVirtualKeyW.USER32(00000011,00000000), ref: 003601B9
MapVirtualKeyW.USER32(00000012,00000000), ref: 003601C1

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 36b21cb38d18cfcdb9ba8da48c04f66594a0e8074fa55569bd02ce2e8fdf2828
Instruction ID: 6d8291223c248a1e40a0e8ccb5bc3aebd7abba42d72e2ef283b63d481a51eb77
Opcode Fuzzy Hash: 36b21cb38d18cfcdb9ba8da48c04f66594a0e8074fa55569bd02ce2e8fdf2828
Instruction Fuzzy Hash: E3016CB09017597DE3008F5A8C85B52FFA8FF19354F00411BA15C87941C7F5A864CBE5

Function 003A53E9 Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 003A53F9
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 003A540F
GetWindowThreadProcessId.USER32(?,?), ref: 003A541E
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 003A542D
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 003A5437
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 003A543E

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 9d149093bf145d8b7bba84d53f60a666f140736e3c78ec1369470fc798dd56f1
Instruction ID: 3ab8c71ac920b7e17b54dfd0832011a50286e04ab5f6848cfd2d161847f9abc6
Opcode Fuzzy Hash: 9d149093bf145d8b7bba84d53f60a666f140736e3c78ec1369470fc798dd56f1
Instruction Fuzzy Hash: 4EF03032241558BFE7225BA2DC0EEEF7B7DEFCAB11F040169FA05D1051D7A12A1187B5

Function 003A7230 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 003A7243
EnterCriticalSection.KERNEL32(?,?,00350EE4,?,?), ref: 003A7254
TerminateThread.KERNEL32(00000000,000001F6,?,00350EE4,?,?), ref: 003A7261
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00350EE4,?,?), ref: 003A726E

Part of subcall function 003A6C35: CloseHandle.KERNEL32(00000000,?,003A727B,?,00350EE4,?,?), ref: 003A6C3F

InterlockedExchange.KERNEL32(?,000001F6), ref: 003A7281
LeaveCriticalSection.KERNEL32(?,?,00350EE4,?,?), ref: 003A7288

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 11b71ad913164b06b22495bab7836c5dfe75dcf7182f101acb3e2503e37234bf
Instruction ID: 14b4ddf1fade90ce303a5de8a90e7adf1b6a1686d65e0e562a5dc9ed05add198
Opcode Fuzzy Hash: 11b71ad913164b06b22495bab7836c5dfe75dcf7182f101acb3e2503e37234bf
Instruction Fuzzy Hash: C1F03A3A540612AFE7131B64ED8CEDA773EEF45712F150932F602D50A0CB766801CB50

Function 00398992 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0039899D
UnloadUserProfile.USERENV(?,?), ref: 003989A9
CloseHandle.KERNEL32(?), ref: 003989B2
CloseHandle.KERNEL32(?), ref: 003989BA
GetProcessHeap.KERNEL32(00000000,?), ref: 003989C3
HeapFree.KERNEL32(00000000), ref: 003989CA

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 3bf8de92c5b4ece72babe45ba2712b70bba24c8275e1a0b29f6fdfed18b5e38f
Instruction ID: 2b54b5f2ea5485ab74f8bfab3cac73a19d546e8d02d729d5aecd0aec00f3796d
Opcode Fuzzy Hash: 3bf8de92c5b4ece72babe45ba2712b70bba24c8275e1a0b29f6fdfed18b5e38f
Instruction Fuzzy Hash: D5E05276104505FFDA022FE6EC0CD5ABB6EFB89762B548632F219C1470CB32A461DB50

Function 00397530 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,003D2C7C,?), ref: 003976EA
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,003D2C7C,?), ref: 00397702
CLSIDFromProgID.OLE32(?,?,00000000,003CFB80,000000FF,?,00000000,00000800,00000000,?,003D2C7C,?), ref: 00397727
_memcmp.LIBCMT ref: 00397748

Strings

,,=, xrefs: 0039753D

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID: ,,=
API String ID: 314563124-2941206825
Opcode ID: 15d5c619430c0e9eb80e5a0d9a7deae6c5c663ec617f47d3041ab09ce90d47d8
Instruction ID: 2f8199459b4b68227ff3cd27c7b874f22e1ead26db16a9615d44dbf56e00dffe
Opcode Fuzzy Hash: 15d5c619430c0e9eb80e5a0d9a7deae6c5c663ec617f47d3041ab09ce90d47d8
Instruction Fuzzy Hash: E281E975A10109EFCF05DFA4C984EEEB7B9FF89315F204558E506AB290DB71AE06CB60

Function 003B85ED Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 003B8613
CharUpperBuffW.USER32(?,?), ref: 003B8722
VariantClear.OLEAUT32(?), ref: 003B889A

Part of subcall function 003A7562: VariantInit.OLEAUT32(00000000), ref: 003A75A2
Part of subcall function 003A7562: VariantCopy.OLEAUT32(00000000,?), ref: 003A75AB
Part of subcall function 003A7562: VariantClear.OLEAUT32(00000000), ref: 003A75B7

Strings

Incorrect Parameter format, xrefs: 003B864B, 003B880D
AUTOIT.ERROR, xrefs: 003B8728

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: bbd975554a4eff8f4481b59a14010a453bb410a5f7ebe5f1ef07e28f2bde630f
Instruction ID: 6eb84028c5ff028bc848a9c39d60ca1fd1d73924676f1c0d67cc92e38e569ca5
Opcode Fuzzy Hash: bbd975554a4eff8f4481b59a14010a453bb410a5f7ebe5f1ef07e28f2bde630f
Instruction Fuzzy Hash: F9918E716043019FC711DF24C48599BBBE8EF89718F14896EF98ACB761DB31E905CB51

Function 003A2A96 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0035FC86: _wcscpy.LIBCMT ref: 0035FCA9

_memset.LIBCMT ref: 003A2B87
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 003A2BB6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 003A2C69
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 003A2C97

Strings

0, xrefs: 003A2B73

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: ed2501f65427b9d7eb44cd8310e0a54a49d65e6d75dac1f9438bd9368738f3ff
Instruction ID: 1f12dd542b580d265f00246200647d187b8ae9bcf1c4959ac2f0f65da508e850
Opcode Fuzzy Hash: ed2501f65427b9d7eb44cd8310e0a54a49d65e6d75dac1f9438bd9368738f3ff
Instruction Fuzzy Hash: 7051AC716083009FD72A9F2CC845A6FB7E8EF8A320F054A2DF895D7190DB74DD048B66

Function 00353137 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 161COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00353277
_memmove.LIBCMT ref: 00353310
_free.LIBCMT ref: 00353336
_memmove.LIBCMT ref: 003533E9

Strings

3c5, xrefs: 00353225
_5, xrefs: 00353322

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: _memmove$_free
String ID: 3c5$_5
API String ID: 2620147621-2150917133
Opcode ID: 5fda7ed535bef3a005af45b2b34e6c6cb5aa2505c5ec4d2feae671778797569d
Instruction ID: 56dc598cdc5da04ad3bf41a39b25cc4127b1666ec98dc8f7ba22f480954d4200
Opcode Fuzzy Hash: 5fda7ed535bef3a005af45b2b34e6c6cb5aa2505c5ec4d2feae671778797569d
Instruction Fuzzy Hash: 07517CB16087418FDB26CF29C481B6FBBE5BF85350F05892DE98987360D731E905CB82

Function 00356192 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00356248
_memmove.LIBCMT ref: 003562E4
_memset.LIBCMT ref: 00356308

Strings

3c5, xrefs: 003562AF
ERCP, xrefs: 003561B3

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: _memset$_memmove
String ID: 3c5$ERCP
API String ID: 2532777613-3339050422
Opcode ID: e7f46a3af0dc2dc31307e62e91cd710004bb4f924dda2b3e6f6630a104780c48
Instruction ID: 2a14e85183f511e7b8678312a8d59c28694fe9097911bbd7a3acfe8be7bffb19
Opcode Fuzzy Hash: e7f46a3af0dc2dc31307e62e91cd710004bb4f924dda2b3e6f6630a104780c48
Instruction Fuzzy Hash: 7A51A471900709DFDB26CF55C982BAAB7F8EF44315F61896EE94ACB260E770E944CB40

Function 003A2753 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003A27C0
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 003A27DC
DeleteMenu.USER32(?,00000007,00000000), ref: 003A2822
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00405890,00000000), ref: 003A286B

Strings

0, xrefs: 003A27B5

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: f160113c850f5928b07de30967e08ad1dd7551c73170c52fc3ce47035c8b11f6
Instruction ID: 7b22dde29d72cf66eed6d8e46641c0f85c262d2adbffedcde6e8cf6f783dbc96
Opcode Fuzzy Hash: f160113c850f5928b07de30967e08ad1dd7551c73170c52fc3ce47035c8b11f6
Instruction Fuzzy Hash: A241AE702043019FDB22DF29C844F1BBBE8EF86314F05492DF9A59B291DB34E905CB52

Function 003BD7A5 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 003BD7C5

Part of subcall function 0034784B: _memmove.LIBCMT ref: 00347899

Strings

winapi, xrefs: 003BD836
cdecl, xrefs: 003BD81C
none, xrefs: 003BD8A0
stdcall, xrefs: 003BD847

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: 377f57c627c5103079115c3b5d075b35cd524d6ec01a5d107930107dc968dfba
Instruction ID: cd7e0d907dbb8505f1620c81506c4708d8e696ecd626028f6e33610189a6cbfe
Opcode Fuzzy Hash: 377f57c627c5103079115c3b5d075b35cd524d6ec01a5d107930107dc968dfba
Instruction Fuzzy Hash: 7F31B071904619AFCF06EF54CC519FEB3B5FF04324B10862AE965DBAD1EB31A905CB80

Function 00398E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00347DE1: _memmove.LIBCMT ref: 00347E22

Part of subcall function 0039AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0039AABC

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00398F14
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00398F27
SendMessageW.USER32(?,00000189,?,00000000), ref: 00398F57

Part of subcall function 00347BCC: _memmove.LIBCMT ref: 00347C06

Strings

ComboBox, xrefs: 00398E9E
ListBox, xrefs: 00398ED3

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: 0a74cc2618a65320fa086e911a2e3bd60427a5b1d2da1cda1d0f05a061c967a7
Instruction ID: 2071cddba539fac6d94faab47d53f16dedd2bc0111a07d1b75118ca5f0b37c58
Opcode Fuzzy Hash: 0a74cc2618a65320fa086e911a2e3bd60427a5b1d2da1cda1d0f05a061c967a7
Instruction Fuzzy Hash: A821F272A04104BFDF16ABA0DC46DFFB7A9DF46360F004519F4229B2E1DB3958099610

Function 003B182D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 003B184C
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 003B1872
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 003B18A2
InternetCloseHandle.WININET(00000000), ref: 003B18E9

Part of subcall function 003B2483: GetLastError.KERNEL32(?,?,003B1817,00000000,00000000,00000001), ref: 003B2498
Part of subcall function 003B2483: SetEvent.KERNEL32(?,?,003B1817,00000000,00000000,00000001), ref: 003B24AD

Strings

, xrefs: 003B1893

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 5cdf462af932d0ed1c201d721a592effc2c10669b3772e0fb176024175f35877
Instruction ID: 8bc697013161d6097a4e1d6d95a4cd22beb52239d4ec898395236e18fbb500e3
Opcode Fuzzy Hash: 5cdf462af932d0ed1c201d721a592effc2c10669b3772e0fb176024175f35877
Instruction Fuzzy Hash: 4E2180B2500208BFEB129F65DC95EFB77EDFB48748F10412AFA05E6940DB219E0557A1

