Edit tour

Windows Analysis Report
ewYjhndHg2.exe

Overview

General Information

Sample name:	ewYjhndHg2.exe renamed because original name is a hash value
Original sample name:	23699ad43e832923b83bc820adb52b17eb5bee5720129720d51a386fe9d59cac.exe
Analysis ID:	1588614
MD5:	85b9ba2dd4f28ba913277e6a47fdbda4
SHA1:	ab40621227145b3e32043fdaf96218f2b3088915
SHA256:	23699ad43e832923b83bc820adb52b17eb5bee5720129720d51a386fe9d59cac
Tags:	AgentTeslaexeuser-adrian__luca
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected AntiVM3

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Check if machine is in data center or colocation facility

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected Generic Downloader

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

May check the online IP address of the machine

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

ewYjhndHg2.exe (PID: 3716 cmdline: "C:\Users\user\Desktop\ewYjhndHg2.exe" MD5: 85B9BA2DD4F28BA913277E6A47FDBDA4)

RegSvcs.exe (PID: 6240 cmdline: "C:\Users\user\Desktop\ewYjhndHg2.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "FTP", "Host": "ftp://ftp.stingatoareincendii.ro", "Username": "mojooooofileeeee@stingatoareincendii.ro", "Password": "3.*RYhlG)lkA"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.2666039852.0000000002CD5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.2665049475.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.2665049475.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1461042753.0000000003370000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1461042753.0000000003370000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000000.00000002.1461042753.0000000003370000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1461042753.0000000003370000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34441:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x344b3:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3453d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x345cf:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x34639:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x346ab:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34741:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x347d1:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000000.00000002.1461042753.0000000003370000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x315d3:$s2: GetPrivateProfileString 0x30ca1:$s3: get_OSFullName 0x322d3:$s5: remove_Key 0x324aa:$s5: remove_Key 0x333db:$s6: FtpWebRequest 0x34423:$s7: logins 0x34995:$s7: logins 0x376a6:$s7: logins 0x37758:$s7: logins 0x390ad:$s7: logins 0x382f2:$s9: 1.85 (Hash, version 2, native byte-order)
Process Memory Space: ewYjhndHg2.exe PID: 3716	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: ewYjhndHg2.exe PID: 3716	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: ewYjhndHg2.exe PID: 3716	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 6240	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 6240	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 8 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34441:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x344b3:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3453d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x345cf:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x34639:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x346ab:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34741:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x347d1:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.RegSvcs.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x315d3:$s2: GetPrivateProfileString 0x30ca1:$s3: get_OSFullName 0x322d3:$s5: remove_Key 0x324aa:$s5: remove_Key 0x333db:$s6: FtpWebRequest 0x34423:$s7: logins 0x34995:$s7: logins 0x376a6:$s7: logins 0x37758:$s7: logins 0x390ad:$s7: logins 0x382f2:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.ewYjhndHg2.exe.3370000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.ewYjhndHg2.exe.3370000.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.ewYjhndHg2.exe.3370000.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x32641:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x326b3:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3273d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x327cf:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x32839:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x328ab:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x32941:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x329d1:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.ewYjhndHg2.exe.3370000.1.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x2f7d3:$s2: GetPrivateProfileString 0x2eea1:$s3: get_OSFullName 0x304d3:$s5: remove_Key 0x306aa:$s5: remove_Key 0x315db:$s6: FtpWebRequest 0x32623:$s7: logins 0x32b95:$s7: logins 0x358a6:$s7: logins 0x35958:$s7: logins 0x372ad:$s7: logins 0x364f2:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.ewYjhndHg2.exe.3370000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.ewYjhndHg2.exe.3370000.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.ewYjhndHg2.exe.3370000.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.ewYjhndHg2.exe.3370000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34441:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x344b3:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3453d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x345cf:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x34639:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x346ab:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34741:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x347d1:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.ewYjhndHg2.exe.3370000.1.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x315d3:$s2: GetPrivateProfileString 0x30ca1:$s3: get_OSFullName 0x322d3:$s5: remove_Key 0x324aa:$s5: remove_Key 0x333db:$s6: FtpWebRequest 0x34423:$s7: logins 0x34995:$s7: logins 0x376a6:$s7: logins 0x37758:$s7: logins 0x390ad:$s7: logins 0x382f2:$s9: 1.85 (Hash, version 2, native byte-order)
Click to see the 9 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0.2.ewYjhndHg2.exe.3370000.1.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.stingatoareincendii.ro", "Username": "mojooooofileeeee@stingatoareincendii.ro", "Password": "3.*RYhlG)lkA"}