Function 003C63E7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00341D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00341D73
Part of subcall function 00341D35: GetStockObject.GDI32(00000011), ref: 00341D87
Part of subcall function 00341D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00341D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 003C6461
LoadLibraryW.KERNEL32(?), ref: 003C6468
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 003C647D
DestroyWindow.USER32(?), ref: 003C6485

Strings

SysAnimate32, xrefs: 003C643C

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 31cecca665f09aa99ee9c4e8f7f493d10d86e98a1dbf8744027d24f42821afd8
Instruction ID: 9574cffaf37bb988e6d7db5d0b4a0654b50d64bf065f4cb954715e9138d74d33
Opcode Fuzzy Hash: 31cecca665f09aa99ee9c4e8f7f493d10d86e98a1dbf8744027d24f42821afd8
Instruction Fuzzy Hash: 48217972200205AFEF168F65DC82FBA37ADEF59328F114629FA10D61A0D631AC51A760

Function 003A6D9C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 003A6DBC
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 003A6DEF
GetStdHandle.KERNEL32(0000000C), ref: 003A6E01
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 003A6E3B

Strings

nul, xrefs: 003A6E36

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: fcce2bb171d9fff67ed5f250f0286547538daaf14a46b000d23cf1ae71c92ef3
Instruction ID: b316f55a41ea991063d5a38d040f5c3aaa33687f0e1cc9128331e005232363d8
Opcode Fuzzy Hash: fcce2bb171d9fff67ed5f250f0286547538daaf14a46b000d23cf1ae71c92ef3
Instruction Fuzzy Hash: B5219274600209EFDB229F39DC06E9AB7F8EF46760F244A19FDA1D72D0D77099508B50

Function 003A6E6A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 003A6E89
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 003A6EBB
GetStdHandle.KERNEL32(000000F6), ref: 003A6ECC
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 003A6F06

Strings

nul, xrefs: 003A6F01

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 5b7b46a912329500d73b10850eb926dd3eab1f6dc9c9aa662d03a55be030e5dd
Instruction ID: 9c3f8da36a0073aaa088bb4a1a4217de8ea173968173c1476acc0143205b5223
Opcode Fuzzy Hash: 5b7b46a912329500d73b10850eb926dd3eab1f6dc9c9aa662d03a55be030e5dd
Instruction Fuzzy Hash: A821A479500305AFDB229F69DD06E9AB7A8EF46730F280A19FDE0D72D0D770A850C750

Function 003AAC40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 003AAC54
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 003AACA8
__swprintf.LIBCMT ref: 003AACC1
SetErrorMode.KERNEL32(00000000,00000001,00000000,003CF910), ref: 003AACFF

Strings

%lu, xrefs: 003AACBB

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: d1eec44d99acd6ed73c4e4531df720adf28f39a8952c1a7304985605ce9fa7a1
Instruction ID: 162aa7e96f0debec0eabcb79561e3378122a9896b02fd65a61414e3febb56250
Opcode Fuzzy Hash: d1eec44d99acd6ed73c4e4531df720adf28f39a8952c1a7304985605ce9fa7a1
Instruction Fuzzy Hash: 25214135A00109AFCB11DF65C945EEFBBB8EF49714B004469F909DF252DB31EA41DB61

Function 003A1142 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0039FCED,?,003A0D40,?,00008000), ref: 003A115F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,0039FCED,?,003A0D40,?,00008000), ref: 003A1184
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0039FCED,?,003A0D40,?,00008000), ref: 003A118E
Sleep.KERNEL32(?,?,?,?,?,?,?,0039FCED,?,003A0D40,?,00008000), ref: 003A11C1

Strings

@:, xrefs: 003A119D

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID: @:
API String ID: 2875609808-4235850541
Opcode ID: 5d40fa137e91f4376e7ff9590863a7f710b54b9a7ed321da96f466982c3eed2f
Instruction ID: bdecc42890626f5b9540278b55fdb693c303f80ff36d5e0591980b51e0cd81eb
Opcode Fuzzy Hash: 5d40fa137e91f4376e7ff9590863a7f710b54b9a7ed321da96f466982c3eed2f
Instruction Fuzzy Hash: 1B113C35D0051DDBCF029FA5D849AEEBBBCFF0A711F054056EA81B6240CB70A550CB95

Function 003A1AE8 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 003A1B19

Strings

REMOVE, xrefs: 003A1B1F
EXISTS, xrefs: 003A1B41
APPEND, xrefs: 003A1B52
KEYS, xrefs: 003A1B30

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: 74efa7a6ca4d179e7e712f6d85371edfb40118cb34b8a05bc6636aead18ddd8c
Instruction ID: 487affc8532d210c6f7d49586e62e1d258df26b9f12334ee6fa775262d0a9d6b
Opcode Fuzzy Hash: 74efa7a6ca4d179e7e712f6d85371edfb40118cb34b8a05bc6636aead18ddd8c
Instruction Fuzzy Hash: C31161759101088FCF06EF94D8528FEB7B5FF26304F108465D864AB6A2EB326D06DB50

Function 003BEB55 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 003BEC07
GetProcessIoCounters.KERNEL32(00000000,?), ref: 003BEC37
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 003BED6A
CloseHandle.KERNEL32(?), ref: 003BEDEB

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 42a21c7079fb16ad2d0dc5745126f589c56840367f2a27f2678289a7f8175731
Instruction ID: 254f07207cb2eb17df0dc32f1f8ac16fd5404933470b178df083d2578e37327b
Opcode Fuzzy Hash: 42a21c7079fb16ad2d0dc5745126f589c56840367f2a27f2678289a7f8175731
Instruction Fuzzy Hash: A48161716043009FD762EF28C886F6AB7E5AF48714F04881DF999DF692D7B1AC40CB91

Function 003C0037 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00347DE1: _memmove.LIBCMT ref: 00347E22

Part of subcall function 003C0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,003BFDAD,?,?), ref: 003C0E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 003C00FD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 003C013C
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 003C0183
RegCloseKey.ADVAPI32(?,?), ref: 003C01AF
RegCloseKey.ADVAPI32(00000000), ref: 003C01BC

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 6748ebc177dcac7acc0384a85ec566d7e2c2f21dd7b6c375da1cc424aa669f2b
Instruction ID: 26d0f9b68890bea5070d157b8fdd494f7506204a45866bce7e6387865ee0bec4
Opcode Fuzzy Hash: 6748ebc177dcac7acc0384a85ec566d7e2c2f21dd7b6c375da1cc424aa669f2b
Instruction Fuzzy Hash: 0F512871208244AFD716EF58C881F6AB7E9AF84714F44892DF5958B2A2DB31ED04CB52

Function 003BD8C8 Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00349837: __itow.LIBCMT ref: 00349862
Part of subcall function 00349837: __swprintf.LIBCMT ref: 003498AC

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 003BD927
GetProcAddress.KERNEL32(00000000,?), ref: 003BD9AA
GetProcAddress.KERNEL32(00000000,00000000), ref: 003BD9C6
GetProcAddress.KERNEL32(00000000,?), ref: 003BDA07
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 003BDA21

Part of subcall function 00345A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,003A7896,?,?,00000000), ref: 00345A2C
Part of subcall function 00345A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,003A7896,?,?,00000000,?,?), ref: 00345A50

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 162da61e8dbf40651d3f4804d262f1ed16f937ec514fb315b6de08fc170b69e1
Instruction ID: 9d05be4531f74492fbf7d3bb312983bdcd9254ec9c824b27ef81647a3e3452ae
Opcode Fuzzy Hash: 162da61e8dbf40651d3f4804d262f1ed16f937ec514fb315b6de08fc170b69e1
Instruction Fuzzy Hash: 43510635A00209DFCB02EFA8C4849ADB7F9FF09324B158165E959AB712E731AE45CF91

Function 003AE571 Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 003AE61F
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 003AE648
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 003AE687

Part of subcall function 00349837: __itow.LIBCMT ref: 00349862
Part of subcall function 00349837: __swprintf.LIBCMT ref: 003498AC

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 003AE6AC
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 003AE6B4

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: ec944c4702fd375ca572bf47d7e5167d83fef170c431b23d6d5b6a4cb479c45b
Instruction ID: 963834206c37697a3abe01c3b333e37354bceb65df6b5a4e0faba485e5807499
Opcode Fuzzy Hash: ec944c4702fd375ca572bf47d7e5167d83fef170c431b23d6d5b6a4cb479c45b
Instruction Fuzzy Hash: 5251E935A00205DFCB16EF64C985AAEBBF5EF49314F1484A9E819AF362CB31ED11DB50

Function 003CA056 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f54fa6b466295744a11560565aabc86ab721187a08e79ec82a6272e215e70c2b
Instruction ID: 2d15fcdb67f0899445780538afdfb3c9ad7da964c2459625706d990d30927067
Opcode Fuzzy Hash: f54fa6b466295744a11560565aabc86ab721187a08e79ec82a6272e215e70c2b
Instruction Fuzzy Hash: 1C412B3590491CAFD712DF34CC48FA9BBA9EB09354F1A4169F916E72E0CB30AD41DB51

Function 00342344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00342357
ScreenToClient.USER32(004057B0,?), ref: 00342374
GetAsyncKeyState.USER32(00000001), ref: 00342399
GetAsyncKeyState.USER32(00000002), ref: 003423A7

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 843e141c87c986bcfb8a5d02c30484089b90eb374ae77894d82c6e5654f4abdd
Instruction ID: 5594e0a09d68c5e2775e65d64bca1ab41a33b7e3f07fa87682e43affb14a5620
Opcode Fuzzy Hash: 843e141c87c986bcfb8a5d02c30484089b90eb374ae77894d82c6e5654f4abdd
Instruction Fuzzy Hash: F5415339604119FFDF269F68C844BEABBB5FB05360F50435AF829AA190C734AD90DF91

Function 003963AA Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 003963E7
TranslateAcceleratorW.USER32(?,?,?), ref: 00396433
TranslateMessage.USER32(?), ref: 0039645C
DispatchMessageW.USER32(?), ref: 00396466
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00396475

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: 3cd9800362e2103502aecf467b49524db2178ab00db565447d3ac55ba0874f3e
Instruction ID: 4f3a5cf0ff737c61717842a8d09321f3b057436a63a8f742dbd5095e2103e396
Opcode Fuzzy Hash: 3cd9800362e2103502aecf467b49524db2178ab00db565447d3ac55ba0874f3e
Instruction Fuzzy Hash: 5E31E231A02602AFDF269FB1CD86FB77BACEB01300F114179E821D71A1E735A885DB60

Function 00398A1F Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00398A30
PostMessageW.USER32(?,00000201,00000001), ref: 00398ADA
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00398AE2
PostMessageW.USER32(?,00000202,00000000), ref: 00398AF0
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00398AF8

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: b3b4c9a8baf76d25d08d469182736da4854758c5db0ecfb3be19ca2de82e8c4e
Instruction ID: 9e945881b265b744a906a0e4bd945e59ab424563adafa256a7f6cb4147398d81
Opcode Fuzzy Hash: b3b4c9a8baf76d25d08d469182736da4854758c5db0ecfb3be19ca2de82e8c4e
Instruction Fuzzy Hash: 7E31E071500219EFDF15CFA8DD4CA9E7BB9EB45315F11822AF925EB2D0C7B09910DB90

Function 0039B1EC Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0039B204
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0039B221
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0039B259
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0039B27F
_wcsstr.LIBCMT ref: 0039B289

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 3dc8c7931b56c18c0ac2c72bbcb5ec98a2fe6591f068daa6022a13fd8a229eb7
Instruction ID: ab19c3605d9d19b57e85c2bb9951442d53201c30377acd4a29b5b487c33514a6
Opcode Fuzzy Hash: 3dc8c7931b56c18c0ac2c72bbcb5ec98a2fe6591f068daa6022a13fd8a229eb7
Instruction Fuzzy Hash: F221D332204200AAEB165B79AD49E7FBBADDB49710F018529F845DA1A1EB61DC409760

Function 003CB14B Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00342612: GetWindowLongW.USER32(?,000000EB), ref: 00342623

GetWindowLongW.USER32(?,000000F0), ref: 003CB192
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 003CB1B7
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 003CB1CF
GetSystemMetrics.USER32(00000004), ref: 003CB1F8
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,003B0E90,00000000), ref: 003CB216

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: f444a4009958933d5d4fea5daf5092e16a2dcc8fc475d643a90494cdebb37781
Instruction ID: 7b2970c11407761a5cf081a8d5b898fdb59bb417ef9081fcdf094ddd9c8f165e
Opcode Fuzzy Hash: f444a4009958933d5d4fea5daf5092e16a2dcc8fc475d643a90494cdebb37781
Instruction Fuzzy Hash: 44216071910655AFCB12AF38DC15F6ABBA9EB05361F164B39BD22D71E0D7309C209B90

Function 00399307 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00399320

Part of subcall function 00347BCC: _memmove.LIBCMT ref: 00347C06

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00399352
__itow.LIBCMT ref: 0039936A
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00399392
__itow.LIBCMT ref: 003993A3

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: 8b8c6067b82ef104a21574d4b9b411f838a406a4c0f97f6346070b4a0a96fd79
Instruction ID: 03263dd0565fd4796ea3754df75906b140acad81e2fbb5591d82ed483bb697d2
Opcode Fuzzy Hash: 8b8c6067b82ef104a21574d4b9b411f838a406a4c0f97f6346070b4a0a96fd79
Instruction Fuzzy Hash: A121B335700208ABDF13AE698CC5FAE7BADEB49710F04402AF905DB2D1D6B09D559791

Function 003B5A4D Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 003B5A6E
GetForegroundWindow.USER32 ref: 003B5A85
GetDC.USER32(00000000), ref: 003B5AC1
GetPixel.GDI32(00000000,?,00000003), ref: 003B5ACD
ReleaseDC.USER32(00000000,00000003), ref: 003B5B08

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 1dd7dc0d1cfcca7e63034143b46ebbceb043a0d1bc9cc84ebaa8595b182f2234
Instruction ID: ea2e48574e4b92ec645070bf53583cf9bbd625e99c43f505071d7ff05803bdc7
Opcode Fuzzy Hash: 1dd7dc0d1cfcca7e63034143b46ebbceb043a0d1bc9cc84ebaa8595b182f2234
Instruction Fuzzy Hash: 19216F75A00104AFD715EF65D884A9ABBE9EF48350F148479F949DB762DA70BD00CB90

Function 003412F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0034134D
SelectObject.GDI32(?,00000000), ref: 0034135C
BeginPath.GDI32(?), ref: 00341373
SelectObject.GDI32(?,00000000), ref: 0034139C

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: d83611a286c5ece82ed0bc95bd76c4d1be058487a635785bd694ed79b19b325a
Instruction ID: d46698a71eba155f697b203f4ec51d9b4942b4f79c93a7cd227ca79e169a4829
Opcode Fuzzy Hash: d83611a286c5ece82ed0bc95bd76c4d1be058487a635785bd694ed79b19b325a
Instruction Fuzzy Hash: FB218631800A08DFDB12AF25DE08B6A7BE9FB00751F148225FC14AA5B0D370A9A1DF54

Function 003A4A93 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 003A4ABA
__beginthreadex.LIBCMT ref: 003A4AD8
MessageBoxW.USER32(?,?,?,?), ref: 003A4AED
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 003A4B03
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 003A4B0A

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: 8cf44d40f38c20a74a444d958afb33be5efa3b8eefb0b3549dedf17e81b45966
Instruction ID: a14bba0dcfcc31dff3d4b2fa81e3f5591caeacb350cdbeb6b29ece34108bf84d
Opcode Fuzzy Hash: 8cf44d40f38c20a74a444d958afb33be5efa3b8eefb0b3549dedf17e81b45966
Instruction Fuzzy Hash: 6C110876904614BFD7029FA89C04E9B7FADEB86320F144269F814D3250D6B1D9008BB0

Function 00398202 Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 0039821E
GetLastError.KERNEL32(?,00397CE2,?,?,?), ref: 00398228
GetProcessHeap.KERNEL32(00000008,?,?,00397CE2,?,?,?), ref: 00398237
HeapAlloc.KERNEL32(00000000,?,00397CE2,?,?,?), ref: 0039823E
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00398255

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 8ff524e1305342c2e4c756e202f39315497a16cf1657b97760c32a9fe1707dbf
Instruction ID: 4fbbc4a9ab03628de7c6c863c94d27809fb735506c6a208a8a62b313157b0e09
Opcode Fuzzy Hash: 8ff524e1305342c2e4c756e202f39315497a16cf1657b97760c32a9fe1707dbf
Instruction Fuzzy Hash: E1016971201604BFDF225FA6DC48D6B7FAEEF8A754B50082AF849C3220DA31AC10DB60

Function 0039710A Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00397044,80070057,?,?,?,00397455), ref: 00397127
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00397044,80070057,?,?), ref: 00397142
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00397044,80070057,?,?), ref: 00397150
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00397044,80070057,?), ref: 00397160
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00397044,80070057,?,?), ref: 0039716C

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 1ca06f4788235c48a8852f43f9d6172c705cb6f57c40417d2518b63e31c62ca8
Instruction ID: fe9fba931073874edbd7a800db87ad2db44d61f55fbecb75d66a1f4d06430689
Opcode Fuzzy Hash: 1ca06f4788235c48a8852f43f9d6172c705cb6f57c40417d2518b63e31c62ca8
Instruction Fuzzy Hash: 05017C76621204BFDB124F68DC44EAA7BAEEB44791F150064FD08D2260D731ED419BA0

Function 003A5244 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 003A5260
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 003A526E
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 003A5276
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 003A5280
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 003A52BC

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 179873f0531f03909182b92b0bfcac090c09237fa67fb35c4875e77afc804a3c
Instruction ID: a6b5b4bc975f417a13b03e5523ad343cc3ca62b7a166b107763a3f71aa11e585
Opcode Fuzzy Hash: 179873f0531f03909182b92b0bfcac090c09237fa67fb35c4875e77afc804a3c
Instruction Fuzzy Hash: 93015731D01A19DBCF02EFE4E848AEDBB7CFB0A311F460956E941F2140CB3065508BA1

Function 0039810A Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00398121
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0039812B
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0039813A
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00398141
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00398157

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 600764ac2f6f0cc5394f1faed5157ea3a9103a6fb602a7b5aa6feb589ded17cb
Instruction ID: 738d03bc0634a3d8a8ed229feedd446f793dfd6d2d3a6345f712e23f9509e6ce
Opcode Fuzzy Hash: 600764ac2f6f0cc5394f1faed5157ea3a9103a6fb602a7b5aa6feb589ded17cb
Instruction Fuzzy Hash: DCF06275200314BFEB121FA5EC88E6B3BADFF8AB54F040025F945C6150CB61ED41DB60

Function 0039C1E3 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 0039C1F7
GetWindowTextW.USER32(00000000,?,00000100), ref: 0039C20E
MessageBeep.USER32(00000000), ref: 0039C226
KillTimer.USER32(?,0000040A), ref: 0039C242
EndDialog.USER32(?,00000001), ref: 0039C25C

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: b98d067d0e5f44269bbc8bec68de00d54677d0939999d1dca9492153716b29ed
Instruction ID: e1288944d4b030b72e4516487e9ec78eab9365ea2e9d62168db653b80c5fafa9
Opcode Fuzzy Hash: b98d067d0e5f44269bbc8bec68de00d54677d0939999d1dca9492153716b29ed
Instruction Fuzzy Hash: C101A230414308ABEF266B60ED4EF9677BDFB00B06F004669A5C2E14E1DBF0B9549B90

Function 003413B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 003413BF
StrokeAndFillPath.GDI32(?,?,0037B888,00000000,?), ref: 003413DB
SelectObject.GDI32(?,00000000), ref: 003413EE
DeleteObject.GDI32 ref: 00341401
StrokePath.GDI32(?), ref: 0034141C

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: f6cdc51a23f07ec54f880bcfa7635a89300a0c475115341f62003844a15ece43
Instruction ID: 9fa4076c9fb10f4e1b52a0d9d84e3cfff85b1172530a11dc5a91da709528c34b
Opcode Fuzzy Hash: f6cdc51a23f07ec54f880bcfa7635a89300a0c475115341f62003844a15ece43
Instruction Fuzzy Hash: CCF0FB31000B089FDB126F66ED4CB593BE9E700726F08C234E869981B1C73069A5DF14

Function 003AC397 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 003AC432
CoCreateInstance.OLE32(003D2D6C,00000000,00000001,003D2BDC,?), ref: 003AC44A

Part of subcall function 00347DE1: _memmove.LIBCMT ref: 00347E22

CoUninitialize.OLE32 ref: 003AC6B7

Strings

.lnk, xrefs: 003AC3C6, 003AC3EE, 003AC3F8

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: 329f26b619709689e1a0f427d7fd0503e8ed7a0302262d77afc260c2e3be857c
Instruction ID: 357769e8a84e4e9839a11db91c9ff3d566a57d18de781722cfcb7047cfe0fac6
Opcode Fuzzy Hash: 329f26b619709689e1a0f427d7fd0503e8ed7a0302262d77afc260c2e3be857c
Instruction Fuzzy Hash: 83A12971104205AFD701EF54C881EAFB7E8EF99354F00492DF1569F1A2EB71EA49CB62

Function 00352CFB Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00360DB6: std::exception::exception.LIBCMT ref: 00360DEC
Part of subcall function 00360DB6: __CxxThrowException@8.LIBCMT ref: 00360E01

Part of subcall function 00347DE1: _memmove.LIBCMT ref: 00347E22

Part of subcall function 00347A51: _memmove.LIBCMT ref: 00347AAB

__swprintf.LIBCMT ref: 00352ECD

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00352D66

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: 8c22e9e825c3d99657e00037da70c1b1a9167f081e36d4a7fa39453e8676366b
Instruction ID: 9fb74108f67fe48ff5fd323689e2355bbcd54214f6d79f17cdf8bdbdc81f3c5d
Opcode Fuzzy Hash: 8c22e9e825c3d99657e00037da70c1b1a9167f081e36d4a7fa39453e8676366b
Instruction Fuzzy Hash: F49137715082019BC716EF24C896D6BB7E8AF96710F01495EF8859F2A2EB20ED48CB52

Function 003AB93B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 00344750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00344743,?,?,003437AE,?), ref: 00344770

CoInitialize.OLE32(00000000), ref: 003AB9BB
CoCreateInstance.OLE32(003D2D6C,00000000,00000001,003D2BDC,?), ref: 003AB9D4
CoUninitialize.OLE32 ref: 003AB9F1

Part of subcall function 00349837: __itow.LIBCMT ref: 00349862
Part of subcall function 00349837: __swprintf.LIBCMT ref: 003498AC

Strings

.lnk, xrefs: 003AB99D, 003AB9AB

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 9163b4f61656c1485063c6d12f19631d9190645dce32eb0571cdb823ee5385e9
Instruction ID: 9af1facb08da29cf768984507df86c595c14a90b95b608d664bf2702bc5f09bf
Opcode Fuzzy Hash: 9163b4f61656c1485063c6d12f19631d9190645dce32eb0571cdb823ee5385e9
Instruction Fuzzy Hash: 69A155756043059FCB12DF14C484E6ABBE5FF8A314F058999F89A9B3A2CB31EC45CB91