Multi AV Scanner detection for submitted file

Source: ewYjhndHg2.exe	ReversingLabs: Detection: 73%
Source: ewYjhndHg2.exe	Virustotal: Detection: 66%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: ewYjhndHg2.exe

Joe Sandbox ML: detected

Source: ewYjhndHg2.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: wntdll.pdbUGP source: ewYjhndHg2.exe, 00000000.00000003.1457336387.0000000003550000.00000004.00001000.00020000.00000000.sdmp, ewYjhndHg2.exe, 00000000.00000003.1456452739.00000000033B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: ewYjhndHg2.exe, 00000000.00000003.1457336387.0000000003550000.00000004.00001000.00020000.00000000.sdmp, ewYjhndHg2.exe, 00000000.00000003.1456452739.00000000033B0000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\ewYjhndHg2.exe	Code function: 0_2_00A6445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00A6445A
Source: C:\Users\user\Desktop\ewYjhndHg2.exe	Code function: 0_2_00A6C6D1 FindFirstFileW,FindClose,	0_2_00A6C6D1
Source: C:\Users\user\Desktop\ewYjhndHg2.exe	Code function: 0_2_00A6C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00A6C75C
Source: C:\Users\user\Desktop\ewYjhndHg2.exe	Code function: 0_2_00A6EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00A6EF95
Source: C:\Users\user\Desktop\ewYjhndHg2.exe	Code function: 0_2_00A6F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00A6F0F2
Source: C:\Users\user\Desktop\ewYjhndHg2.exe	Code function: 0_2_00A6F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00A6F3F3
Source: C:\Users\user\Desktop\ewYjhndHg2.exe	Code function: 0_2_00A637EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00A637EF
Source: C:\Users\user\Desktop\ewYjhndHg2.exe	Code function: 0_2_00A63B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00A63B12
Source: C:\Users\user\Desktop\ewYjhndHg2.exe	Code function: 0_2_00A6BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00A6BCBC

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ewYjhndHg2.exe.3370000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1461042753.0000000003370000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 208.95.112.1 208.95.112.1

Source: unknown

DNS query: name: ip-api.com

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\ewYjhndHg2.exe

Code function: 0_2_00A722EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_00A722EE

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: ip-api.com

Source: RegSvcs.exe, 00000002.00000002.2666039852.0000000002D62000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2666039852.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2666039852.0000000002D7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: ewYjhndHg2.exe, 00000000.00000002.1461042753.0000000003370000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2666039852.0000000002D62000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2666039852.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2665049475.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: RegSvcs.exe, 00000002.00000002.2666039852.0000000002D62000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2666039852.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: ewYjhndHg2.exe, 00000000.00000002.1461042753.0000000003370000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2665049475.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/

Source: C:\Users\user\Desktop\ewYjhndHg2.exe

Code function: 0_2_00A74164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00A74164

Source: C:\Users\user\Desktop\ewYjhndHg2.exe

Code function: 0_2_00A74164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00A74164

Source: C:\Users\user\Desktop\ewYjhndHg2.exe

Code function: 0_2_00A73F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00A73F66

Source: C:\Users\user\Desktop\ewYjhndHg2.exe

Code function: 0_2_00A6001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00A6001C

Source: C:\Users\user\Desktop\ewYjhndHg2.exe

Code function: 0_2_00A8CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00A8CABC

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.ewYjhndHg2.exe.3370000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.ewYjhndHg2.exe.3370000.1.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.ewYjhndHg2.exe.3370000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.ewYjhndHg2.exe.3370000.1.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 00000000.00000002.1461042753.0000000003370000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000000.00000002.1461042753.0000000003370000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\ewYjhndHg2.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00A03B3A
Source: ewYjhndHg2.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: ewYjhndHg2.exe, 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_82086919-2
Source: ewYjhndHg2.exe, 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_6cecd845-3
Source: ewYjhndHg2.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_6f9305ee-9
Source: ewYjhndHg2.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_a64f3e24-c

Source: C:\Users\user\Desktop\ewYjhndHg2.exe

Code function: 0_2_00A6A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_00A6A1EF

Source: C:\Users\user\Desktop\ewYjhndHg2.exe

Code function: 0_2_00A58310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00A58310