Function 0039B2F3 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 0039B4BE

Strings

Container, xrefs: 0039B43B
AutoIt3GUI, xrefs: 0039B436
%=, xrefs: 0039B561

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container$%=
API String ID: 3565006973-2852750407
Opcode ID: fb50cfe2df5df0379ca56385945136b0d56297f0f0859f06396093e1dea1447c
Instruction ID: 05fac280d76901f742fcdd069852ba4922257ae77cce5e8387d327a9c8828f88
Opcode Fuzzy Hash: fb50cfe2df5df0379ca56385945136b0d56297f0f0859f06396093e1dea1447c
Instruction Fuzzy Hash: 22915774200601EFDB15DF64D984B6ABBF9FF49710F20856EE94ACB6A1DB70E841CB60

Function 0036501D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 003650AD

Part of subcall function 003700F0: __87except.LIBCMT ref: 0037012B

Strings

pow, xrefs: 00365085, 003650A2

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: fa8f18962ab935085d3684ce1af04d4bb42820d595d611c3cf18936c7fb128ec
Instruction ID: 048d60513161a8e4605663dbbf9dfd6de1102a2c2d55232b50cc7cbf7ecbf47f
Opcode Fuzzy Hash: fa8f18962ab935085d3684ce1af04d4bb42820d595d611c3cf18936c7fb128ec
Instruction Fuzzy Hash: D0517B6591C502D6DB2B7724CD4137E2B98AB41700F20CD79E4D98A2AEEF38CDC49A86

Function 00388584 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 148COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0038862B
_memmove.LIBCMT ref: 00388685

Strings

3c5, xrefs: 0038860C
_5, xrefs: 003886FF, 0038DFDC, 0038DFF8

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: _memmove
String ID: 3c5$_5
API String ID: 4104443479-2150917133
Opcode ID: 135fc18bc5443ff0cff0ccced5be0ec7fcf5000b80389aacd4c676bdea870b42
Instruction ID: c993c63f916bdf8ce276a6c9d3a4a8f4a60fea1256d3a35886465fb5a20c3cad
Opcode Fuzzy Hash: 135fc18bc5443ff0cff0ccced5be0ec7fcf5000b80389aacd4c676bdea870b42
Instruction Fuzzy Hash: 9651AD709006099FCF26DF68C880AAEB7B5FF44304F608569E85AD7250EB30E995CB51

Function 003997F5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003A14BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00399296,?,?,00000034,00000800,?,00000034), ref: 003A14E6

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0039983F

Part of subcall function 003A1487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,003992C5,?,?,00000800,?,00001073,00000000,?,?), ref: 003A14B1

Part of subcall function 003A13DE: GetWindowThreadProcessId.USER32(?,?), ref: 003A1409
Part of subcall function 003A13DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0039925A,00000034,?,?,00001004,00000000,00000000), ref: 003A1419
Part of subcall function 003A13DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0039925A,00000034,?,?,00001004,00000000,00000000), ref: 003A142F

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 003998AC
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 003998F9

Strings

@, xrefs: 00399911

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: d2fc13337426619bca1710fe624c4994cda9a67c55795b32312223bc92803bc8
Instruction ID: e0727ad6d318a579a8a551650541454d21c1465e7c9e69be62dca2aec90632bb
Opcode Fuzzy Hash: d2fc13337426619bca1710fe624c4994cda9a67c55795b32312223bc92803bc8
Instruction Fuzzy Hash: A0412E76901218AFDF11DFA8CC86EDEBBB8EB09300F004199F955B7191DA716E45CBA1

Function 003C7946 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,003CF910,00000000,?,?,?,?), ref: 003C79DF
GetWindowLongW.USER32 ref: 003C79FC
SetWindowLongW.USER32(?,000000F0,00000000), ref: 003C7A0C

Strings

SysTreeView32, xrefs: 003C79B1

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: ff1d3f441174bf29a5682464da6e56e44f57cc001294ba8e376789c9fc9e1fbd
Instruction ID: cf0e6f66c2f956dea0f157216fd145ebaac05c29e825af3bd25033b0c696cdf3
Opcode Fuzzy Hash: ff1d3f441174bf29a5682464da6e56e44f57cc001294ba8e376789c9fc9e1fbd
Instruction Fuzzy Hash: 8F319C35204606AFDB129E38CC45FEB7BA9EB05324F218729F875E62E0D731ED519B50

Function 003C73D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 003C7461
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 003C7475
SendMessageW.USER32(?,00001002,00000000,?), ref: 003C7499

Strings

SysMonthCal32, xrefs: 003C742C

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: f9cdbd483152f0302c1bb9995c0680def87d59acc3b6a12a787fba1f1c72ad9d
Instruction ID: c268180a559df522a34bdddbe6362ee666e139ffd09c1d0bc62302cb931204e0
Opcode Fuzzy Hash: f9cdbd483152f0302c1bb9995c0680def87d59acc3b6a12a787fba1f1c72ad9d
Instruction Fuzzy Hash: E621A332500218AFDF168F65CC46FEA3B69EF48724F120118FE15AB1D0DA75AC51DBA0

Function 003C7B93 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 003C7C4A
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 003C7C58
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 003C7C5F

Strings

msctls_updown32, xrefs: 003C7BC4

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 8b69a0b5a40e288caccdc991db6d776098daf9baf8aaa76a4c6d2a85d2c1921a
Instruction ID: 88b2c70a0942ea5af5ee883c69d0b8a82c611e30943a9b27102308d46562daf2
Opcode Fuzzy Hash: 8b69a0b5a40e288caccdc991db6d776098daf9baf8aaa76a4c6d2a85d2c1921a
Instruction Fuzzy Hash: 04217CB5604209AFDB12EF24DCC1EA737EDEB4A3A4B154059FA05DB3A1CB31EC519B60

Function 003C6CB0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 003C6D3B
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 003C6D4B
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 003C6D70

Strings

Listbox, xrefs: 003C6D08

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 37184922ca4cd72b19edfdea8914cf295dbafbca5e26999c65496452e423476c
Instruction ID: b170f06ddc95423c9754cf58ddb065428ec7f8f7ccec4c15f6b8c0f9deb630f8
Opcode Fuzzy Hash: 37184922ca4cd72b19edfdea8914cf295dbafbca5e26999c65496452e423476c
Instruction Fuzzy Hash: 48219232610118BFDF128F54CC46FBB3BBEEF89750F018128F9459B1A0C671AC519BA0

Function 003B39E9 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 003B3A66

Part of subcall function 00347DE1: _memmove.LIBCMT ref: 00347E22

Strings

AUTOITCALLVARIABLE%d, xrefs: 003B3A58
, $, xrefs: 003B3AA6
%=, xrefs: 003B39F4

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d$%=
API String ID: 3506404897-2298458297
Opcode ID: d3b6229309fbd6e42805e45c6ea439f066d3c243edb25007543f27338701a778
Instruction ID: 9d040fcc65525f7425d5709b134bd8d7b7220fb925453641da65cf8cea58079f
Opcode Fuzzy Hash: d3b6229309fbd6e42805e45c6ea439f066d3c243edb25007543f27338701a778
Instruction Fuzzy Hash: 59214F31A00229ABCF16EF64CC82AEE77B9EF44704F504455E655AF182DB30EA45CB61

Function 003C770E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 003C7772
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 003C7787
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 003C7794

Strings

msctls_trackbar32, xrefs: 003C7749

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: adef56747f464737239280110e3d62ce84248c30c8476464621f5bacb737e5b3
Instruction ID: 7efc3e7214984171dc2fa05d9ea25d9bc9c0763c84f6fa826391d38b74de3f14
Opcode Fuzzy Hash: adef56747f464737239280110e3d62ce84248c30c8476464621f5bacb737e5b3
Instruction Fuzzy Hash: BA11C172244208BAEF255F65CC05FEB7BADEF89B64F12412CFA45A6090C672A851DB20

Function 00366B71 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00366B93
__calloc_crt.LIBCMT ref: 00366BAC

Strings

?, xrefs: 00366BD1
@B@, xrefs: 00366BC3

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: __calloc_crt
String ID: ?$@B@
API String ID: 3494438863-2252957899
Opcode ID: 32dcfc551e799f9ee017bd6a722f09935fd8b3af9be7db14f8e2a0cab58a5e58
Instruction ID: 64b80cf317036a94e565a33652848b9efe20a31a0aa81464d97b978648aa1e59
Opcode Fuzzy Hash: 32dcfc551e799f9ee017bd6a722f09935fd8b3af9be7db14f8e2a0cab58a5e58
Instruction Fuzzy Hash: 1AF0FC75204612CBFB269F16BD53B632795EB057B0F10807EE200DF198EB3088404EC8

Function 00369B79 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 20COMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 00369B94

Part of subcall function 00369C0B: __mtinitlocknum.LIBCMT ref: 00369C1D
Part of subcall function 00369C0B: EnterCriticalSection.KERNEL32(00000000,?,00369A7C,0000000D), ref: 00369C36

__updatetlocinfoEx_nolock.LIBCMT ref: 00369BA4

Part of subcall function 00369100: ___addlocaleref.LIBCMT ref: 0036911C
Part of subcall function 00369100: ___removelocaleref.LIBCMT ref: 00369127
Part of subcall function 00369100: ___freetlocinfo.LIBCMT ref: 0036913B

Strings

8?, xrefs: 00369B8A, 00369B9F, 00369BAB
8?, xrefs: 00369B85

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: CriticalEnterEx_nolockSection___addlocaleref___freetlocinfo___removelocaleref__lock__mtinitlocknum__updatetlocinfo
String ID: 8?$8?
API String ID: 547918592-297661732
Opcode ID: 180f615ddfc6a34ac3d3791a404a0e2a59433e269b2f6f7a68ee062fd7433087
Instruction ID: 1e72c3896bad6232a75347ccc671decf004a29da13c23da6491dc7ef5803eecc
Opcode Fuzzy Hash: 180f615ddfc6a34ac3d3791a404a0e2a59433e269b2f6f7a68ee062fd7433087
Instruction Fuzzy Hash: 95E08671547304EDDB13BBA4690376826985B01721F21926BF1459A0D9CEB40800C517

Function 00344C36 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00344B83,?), ref: 00344C44
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00344C56

Strings

Wow64RevertWow64FsRedirection, xrefs: 00344C50
kernel32.dll, xrefs: 00344C3F

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: d6e5a52a7c2b38feba3214bacc8c4f9021145bc916e71412323b31a6471ac360
Instruction ID: c366d67e9c1ad5b4f48966bafa431a79e471356afeb7212800ff1455eab984e5
Opcode Fuzzy Hash: d6e5a52a7c2b38feba3214bacc8c4f9021145bc916e71412323b31a6471ac360
Instruction Fuzzy Hash: EAD0E230510722DFD7229B32D948A5AB6EAAF05351B1A883AD596DA160E670E8808B50

Function 00344C03 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00344BD0,?,00344DEF,?,004052F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00344C11
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00344C23

Strings

Wow64DisableWow64FsRedirection, xrefs: 00344C1D
kernel32.dll, xrefs: 00344C0C

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 9202f615afad7dfb7f2c7c9f7dc95ae802f88eaf023d449b6d9ab43a951d72bd
Instruction ID: baf1ac128cbb0084d32918a0b95c088336dfc4086ba46cd5c2da2b17be4426ad
Opcode Fuzzy Hash: 9202f615afad7dfb7f2c7c9f7dc95ae802f88eaf023d449b6d9ab43a951d72bd
Instruction Fuzzy Hash: D8D0EC34911712DFD7226B71D948A46BADAAF09351B198839D486D6160E6B0E8808750

Function 003C0DE7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,003C1039), ref: 003C0DF5
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 003C0E07

Strings

advapi32.dll, xrefs: 003C0DF0
RegDeleteKeyExW, xrefs: 003C0E01

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 17c35c8ba652bbb0af646e260ad60b891578c352411e5e835e7f01e78ed131a9
Instruction ID: 40f495ecd5d21040abad901119ac65c64be28ca89447db23a6385dd672346867
Opcode Fuzzy Hash: 17c35c8ba652bbb0af646e260ad60b891578c352411e5e835e7f01e78ed131a9
Instruction Fuzzy Hash: 5CD0C730440B26CFC3268F70C808B82B2EAAF01342F068C3ED58AC6250E6B1E890CB00

Function 003B90E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,003B8CF4,?,003CF910), ref: 003B90EE
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 003B9100

Strings

kernel32.dll, xrefs: 003B90E9
GetModuleHandleExW, xrefs: 003B90FA

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 6799de1106aea00e9e19fe94fa8b16739dd3075cdf548d551b767e7e5d310747
Instruction ID: 9a092e3a97e4c8b0be1cba5716677261c30fb965694bb10ee90a7f34c5868038
Opcode Fuzzy Hash: 6799de1106aea00e9e19fe94fa8b16739dd3075cdf548d551b767e7e5d310747
Instruction Fuzzy Hash: 1ED01235510713CFD7229F35D818A8676D9AF05355F17C83ED686D6550E770D880C750

Function 00381714 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00381718
__swprintf.LIBCMT ref: 00381749

Strings

WIN_XPe, xrefs: 00381788
%.3d, xrefs: 00381723

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: d8141a40faa0de706e71d1a1e70f6ced8a90cb58832fc75a970d33ef97e21c02
Instruction ID: 56aa02e0484d2eef09490d1fbe076b753bb7f9fbc7a16a83824bba9f7eed09cf
Opcode Fuzzy Hash: d8141a40faa0de706e71d1a1e70f6ced8a90cb58832fc75a970d33ef97e21c02
Instruction Fuzzy Hash: 58D05B7280530DFAC703B790DC88DF9737CA708301F1408A6F506D2450E2359755E721

Function 0039717D Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79dcbc3c6dd72c7ab63ad74daa02b6b7cc95124651c2466eaf38570a327cf966
Instruction ID: f5608ae0a8132cbba4c3b146b08cb743de800313a5e1083e94e262625f31bd04
Opcode Fuzzy Hash: 79dcbc3c6dd72c7ab63ad74daa02b6b7cc95124651c2466eaf38570a327cf966
Instruction Fuzzy Hash: 5CC18F74A14216EFCF15CFA5C884EAEBBB9FF48704B158598E805EB291D730ED81DB90

Function 003BE02A Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 003BE0BE
CharLowerBuffW.USER32(?,?), ref: 003BE101

Part of subcall function 003BD7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 003BD7C5

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 003BE301
_memmove.LIBCMT ref: 003BE314

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: 335ac58b7abc15c08d6f7f0d5a0538c3365f61134e4b6d29553906511ac56d63
Instruction ID: 28037a5debc48757bfd3caabb34ab3677c0c1caf8d8a7f5490259d0a735892c6
Opcode Fuzzy Hash: 335ac58b7abc15c08d6f7f0d5a0538c3365f61134e4b6d29553906511ac56d63
Instruction Fuzzy Hash: 18C18A756043018FC706DF28C480AAABBE4FF89718F14896EF999DB751D731E946CB81

Function 003B8093 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 003B80C3
CoUninitialize.OLE32 ref: 003B80CE

Part of subcall function 0039D56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0039D5D4

VariantInit.OLEAUT32(?), ref: 003B80D9
VariantClear.OLEAUT32(?), ref: 003B83AA

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 27391ac7e7d18538839fab8c996123e96e75b840b8bbfa96537e42a23684c03c
Instruction ID: 7242b5c63156a5ced368d34e3ef9314b0c4ae2419f8548ddb1c8a3b16d7b30c6
Opcode Fuzzy Hash: 27391ac7e7d18538839fab8c996123e96e75b840b8bbfa96537e42a23684c03c
Instruction Fuzzy Hash: B4A114796047019FCB12DF18C481B6AB7E8BF89758F044859FA9A9B7A1CB30FD05CB42

Function 0039687D Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0039688E
SysAllocString.OLEAUT32(00000000), ref: 00396937
VariantCopy.OLEAUT32 ref: 00396966
VariantClear.OLEAUT32(?), ref: 0039698D

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 02a471bc7138667961353942b6499366c9314a85bb25767908ce7091fa981464
Instruction ID: 24dd4f2827c7bbea7b8a95806fa4a0c5a432223b06d5bfeccbc660fb00c2e124
Opcode Fuzzy Hash: 02a471bc7138667961353942b6499366c9314a85bb25767908ce7091fa981464
Instruction Fuzzy Hash: 1B519FB46053429EDF26AF65D893A2EB3E9AF45310F20D81FE596DF691DB70DC408701

Function 003A955B Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00344EE5: _fseek.LIBCMT ref: 00344EFD

Part of subcall function 003A9734: _wcscmp.LIBCMT ref: 003A9824
Part of subcall function 003A9734: _wcscmp.LIBCMT ref: 003A9837

_free.LIBCMT ref: 003A96A2
_free.LIBCMT ref: 003A96A9
_free.LIBCMT ref: 003A9714

Part of subcall function 00362D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00369A24), ref: 00362D69
Part of subcall function 00362D55: GetLastError.KERNEL32(00000000,?,00369A24), ref: 00362D7B

_free.LIBCMT ref: 003A971C

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 464ebd311e0b84417835fdca97f39b05a871d491f27d7685db559b23c3b03983
Instruction ID: 8b9e6cdc09a13df20e59730b8a578242d044ba17cbe27736caa3a7a45e06bd59
Opcode Fuzzy Hash: 464ebd311e0b84417835fdca97f39b05a871d491f27d7685db559b23c3b03983
Instruction Fuzzy Hash: 255141B1D14258AFDF259F64CC81B9EBBB9EF49300F1044AEF509AB251DB715A80CF58

Function 003C97F4 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(0160E4E0,?), ref: 003C9863
ScreenToClient.USER32(00000002,00000002), ref: 003C9896
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 003C9903

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 23e21837df05d16f4f54a16cadc8685f1f84f4ee7e062d62d3f4071ecc8e74ae
Instruction ID: d1ff54d14d87b40e3bcbafc4b6a1be5622d64f998fcda07d35be112822aa8590
Opcode Fuzzy Hash: 23e21837df05d16f4f54a16cadc8685f1f84f4ee7e062d62d3f4071ecc8e74ae
Instruction Fuzzy Hash: 90513C35A00208AFDF11DF14C988FAE7BB6EB45360F12816EF855EB2A0D731AD51CB90

Function 00399A80 Relevance: 6.1, APIs: 4, Instructions: 129windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00399AD2
__itow.LIBCMT ref: 00399B03

Part of subcall function 00399D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00399DBE

SendMessageW.USER32(?,0000110A,00000001,?), ref: 00399B6C
__itow.LIBCMT ref: 00399BC3

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: b52bd9cf0c062f2f563e662bfc3b819a9893dd7a698a0f71633ec1c26e660cdf
Instruction ID: 712ee08d2a45e1e9a8bf36ad046105ea34807776624b4e73d52a27043ce5031c
Opcode Fuzzy Hash: b52bd9cf0c062f2f563e662bfc3b819a9893dd7a698a0f71633ec1c26e660cdf
Instruction Fuzzy Hash: 1C414275A00209ABDF16DF58D845BEE7BF9EF44710F00005AF905AB291DB74AD44CBA1

Function 003B69AA Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 003B69D1
WSAGetLastError.WSOCK32(00000000), ref: 003B69E1

Part of subcall function 00349837: __itow.LIBCMT ref: 00349862
Part of subcall function 00349837: __swprintf.LIBCMT ref: 003498AC

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 003B6A45
WSAGetLastError.WSOCK32(00000000), ref: 003B6A51

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: b31d73defebea35515a6ed3ec4449a466a705f8a9b6e88a728db87cd7fdda166
Instruction ID: bef1fdbfefc541ee550e1303bab2e74d0bc79f6c9943ad00b7266fae182ecc02
Opcode Fuzzy Hash: b31d73defebea35515a6ed3ec4449a466a705f8a9b6e88a728db87cd7fdda166
Instruction Fuzzy Hash: CC4181757402006FEB62AF28CC87F6A77E99F05B14F048419FA59AF2D3DA75AD008791

Function 003B641A Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,003CF910), ref: 003B64A7
_strlen.LIBCMT ref: 003B64D9

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: efe8485d5fde338d126681be8542db7bb61bcbac32c0fcbd110704aee140b449
Instruction ID: 61291daa4f25d835a6803420a49ed5abdc7d832a692dfa95ab2f2d4c8f5c5a8f
Opcode Fuzzy Hash: efe8485d5fde338d126681be8542db7bb61bcbac32c0fcbd110704aee140b449
Instruction Fuzzy Hash: F541A231A00104ABCB26EBA4DC96FEEB7A9AF45314F108156F9159F693DB34AD10CB50

Function 003AB7F4 Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 003AB89E
GetLastError.KERNEL32(?,00000000), ref: 003AB8C4
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 003AB8E9
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 003AB915

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: a39e4c7ec2f976bb8818e918a88bb4c1ab569fd1dc1a93b6e4a17948fe456eb4
Instruction ID: 1e4103a8518df4550255ae826f7751b3aedd3528d3c37ea0dea5bc02fcbcf3e1
Opcode Fuzzy Hash: a39e4c7ec2f976bb8818e918a88bb4c1ab569fd1dc1a93b6e4a17948fe456eb4
Instruction Fuzzy Hash: 1C411D39600550DFCB22EF19C445A5ABBE5EF8A310F158099ED4A9F362CB35FD01CB91

Function 003C8851 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 003C88DE

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 9a201cc266573506ca78aba4ea3b086448ccbb94c0a286f432232aa09222f12d
Instruction ID: 225eb077ce900852dcdaeb96ffb4104273c478331252c07e69c4a44269104222
Opcode Fuzzy Hash: 9a201cc266573506ca78aba4ea3b086448ccbb94c0a286f432232aa09222f12d
Instruction Fuzzy Hash: CE31D434600208AFEB229F58CC45FB977A9EB09310F55452AFA11E76A1CF71EF409B56

Function 003CAB37 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 003CAB60
GetWindowRect.USER32(?,?), ref: 003CABD6
PtInRect.USER32(?,?,003CC014), ref: 003CABE6
MessageBeep.USER32(00000000), ref: 003CAC57

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 3dc8e1acb05f815682cb3c8c13833921bbc055a2a9b84df0f91011ab6c75d517
Instruction ID: 0750e255a790f915995ac6ecd9c9ce0bb285925239b5614b11382e76a5f8bc6d
Opcode Fuzzy Hash: 3dc8e1acb05f815682cb3c8c13833921bbc055a2a9b84df0f91011ab6c75d517
Instruction Fuzzy Hash: E94149316009199FCB12EF58D884F69BBFAFB49318F19C1A9E815DB260D730AD41CB92

Function 003A0AD6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 003A0B27
SetKeyboardState.USER32(00000080,?,00000001), ref: 003A0B43
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 003A0BA9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 003A0BFB