Source: C:\Users\user\Desktop\ewYjhndHg2.exe

Code function: 0_2_00A651BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00A651BD

Source: C:\Users\user\Desktop\ewYjhndHg2.exe	Code function: 0_2_00A0E6A0	0_2_00A0E6A0
Source: C:\Users\user\Desktop\ewYjhndHg2.exe	Code function: 0_2_00A2D975	0_2_00A2D975
Source: C:\Users\user\Desktop\ewYjhndHg2.exe	Code function: 0_2_00A0FCE0	0_2_00A0FCE0
Source: C:\Users\user\Desktop\ewYjhndHg2.exe	Code function: 0_2_00A221C5	0_2_00A221C5
Source: C:\Users\user\Desktop\ewYjhndHg2.exe	Code function: 0_2_00A362D2	0_2_00A362D2
Source: C:\Users\user\Desktop\ewYjhndHg2.exe	Code function: 0_2_00A803DA	0_2_00A803DA
Source: C:\Users\user\Desktop\ewYjhndHg2.exe	Code function: 0_2_00A3242E	0_2_00A3242E
Source: C:\Users\user\Desktop\ewYjhndHg2.exe	Code function: 0_2_00A225FA	0_2_00A225FA
Source: C:\Users\user\Desktop\ewYjhndHg2.exe	Code function: 0_2_00A166E1	0_2_00A166E1
Source: C:\Users\user\Desktop\ewYjhndHg2.exe	Code function: 0_2_00A5E616	0_2_00A5E616
Source: C:\Users\user\Desktop\ewYjhndHg2.exe	Code function: 0_2_00A3878F	0_2_00A3878F
Source: C:\Users\user\Desktop\ewYjhndHg2.exe	Code function: 0_2_00A68889	0_2_00A68889
Source: C:\Users\user\Desktop\ewYjhndHg2.exe	Code function: 0_2_00A18808	0_2_00A18808
Source: C:\Users\user\Desktop\ewYjhndHg2.exe	Code function: 0_2_00A36844	0_2_00A36844
Source: C:\Users\user\Desktop\ewYjhndHg2.exe	Code function: 0_2_00A80857	0_2_00A80857
Source: C:\Users\user\Desktop\ewYjhndHg2.exe	Code function: 0_2_00A2CB21	0_2_00A2CB21
Source: C:\Users\user\Desktop\ewYjhndHg2.exe	Code function: 0_2_00A36DB6	0_2_00A36DB6
Source: C:\Users\user\Desktop\ewYjhndHg2.exe	Code function: 0_2_00A16F9E	0_2_00A16F9E
Source: C:\Users\user\Desktop\ewYjhndHg2.exe	Code function: 0_2_00A13030	0_2_00A13030
Source: C:\Users\user\Desktop\ewYjhndHg2.exe	Code function: 0_2_00A23187	0_2_00A23187
Source: C:\Users\user\Desktop\ewYjhndHg2.exe	Code function: 0_2_00A2F1D9	0_2_00A2F1D9
Source: C:\Users\user\Desktop\ewYjhndHg2.exe	Code function: 0_2_00A01287	0_2_00A01287
Source: C:\Users\user\Desktop\ewYjhndHg2.exe	Code function: 0_2_00A21484	0_2_00A21484
Source: C:\Users\user\Desktop\ewYjhndHg2.exe	Code function: 0_2_00A15520	0_2_00A15520
Source: C:\Users\user\Desktop\ewYjhndHg2.exe	Code function: 0_2_00A27696	0_2_00A27696
Source: C:\Users\user\Desktop\ewYjhndHg2.exe	Code function: 0_2_00A15760	0_2_00A15760
Source: C:\Users\user\Desktop\ewYjhndHg2.exe	Code function: 0_2_00A21978	0_2_00A21978
Source: C:\Users\user\Desktop\ewYjhndHg2.exe	Code function: 0_2_00A39AB5	0_2_00A39AB5
Source: C:\Users\user\Desktop\ewYjhndHg2.exe	Code function: 0_2_00A2BDA6	0_2_00A2BDA6
Source: C:\Users\user\Desktop\ewYjhndHg2.exe	Code function: 0_2_00A21D90	0_2_00A21D90
Source: C:\Users\user\Desktop\ewYjhndHg2.exe	Code function: 0_2_00A87DDB	0_2_00A87DDB
Source: C:\Users\user\Desktop\ewYjhndHg2.exe	Code function: 0_2_00A13FE0	0_2_00A13FE0
Source: C:\Users\user\Desktop\ewYjhndHg2.exe	Code function: 0_2_00A0DF00	0_2_00A0DF00
Source: C:\Users\user\Desktop\ewYjhndHg2.exe	Code function: 0_2_00CDE660	0_2_00CDE660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0115A620	2_2_0115A620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0115DA40	2_2_0115DA40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_01154A80	2_2_01154A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_01159E60	2_2_01159E60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_01153E68	2_2_01153E68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_011541B0	2_2_011541B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_065D2438	2_2_065D2438
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_065D1288	2_2_065D1288
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_065D3BD8	2_2_065D3BD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_065D34F0	2_2_065D34F0