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 67cf02a265650068b4baad37977fb12eb648e2479061cf662491ffd9b022b20e
Instruction ID: c9bdd38f6f6f6eb581cab52928f7fd32c400f39b2d04f7c3ff13b86c5d028747
Opcode Fuzzy Hash: 67cf02a265650068b4baad37977fb12eb648e2479061cf662491ffd9b022b20e
Instruction Fuzzy Hash: D3313A30E40218AEFF3B8B258D09BFABBAAEB47318F04435AE591961D1C375D9409775

Function 003A0C11 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,7608C0D0,?,00008000), ref: 003A0C66
SetKeyboardState.USER32(00000080,?,00008000), ref: 003A0C82
PostMessageW.USER32(00000000,00000101,00000000), ref: 003A0CE1
SendInput.USER32(00000001,?,0000001C,7608C0D0,?,00008000), ref: 003A0D33

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 1e4fc330342d4e2c71f0cbc6302a27745246bbef7baee6681a3b763521d5aed0
Instruction ID: cafd62066dd45ab20ca57d8de63e41213300a23ffaee4d1e0b3b79fab764b7a4
Opcode Fuzzy Hash: 1e4fc330342d4e2c71f0cbc6302a27745246bbef7baee6681a3b763521d5aed0
Instruction Fuzzy Hash: 473149319402186FFF3B8B658C04BFEBBAAEB47320F04432AE4959A1D1C3399D558752

Function 003761C5 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 003761FB
__isleadbyte_l.LIBCMT ref: 00376229
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00376257
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 0037628D

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 415b520b8fc3586b3627d5baa6c926b8506654287a7d09bd609ecefc3a18394d
Instruction ID: a83b810835cd3f65c9e3a1a6421f37b2d875e41580a74d42bc2e31c356b6c5e0
Opcode Fuzzy Hash: 415b520b8fc3586b3627d5baa6c926b8506654287a7d09bd609ecefc3a18394d
Instruction Fuzzy Hash: 3831D431600A45AFDF339F65CC5ABBA7BB9FF41310F168428E81897192D735D950DB50

Function 003C4EEE Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 003C4F02

Part of subcall function 003A3641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 003A365B
Part of subcall function 003A3641: GetCurrentThreadId.KERNEL32 ref: 003A3662
Part of subcall function 003A3641: AttachThreadInput.USER32(00000000,?,003A5005), ref: 003A3669

GetCaretPos.USER32(?), ref: 003C4F13
ClientToScreen.USER32(00000000,?), ref: 003C4F4E
GetForegroundWindow.USER32 ref: 003C4F54

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: e5f8dc702ff60a3a5bdf09feab78cd67b1e7c97fb8cd13f6b68a629cf668567b
Instruction ID: 4ebcbc7e7bb98f010325d767fd9ee7dd31adee3c74b6532620aca75627ba1d6f
Opcode Fuzzy Hash: e5f8dc702ff60a3a5bdf09feab78cd67b1e7c97fb8cd13f6b68a629cf668567b
Instruction Fuzzy Hash: FE311C71D00108AFDB01EFA9C985EEFB7FDEF99304F10446AE415EB251DA71AE458BA0

Function 003CC498 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00342612: GetWindowLongW.USER32(?,000000EB), ref: 00342623

GetCursorPos.USER32(?), ref: 003CC4D2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0037B9AB,?,?,?,?,?), ref: 003CC4E7
GetCursorPos.USER32(?), ref: 003CC534
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0037B9AB,?,?,?), ref: 003CC56E

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: e49590f4db61f01e5e20169c930182b98e1f68fa9be6e648b35e9037446ca18f
Instruction ID: c190a3580473d84fac2c0976573ef9de9a9f4d4990937b3ed4f86cc65c6ddc91
Opcode Fuzzy Hash: e49590f4db61f01e5e20169c930182b98e1f68fa9be6e648b35e9037446ca18f
Instruction Fuzzy Hash: 89319335510018AFCB169F59C858EAB7BBAEB0A310F454069F909DB2A1CB31AD50DFA4

Function 00398656 Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0039810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00398121
Part of subcall function 0039810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0039812B
Part of subcall function 0039810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0039813A
Part of subcall function 0039810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00398141
Part of subcall function 0039810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00398157

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 003986A3
_memcmp.LIBCMT ref: 003986C6
GetProcessHeap.KERNEL32(00000000,00000000), ref: 003986FC
HeapFree.KERNEL32(00000000), ref: 00398703

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 6ee1e2bdc9bc4c7bceeaee5502049a96c0f4656eee077bd56a5f87ced6e6357c
Instruction ID: e35cf7d5c08a4ff7a078ac8a934d677a9dbc00836dd8fbe1d3ac8041babd5497
Opcode Fuzzy Hash: 6ee1e2bdc9bc4c7bceeaee5502049a96c0f4656eee077bd56a5f87ced6e6357c
Instruction Fuzzy Hash: 9F219D72E40109EFDF11DFA8C949BEEB7B9EF86304F198059E544AB240DB31AE05CB90

Function 0036098C Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 003609AE

Part of subcall function 00345A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,003A7896,?,?,00000000), ref: 00345A2C
Part of subcall function 00345A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,003A7896,?,?,00000000,?,?), ref: 00345A50

_fprintf.LIBCMT ref: 003609E5
OutputDebugStringW.KERNEL32(?), ref: 00395DBB

Part of subcall function 00364AAA: _flsall.LIBCMT ref: 00364AC3

__setmode.LIBCMT ref: 00360A1A

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: 2c31477ea2653e5a9f0574e619bda3ff2eba3c0875e7227a340362ec041ed66f
Instruction ID: 050e48632b58f1400798344f993d46b5e056d86b869de414a7748ae62f4e8f31
Opcode Fuzzy Hash: 2c31477ea2653e5a9f0574e619bda3ff2eba3c0875e7227a340362ec041ed66f
Instruction Fuzzy Hash: 961105329042046FDB07B7B49C479BE7BA9DF46320F248056F2055F192EF21585247A5

Function 003B1767 Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 003B17A3

Part of subcall function 003B182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 003B184C
Part of subcall function 003B182D: InternetCloseHandle.WININET(00000000), ref: 003B18E9

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: bfc95d0e6113a64ddc9ad0b3a53133a640890752d51b5aa86bce20fd034cad02
Instruction ID: abb17ad7ef1dd5d54374559c0a4afd4002f6827ac47341ba779f6fd501f0d802
Opcode Fuzzy Hash: bfc95d0e6113a64ddc9ad0b3a53133a640890752d51b5aa86bce20fd034cad02
Instruction Fuzzy Hash: A6218032600605BFEB139F60DC11FFABBAEFB48714F50412AFB15DA950DB71A82197A0

Function 003A3A2A Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,003CFAC0), ref: 003A3A64
GetLastError.KERNEL32 ref: 003A3A73
CreateDirectoryW.KERNEL32(?,00000000), ref: 003A3A82
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,003CFAC0), ref: 003A3ADF

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: ed19ba9f66bc4d2f948bc19ca765310b7411e93a434d864520fa8f90dfa6344d
Instruction ID: 4941184b98a2d5daf53ef22b95d53079d45672c7d5412edb0076789fa2f4846e
Opcode Fuzzy Hash: ed19ba9f66bc4d2f948bc19ca765310b7411e93a434d864520fa8f90dfa6344d
Instruction Fuzzy Hash: 5721A7755082159F8311DF28C8818ABBBE8FF56364F104A2DF4D9CB2A2D731EE45CB52

Function 003750E2 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00375101

Part of subcall function 0036571C: __FF_MSGBANNER.LIBCMT ref: 00365733
Part of subcall function 0036571C: __NMSG_WRITE.LIBCMT ref: 0036573A
Part of subcall function 0036571C: RtlAllocateHeap.NTDLL(015F0000,00000000,00000001,00000000,?,?,?,00360DD3,?), ref: 0036575F

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: cf5b6fd3159d1f22bdfd228e99a9a6ba25d0985dcdd7c3a669dca285c341f8ba
Instruction ID: 02d99fcdbdebf287ddf14e0f2c5aa7b2c7ffce20e8aafe72c87f60e4753b0322
Opcode Fuzzy Hash: cf5b6fd3159d1f22bdfd228e99a9a6ba25d0985dcdd7c3a669dca285c341f8ba
Instruction Fuzzy Hash: D911E372500A15AFCF372F70AC05B6E3B9C9B04362F61C629F90C9A254DEB889408794

Function 003B6369 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00345A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,003A7896,?,?,00000000), ref: 00345A2C
Part of subcall function 00345A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,003A7896,?,?,00000000,?,?), ref: 00345A50

gethostbyname.WSOCK32(?,?,?), ref: 003B6399
WSAGetLastError.WSOCK32(00000000), ref: 003B63A4
_memmove.LIBCMT ref: 003B63D1
inet_ntoa.WSOCK32(?), ref: 003B63DC

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: fd2baf512e567a941fe3b533942567e194b6fa8da89a5a8fd3cdb1c843ad7f21
Instruction ID: 53f864d451924378cf871ea09ee9c770157349f7b3ca4434d41b45b3e46f781f
Opcode Fuzzy Hash: fd2baf512e567a941fe3b533942567e194b6fa8da89a5a8fd3cdb1c843ad7f21
Instruction Fuzzy Hash: 05115E32900109AFCB06FBA4DD46DEEB7B9EF08314B144065F506EF162DB31AE14DB61

Function 00398B41 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00398B61
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00398B73
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00398B89
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00398BA4

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: b1a5f12190042a69b6844b4e9d4fc15efa43e8c24839080110274dea7f6e9ccb
Instruction ID: f01c84ff28bbfb7e6d5b3c0a45b7c66a416b413b7134d7db7b9854ab2f34e009
Opcode Fuzzy Hash: b1a5f12190042a69b6844b4e9d4fc15efa43e8c24839080110274dea7f6e9ccb
Instruction Fuzzy Hash: 9B110A7A901218BFEF11DB95C885E9DBBB8EB49710F244095E900B7250DA716E11DB94

Function 00341290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00342612: GetWindowLongW.USER32(?,000000EB), ref: 00342623

DefDlgProcW.USER32(?,00000020,?), ref: 003412D8
GetClientRect.USER32(?,?), ref: 0037B5FB
GetCursorPos.USER32(?), ref: 0037B605
ScreenToClient.USER32(?,?), ref: 0037B610

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 7feb374552b38fb7184ec106ac83baeba051276fad98f17bca4ddc9e46733133
Instruction ID: 93b39b192860411239dbd01e1a2374304baa07debb1460146254df38475b4dcd
Opcode Fuzzy Hash: 7feb374552b38fb7184ec106ac83baeba051276fad98f17bca4ddc9e46733133
Instruction Fuzzy Hash: 3C113A35600519EFCB12EF98D889DFE77F9EB05300F404866FA41EB140D770BA919BA5

Function 0039D831 Relevance: 6.0, APIs: 4, Instructions: 50registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 0039D84D
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 0039D864
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 0039D879
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 0039D897

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 0f8d76de69e275e7aab28a8f8c8187053847c864639a14316fcb1fb7b9117d0d
Instruction ID: 2cb5305799123c1b9f69fac2f322c161aec9d71ad019d14f60bcb1f8e6039bd3
Opcode Fuzzy Hash: 0f8d76de69e275e7aab28a8f8c8187053847c864639a14316fcb1fb7b9117d0d
Instruction Fuzzy Hash: CE116175609305EFEB218FA1DC0AF93BBFCEB00B00F108569A516D6451D7B0E5499BA1

Function 00376FB7 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00376FDB

Part of subcall function 003776C2: __fltout2.LIBCMT ref: 003776EB

__cftog_l.LIBCMT ref: 00377001
__cftoe_l.LIBCMT ref: 00377033

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: fcab8033ce09ea5ba8d7ba139b5e7447f35dde372033eb0792ddb109996f6aca
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 94014B7244814EBBCF275F84CC01CEE3F66BB18350B598425FA1C59031D23AD9B1AB81

Function 003CB2C5 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 003CB2E4
ScreenToClient.USER32(?,?), ref: 003CB2FC
ScreenToClient.USER32(?,?), ref: 003CB320
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 003CB33B

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 0fffd6e3103c00fc83a180d3860de646b2de76d4f076a2345225becf2a1efebb
Instruction ID: d9e92a762e14fae332a6a2da7b130326837b9292709cb13d164907e2686bd1b4
Opcode Fuzzy Hash: 0fffd6e3103c00fc83a180d3860de646b2de76d4f076a2345225becf2a1efebb
Instruction Fuzzy Hash: D3114679D00249EFDB41DF99C444AEEFBB9FB08310F104166E914E3220D735AA659F50

Function 003A6BDA Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 003A6BE6

Part of subcall function 003A76C4: _memset.LIBCMT ref: 003A76F9

_memmove.LIBCMT ref: 003A6C09
_memset.LIBCMT ref: 003A6C16
LeaveCriticalSection.KERNEL32(?), ref: 003A6C26

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: 9eb564b14e7ec81ac456356c7806ebccc0876fcb37b24481639cec9c29c9498e
Instruction ID: 2468fd1763c6fe3d8d5a9cf89ae81f2f72c1260c1775f5f88cda27510ac23444
Opcode Fuzzy Hash: 9eb564b14e7ec81ac456356c7806ebccc0876fcb37b24481639cec9c29c9498e
Instruction Fuzzy Hash: 45F0F47A100110ABCF066F55DC85E4ABB2AEF45361F04C065FE089E267D731E911DBB4

Function 00342218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00342231
SetTextColor.GDI32(?,000000FF), ref: 0034223B
SetBkMode.GDI32(?,00000001), ref: 00342250
GetStockObject.GDI32(00000005), ref: 00342258
GetWindowDC.USER32(?,00000000), ref: 0037BE83
GetPixel.GDI32(00000000,00000000,00000000), ref: 0037BE90
GetPixel.GDI32(00000000,?,00000000), ref: 0037BEA9
GetPixel.GDI32(00000000,00000000,?), ref: 0037BEC2
GetPixel.GDI32(00000000,?,?), ref: 0037BEE2
ReleaseDC.USER32(?,00000000), ref: 0037BEED

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 69524ebe985a81b0461679baeeba6f87802744e9b2479d769de7e1d3e50803f2
Instruction ID: e3e6f1cf09b470e85f8fb5dd22fed22dcf96fcf787627b40479315a359eafeab
Opcode Fuzzy Hash: 69524ebe985a81b0461679baeeba6f87802744e9b2479d769de7e1d3e50803f2
Instruction Fuzzy Hash: 9AE06D32104244EEDF225F64FC0DBD87F26EB05332F14C366FA69980E187B29980DB12

Function 00398712 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 0039871B
OpenThreadToken.ADVAPI32(00000000,?,?,?,003982E6), ref: 00398722
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,003982E6), ref: 0039872F
OpenProcessToken.ADVAPI32(00000000,?,?,?,003982E6), ref: 00398736

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 20f5c3db2adc456408fa669daa41e919a8edaf142259f63d146aa185f8e91818
Instruction ID: 90dc4f520553e9e7d1c2e20817f8f09a67a0afa5ce069de1c8249dedbc2b25a2
Opcode Fuzzy Hash: 20f5c3db2adc456408fa669daa41e919a8edaf142259f63d146aa185f8e91818
Instruction Fuzzy Hash: 08E08676611221AFDB215FF09D0CF567BAEFF51B91F154828B685CA040DA349445C750

Function 00346240 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 317COMMON

Download Yara Rule

Strings

%=, xrefs: 0034624E

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID:
String ID: %=
API String ID: 0-1420429418
Opcode ID: 770af8ba459eff81f44a871b07a7b8c2d85f9da11e5f00c5556efe3afa84b92f
Instruction ID: 7e99bea27c79d7d26a35b608d4c562a3c62ac9c9eae01a42b3eb1500c1b700c6
Opcode Fuzzy Hash: 770af8ba459eff81f44a871b07a7b8c2d85f9da11e5f00c5556efe3afa84b92f
Instruction Fuzzy Hash: 35B19175D001099BCF16EF94C8869EEBBF9EF46310F114126E506AF2A1DB34BE85CB52

Function 003BAEA2 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 313COMMON

Download Yara Rule

APIs

__itow_s.LIBCMT ref: 003BAFAE

Strings

xb@, xrefs: 003BAFE4
xb@, xrefs: 003BB010

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: __itow_s
String ID: xb@$xb@
API String ID: 3653519197-193068574
Opcode ID: 4fe1b1f06a3039f3463d7508ce16b98eed697e8bbcd00f8c11c23c31da238079
Instruction ID: cf130a431081fa32d542cf100ce29665e81be60f3d9cfea41719a78a249951c1
Opcode Fuzzy Hash: 4fe1b1f06a3039f3463d7508ce16b98eed697e8bbcd00f8c11c23c31da238079
Instruction Fuzzy Hash: E6B17D70A00109EBCB15DF58C891EFABBF9EF59304F14805AFA459F692EB70E940CB60

Function 003AAFAC Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 0035FC86: _wcscpy.LIBCMT ref: 0035FCA9

Part of subcall function 00349837: __itow.LIBCMT ref: 00349862
Part of subcall function 00349837: __swprintf.LIBCMT ref: 003498AC

__wcsnicmp.LIBCMT ref: 003AB02D
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 003AB0F6

Strings

LPT, xrefs: 003AB027

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 2afaff1f0ae48d1ee439fd3c90745858346548b8c530161a5b4772d049d3ad13
Instruction ID: 80320b3dd8d4134037c193e7ecb8cd7c6b763c53bb6b238b0ed0777fc4a1def7
Opcode Fuzzy Hash: 2afaff1f0ae48d1ee439fd3c90745858346548b8c530161a5b4772d049d3ad13
Instruction Fuzzy Hash: 0A617275A00215AFCB16DF98C891EAEF7F8EF09310F11406AF956AF252D770AE44CB50

Function 00352957 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00352968
GlobalMemoryStatusEx.KERNEL32(?), ref: 00352981

Strings

@, xrefs: 00352975

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: f373ef26e97f6374550ca042b9cce745b4251c8db1a278ae499aa1b01774a060
Instruction ID: c738f77436d9784bfa7bed5624420db3ce1830c5826191a85455ed0f702ec67d
Opcode Fuzzy Hash: f373ef26e97f6374550ca042b9cce745b4251c8db1a278ae499aa1b01774a060
Instruction Fuzzy Hash: 415156724087449BD321EF14D886BAFBBECFF85340F42885DF2D8491A1DB309568CB66

Function 003A9734 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00344F0B: __fread_nolock.LIBCMT ref: 00344F29

_wcscmp.LIBCMT ref: 003A9824
_wcscmp.LIBCMT ref: 003A9837

Strings

FILE, xrefs: 003A9770

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 681c06df677f1ca07e1a55f5521d20a932e8b5c3d74b93f04d96132b06f1db21
Instruction ID: 7be5b47c8076aed76a3bfe2899b4ab892e811eafab20ac1fe8bf1a3bfa6fa4b2
Opcode Fuzzy Hash: 681c06df677f1ca07e1a55f5521d20a932e8b5c3d74b93f04d96132b06f1db21
Instruction Fuzzy Hash: BB41B671A00209BADF229AA1CC45FEFB7FDDF86710F01447AF904BF181DA75A9048B61

Function 00380574 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0038057F

Strings

Dd@, xrefs: 0034A317
Dd@, xrefs: 0034A151

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: ClearVariant
String ID: Dd@$Dd@
API String ID: 1473721057-3375393111
Opcode ID: 465c38df6d7f38610c92827cd3b99daa6c6aca72110f463a77fa5bce2f9e1947
Instruction ID: 82a6e0fc1be4b1297cda5d46830dbfd0139722c9f7740bf13c73f67e6da5184a
Opcode Fuzzy Hash: 465c38df6d7f38610c92827cd3b99daa6c6aca72110f463a77fa5bce2f9e1947
Instruction Fuzzy Hash: 205110786087018FD796DF18C580A1ABBF1FB88344F56886DF9868B321E331E885CF42

Function 003B258E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003B259E
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 003B25D4

Strings

|, xrefs: 003B25A5

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: f7c36077387d65ea4cc9bcdd4501fea322f0d562f2d4a3308c8883e5a3ba6687
Instruction ID: 8d61da684235376ecf14f7ad134197e3e980e90a28f8568efc54656d88a1ab5c
Opcode Fuzzy Hash: f7c36077387d65ea4cc9bcdd4501fea322f0d562f2d4a3308c8883e5a3ba6687
Instruction Fuzzy Hash: F8312871800119ABCF02EFA1CC85EEFBFB8FF08350F104159F954AA162EB316956DB60

Function 003C7A71 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 003C7B61
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 003C7B76

Strings

', xrefs: 003C7ACA

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: c28987faab0994beae231b40b29dd8383d792b8b052982a09796542b128ed5de
Instruction ID: df0b653b2632e66034f69cdacd122564b38b5547333f853cdd0b0fa448c25a6e
Opcode Fuzzy Hash: c28987faab0994beae231b40b29dd8383d792b8b052982a09796542b128ed5de
Instruction Fuzzy Hash: 9541D175A0520A9FDB15CF68C981BEABBB9FB08300F11416AED04EB391D771AD51CF90

Function 003C6A63 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 003C6B17
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 003C6B53

Strings

static, xrefs: 003C6AB3

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: d15c561571bdf025e246b11b5984ac9c5ab610552f216114f417587dde239f7d
Instruction ID: 1bed7742868e5b2c53d68a0927d3d1aecccbf4a6b07b3eb1ef302fa0bd386d91
Opcode Fuzzy Hash: d15c561571bdf025e246b11b5984ac9c5ab610552f216114f417587dde239f7d
Instruction Fuzzy Hash: D4316D71200604AEDB129F69CC81FFB77A9FF48760F11862DF9A5D7190DA31AC91DB60

Function 003A28A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003A2911
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 003A294C

Strings

0, xrefs: 003A290A

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 64df23767e956f4574f858fea7c8ff06a788bf1d982e3b78acfd99780cf9596e
Instruction ID: 54fa2b38d5ad447a74ba631328609461c26903398d0540ee2c7ac1360d1f8cf7
Opcode Fuzzy Hash: 64df23767e956f4574f858fea7c8ff06a788bf1d982e3b78acfd99780cf9596e
Instruction Fuzzy Hash: 2B31D2316003059FEB2ACF5CC985BAFBBB8EF46750F16402DED85A61A0D7709950CB51

Function 003C66D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 003C6761
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 003C676C

Strings

Combobox, xrefs: 003C672E

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 457fb3212a4725a88872a53a5a3bd93e1380f241d6b7f954f4126e78f6966c4f
Instruction ID: 506a88109be025acad1ebb49a788e79ec9f90e599ea782a86393b112e30047c8
Opcode Fuzzy Hash: 457fb3212a4725a88872a53a5a3bd93e1380f241d6b7f954f4126e78f6966c4f
Instruction Fuzzy Hash: B9118275200208AFEF129F54CC82FBB376EEB49368F114529F918DB290D671DC6197A0

Function 003C6C07 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00341D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00341D73
Part of subcall function 00341D35: GetStockObject.GDI32(00000011), ref: 00341D87
Part of subcall function 00341D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00341D91

GetWindowRect.USER32(00000000,?), ref: 003C6C71
GetSysColor.USER32(00000012), ref: 003C6C8B