Source: C:\Users\user\Desktop\ewYjhndHg2.exe	Code function: String function: 00A28900 appears 42 times
Source: C:\Users\user\Desktop\ewYjhndHg2.exe	Code function: String function: 00A07DE1 appears 35 times
Source: C:\Users\user\Desktop\ewYjhndHg2.exe	Code function: String function: 00A20AE3 appears 70 times

Source: ewYjhndHg2.exe, 00000000.00000003.1458323041.0000000003523000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs ewYjhndHg2.exe
Source: ewYjhndHg2.exe, 00000000.00000003.1458541326.00000000036CD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs ewYjhndHg2.exe
Source: ewYjhndHg2.exe, 00000000.00000002.1461042753.0000000003370000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamee8300309-2878-4eb6-9fa4-d88c99cb9494.exe4 vs ewYjhndHg2.exe

Source: ewYjhndHg2.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.ewYjhndHg2.exe.3370000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.ewYjhndHg2.exe.3370000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.ewYjhndHg2.exe.3370000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.ewYjhndHg2.exe.3370000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 00000000.00000002.1461042753.0000000003370000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000000.00000002.1461042753.0000000003370000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/2@1/1

Source: C:\Users\user\Desktop\ewYjhndHg2.exe

Code function: 0_2_00A6A06A GetLastError,FormatMessageW,

0_2_00A6A06A

Source: C:\Users\user\Desktop\ewYjhndHg2.exe	Code function: 0_2_00A581CB AdjustTokenPrivileges,CloseHandle,		0_2_00A581CB
Source: C:\Users\user\Desktop\ewYjhndHg2.exe	Code function: 0_2_00A587E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00A587E1

Source: C:\Users\user\Desktop\ewYjhndHg2.exe

Code function: 0_2_00A6B3FB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00A6B3FB

Source: C:\Users\user\Desktop\ewYjhndHg2.exe

Code function: 0_2_00A7EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00A7EE0D

Source: C:\Users\user\Desktop\ewYjhndHg2.exe

Code function: 0_2_00A783BB CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

0_2_00A783BB

Source: C:\Users\user\Desktop\ewYjhndHg2.exe

Code function: 0_2_00A04E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00A04E89

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\ewYjhndHg2.exe

File created: C:\Users\user\AppData\Local\Temp\aut6BCF.tmp

Jump to behavior

Source: ewYjhndHg2.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\ewYjhndHg2.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegSvcs.exe, 00000002.00000002.2666039852.0000000002DAC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2666039852.0000000002D9A000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: ewYjhndHg2.exe	ReversingLabs: Detection: 73%
Source: ewYjhndHg2.exe	Virustotal: Detection: 66%

Source: unknown	Process created: C:\Users\user\Desktop\ewYjhndHg2.exe "C:\Users\user\Desktop\ewYjhndHg2.exe"
Source: C:\Users\user\Desktop\ewYjhndHg2.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\ewYjhndHg2.exe"
Source: C:\Users\user\Desktop\ewYjhndHg2.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\ewYjhndHg2.exe"	Jump to behavior

Source: C:\Users\user\Desktop\ewYjhndHg2.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ewYjhndHg2.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\ewYjhndHg2.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\ewYjhndHg2.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\ewYjhndHg2.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\ewYjhndHg2.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ewYjhndHg2.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\ewYjhndHg2.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ewYjhndHg2.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ewYjhndHg2.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\ewYjhndHg2.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: ewYjhndHg2.exe

Static file information: File size 1088000 > 1048576

Source: ewYjhndHg2.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: ewYjhndHg2.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: ewYjhndHg2.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: ewYjhndHg2.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: ewYjhndHg2.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: ewYjhndHg2.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: ewYjhndHg2.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: ewYjhndHg2.exe, 00000000.00000003.1457336387.0000000003550000.00000004.00001000.00020000.00000000.sdmp, ewYjhndHg2.exe, 00000000.00000003.1456452739.00000000033B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: ewYjhndHg2.exe, 00000000.00000003.1457336387.0000000003550000.00000004.00001000.00020000.00000000.sdmp, ewYjhndHg2.exe, 00000000.00000003.1456452739.00000000033B0000.00000004.00001000.00020000.00000000.sdmp

Source: ewYjhndHg2.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: ewYjhndHg2.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: ewYjhndHg2.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: ewYjhndHg2.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: ewYjhndHg2.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\ewYjhndHg2.exe

Code function: 0_2_00A04B37 LoadLibraryA,GetProcAddress,

0_2_00A04B37

Source: C:\Users\user\Desktop\ewYjhndHg2.exe	Code function: 0_2_00A28945 push ecx; ret		0_2_00A28958
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_065DCB60 push es; ret		2_2_065DCB70

Source: C:\Users\user\Desktop\ewYjhndHg2.exe	Code function: 0_2_00A048D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00A048D7
Source: C:\Users\user\Desktop\ewYjhndHg2.exe	Code function: 0_2_00A85376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00A85376

Source: C:\Users\user\Desktop\ewYjhndHg2.exe

Code function: 0_2_00A23187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00A23187

Source: C:\Users\user\Desktop\ewYjhndHg2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ewYjhndHg2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: ewYjhndHg2.exe PID: 3716, type: MEMORYSTR

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\ewYjhndHg2.exe

API/Special instruction interceptor: Address: CDE284

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: ewYjhndHg2.exe, 00000000.00000002.1461042753.0000000003370000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2666039852.0000000002CD5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2666039852.0000000002D7C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2665049475.0000000000402000.00000040.80000000.00040000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\ewYjhndHg2.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-106518

Source: C:\Users\user\Desktop\ewYjhndHg2.exe

API coverage: 5.1 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\ewYjhndHg2.exe	Code function: 0_2_00A6445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00A6445A
Source: C:\Users\user\Desktop\ewYjhndHg2.exe	Code function: 0_2_00A6C6D1 FindFirstFileW,FindClose,	0_2_00A6C6D1
Source: C:\Users\user\Desktop\ewYjhndHg2.exe	Code function: 0_2_00A6C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00A6C75C
Source: C:\Users\user\Desktop\ewYjhndHg2.exe	Code function: 0_2_00A6EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00A6EF95
Source: C:\Users\user\Desktop\ewYjhndHg2.exe	Code function: 0_2_00A6F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00A6F0F2
Source: C:\Users\user\Desktop\ewYjhndHg2.exe	Code function: 0_2_00A6F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00A6F3F3
Source: C:\Users\user\Desktop\ewYjhndHg2.exe	Code function: 0_2_00A637EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00A637EF
Source: C:\Users\user\Desktop\ewYjhndHg2.exe	Code function: 0_2_00A63B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00A63B12
Source: C:\Users\user\Desktop\ewYjhndHg2.exe	Code function: 0_2_00A6BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00A6BCBC

Source: C:\Users\user\Desktop\ewYjhndHg2.exe

Code function: 0_2_00A049A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00A049A0

Source: RegSvcs.exe, 00000002.00000002.2666039852.0000000002D7C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: RegSvcs.exe, 00000002.00000002.2665049475.0000000000402000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: vmware
Source: RegSvcs.exe, 00000002.00000002.2665049475.0000000000402000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: VMwareVBoxESelect * from Win32_ComputerSystem
Source: RegSvcs.exe, 00000002.00000002.2667634738.000000000603A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\ewYjhndHg2.exe

API call chain: ExitProcess graph end node

graph_0-104434

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 2_2_01157068 CheckRemoteDebuggerPresent,

2_2_01157068

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\ewYjhndHg2.exe

Code function: 0_2_00A73F09 BlockInput,

0_2_00A73F09

Source: C:\Users\user\Desktop\ewYjhndHg2.exe

Code function: 0_2_00A03B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00A03B3A

Source: C:\Users\user\Desktop\ewYjhndHg2.exe

Code function: 0_2_00A35A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00A35A7C

Source: C:\Users\user\Desktop\ewYjhndHg2