Strings

static, xrefs: 003C6C4E

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 6bbe52668395424420c18331e15e14fc05b355bcf13eabffad42b7b2e3f06c8c
Instruction ID: 9d76210e46b663cd7337f99791dc1dcf9c2e5d41dc005d9cb0524b2db0899e72
Opcode Fuzzy Hash: 6bbe52668395424420c18331e15e14fc05b355bcf13eabffad42b7b2e3f06c8c
Instruction Fuzzy Hash: A1212672610209AFDF05DFA8CC46EFABBA9FB08314F014629F995E3250D735E861DB60

Function 003C6920 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 003C69A2
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 003C69B1

Strings

edit, xrefs: 003C6986

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 998db419e309890ac8c1923c170d30abe43541508cff26a811bb5e8f0b3aa9db
Instruction ID: 68b76061a255337e7638ab014f982b304344d9eb4277ead5253e1476b428f434
Opcode Fuzzy Hash: 998db419e309890ac8c1923c170d30abe43541508cff26a811bb5e8f0b3aa9db
Instruction Fuzzy Hash: 1A116D71500108AFEB128E649C42FEB37AEEB06374F514728F9A5D71E0C731DC519B60

Function 003A29AF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003A2A22
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 003A2A41

Strings

0, xrefs: 003A2A18

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 376f28375461beada461217a9c0b70498487ec6b5c2d0bad02dfbb455dbec53e
Instruction ID: 82da25bc5107b24b945dc27eb6d68c4b95c9902ba54cb387b128e7ea94549b24
Opcode Fuzzy Hash: 376f28375461beada461217a9c0b70498487ec6b5c2d0bad02dfbb455dbec53e
Instruction Fuzzy Hash: 1111D032A05114AFCF32DB9CD844BAB73B8EB47300F064021E855E7290DB30AD0ACB91

Function 003B21D6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 003B222C
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 003B2255

Strings

<local>, xrefs: 003B221D

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 31a55a0b810022c35ad3e43d0f449c845b1d4e5811c2ca29f11e6533597b597e
Instruction ID: 8595a4dc15c6824eb53a9083ba81d09e208c5b33a0109ec61f775937f94ec461
Opcode Fuzzy Hash: 31a55a0b810022c35ad3e43d0f449c845b1d4e5811c2ca29f11e6533597b597e
Instruction Fuzzy Hash: A811A370541225BEDB268F518C84EF7FBACFF16759F108B2AFA159A800D2705950D6F0

Function 0035092D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00343C14,004052F8,?,?,?), ref: 0035096E

Part of subcall function 00347BCC: _memmove.LIBCMT ref: 00347C06

_wcscat.LIBCMT ref: 00384CB7

Strings

S@, xrefs: 003509AE

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: FullNamePath_memmove_wcscat
String ID: S@
API String ID: 257928180-58448795
Opcode ID: a05a2e77c3dc69690d4af89942311c734ac77e723f5e07d7a2826b1296759a8d
Instruction ID: 2aebc0e7340791652904dbcb2209b2da4999ae27659a8043472229e4d5cbbb56
Opcode Fuzzy Hash: a05a2e77c3dc69690d4af89942311c734ac77e723f5e07d7a2826b1296759a8d
Instruction Fuzzy Hash: 1511A531905209AACB47FB64C806EDE77F8FF09341B0084A6BD48EB1A5EB71A7884B15

Function 00398E05 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00347DE1: _memmove.LIBCMT ref: 00347E22

Part of subcall function 0039AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0039AABC

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00398E73

Strings

ComboBox, xrefs: 00398E12
ListBox, xrefs: 00398E3D

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: c860a605b9c1cb9a16c737d1a89a6e7f57c17f73dd51cc81401d3b4453acb286
Instruction ID: 81b743ac30ee8bfeed689724f1f616d5e440b5dbfcfc2675d840408a48de711a
Opcode Fuzzy Hash: c860a605b9c1cb9a16c737d1a89a6e7f57c17f73dd51cc81401d3b4453acb286
Instruction Fuzzy Hash: D701B571E15619AB8F16EBA4CC568FE73A9AF46360B140A19F8215B3D2DF316808D690

Function 00398CFD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00347DE1: _memmove.LIBCMT ref: 00347E22

Part of subcall function 0039AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0039AABC

SendMessageW.USER32(?,00000180,00000000,?), ref: 00398D6B

Strings

ComboBox, xrefs: 00398D0A
ListBox, xrefs: 00398D35

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 8e379beea8593c88c5ae51206a45ec2ddaa9f21ec431a580711765e516e5b9ba
Instruction ID: 40fc934742fc500817c86a8bded2fb7d38f9c34cdcc8c0540f2254111f24cf81
Opcode Fuzzy Hash: 8e379beea8593c88c5ae51206a45ec2ddaa9f21ec431a580711765e516e5b9ba
Instruction Fuzzy Hash: 6201F7B1A41509ABDF17EBE0C952EFE73ACDF56340F100019B8016B2D2DF106E08D2B1

Function 00398D82 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00347DE1: _memmove.LIBCMT ref: 00347E22

Part of subcall function 0039AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0039AABC

SendMessageW.USER32(?,00000182,?,00000000), ref: 00398DEE

Strings

ComboBox, xrefs: 00398D8F
ListBox, xrefs: 00398DBA

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 2bd916b9c3d85987c274d38dd65e2ca5ab51d4ab4f6eff49e84c7bf123f97572
Instruction ID: 2392b70bfa25e56aa756c40588b370fd5ee44a0263ebcc13a53e24f1e258196f
Opcode Fuzzy Hash: 2bd916b9c3d85987c274d38dd65e2ca5ab51d4ab4f6eff49e84c7bf123f97572
Instruction Fuzzy Hash: 2F01A272A55509ABDF13EBA4C952EFE77AC9F16340F100015F805AB292DE259E18D2B1

Function 0039C4EB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0039C534

Part of subcall function 0039C816: _memmove.LIBCMT ref: 0039C860
Part of subcall function 0039C816: VariantInit.OLEAUT32(00000000), ref: 0039C882
Part of subcall function 0039C816: VariantCopy.OLEAUT32(00000000,?), ref: 0039C88C

VariantClear.OLEAUT32(?), ref: 0039C556

Strings

d}?, xrefs: 0039C517

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: Variant$Init$ClearCopy_memmove
String ID: d}?
API String ID: 2932060187-2624098408
Opcode ID: b7e4d1a84f31824c4c701caf3599513dad4e75811dfa2729b886ccc9b2cd4f92
Instruction ID: 6e4c08883328d429486a9c097be3bee68a8ef58cfd976e454a9b4268ef63315a
Opcode Fuzzy Hash: b7e4d1a84f31824c4c701caf3599513dad4e75811dfa2729b886ccc9b2cd4f92
Instruction Fuzzy Hash: B01100719007089FC711DF9AD88499BF7F8FF08310B50852FE58AD7611D771AA44CB50

Function 003A4F28 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 003A4F46
_wcscmp.LIBCMT ref: 003A4F58

Strings

#32770, xrefs: 003A4F52

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: ed00dc63669f5b474b4598915d18f3546a17162a6318e64bc3b6fe683df4bb5c
Instruction ID: fbc6f645bdf4ab3b6dc422180f570bcc79c145ac1ac5ce7bb71d407ad42d2763
Opcode Fuzzy Hash: ed00dc63669f5b474b4598915d18f3546a17162a6318e64bc3b6fe683df4bb5c
Instruction Fuzzy Hash: 65E0D13350422C2BD7119755AC45FA7F7ECDB85B71F010067FD04D7051D5709A558BE0

Function 0037B2C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0037B314: _memset.LIBCMT ref: 0037B321

Part of subcall function 00360940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0037B2F0,?,?,?,0034100A), ref: 00360945

IsDebuggerPresent.KERNEL32(?,?,?,0034100A), ref: 0037B2F4
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0034100A), ref: 0037B303

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0037B2FE

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: 142b6ff1d7d6a92454d35996cda722fcaadb04ad4bdfd3018e028e0e56f68f62
Instruction ID: 9b085dde63047e27e5e53d38eedba715f6213047395f2f80660f440468e893c2
Opcode Fuzzy Hash: 142b6ff1d7d6a92454d35996cda722fcaadb04ad4bdfd3018e028e0e56f68f62
Instruction Fuzzy Hash: C1E06578200B548FE7329F25D504743BAE8EF00304F008A6CE445CB250E7B8E444CBA1

Function 00381935 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 00381775

Part of subcall function 003BBFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,0038195E,?), ref: 003BBFFE
Part of subcall function 003BBFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 003BC010

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 0038196D

Strings

WIN_XPe, xrefs: 00381788

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: WIN_XPe
API String ID: 582185067-3257408948
Opcode ID: 4398304e893b1303709698f936ac2407ccff6127a3d82da290bbd5c8e46ac087
Instruction ID: b2e32753a39ed774c4c2bf876384e1d04471f604d5f45047a8739ebad8c368c7
Opcode Fuzzy Hash: 4398304e893b1303709698f936ac2407ccff6127a3d82da290bbd5c8e46ac087
Instruction Fuzzy Hash: 55F0C971801209DFDB16EB91C984AECBBFCAB08305F5504D9F102A64A0D7755F85DF64

Function 003C5964 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 003C596E
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 003C5981

Part of subcall function 003A5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 003A52BC

Strings

Shell_TrayWnd, xrefs: 003C5967

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 6516733cc7d3ad8d1835a1dc5329e26a359fd5bd12763b16948117cdcb5bf0ab
Instruction ID: 741216a036117357188edec97117538571ba81d9c0a850ca3cc9812bf59c3f7d
Opcode Fuzzy Hash: 6516733cc7d3ad8d1835a1dc5329e26a359fd5bd12763b16948117cdcb5bf0ab
Instruction Fuzzy Hash: D9D0C931384711BBE669AB709C0BFE66A29AB11B51F000825B34AEA1D0C9E4A800C754

Function 003C5998 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 003C59AE
PostMessageW.USER32(00000000), ref: 003C59B5

Part of subcall function 003A5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 003A52BC

Strings

Shell_TrayWnd, xrefs: 003C59A7

Memory Dump Source

Source File: 00000000.00000002.1355166000.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true

Associated: 00000000.00000002.1355134737.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003CF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355281769.00000000003F4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355354729.00000000003FE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1355380683.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_340000_OKkUGRkZV7.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 5623709e72e038cbc720c70ed67a8b4977e7f04c3e5bb20f2001d64e51ffdf3c
Instruction ID: d65c8bf8933b3572a00c06dedd6d6971cd778390da86d4e5706401dc655f20c7
Opcode Fuzzy Hash: 5623709e72e038cbc720c70ed67a8b4977e7f04c3e5bb20f2001d64e51ffdf3c
Instruction Fuzzy Hash: 29D0C9313807117BE66AAB709C0BFD66629AB16B51F000825B34AEA1D0C9E4A800C758

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Containers, IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report OKkUGRkZV7.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Remcos

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Stealing of Sensitive Information

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Privilege Escalation

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\remcos\logs.dat

C:\Users\user\AppData\Local\Temp\aut6FF.tmp

C:\Users\user\AppData\Local\Temp\autC2A3.tmp

C:\Users\user\AppData\Local\Temp\autD10A.tmp

C:\Users\user\AppData\Local\Temp\intemeration

C:\Users\user\AppData\Local\lecheries\ambiparous.exe

Windows Analysis Report
OKkUGRkZV7.exe

Function 00343B3A Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Function 003449A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 00344E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Function 003A9155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 00343015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Function 00343041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 0034708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00343633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowtimeregistryCOMMON

Function 00343A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as `sc query` , `tasklist /svc` , `systemctl --type=service` , and `net start` .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre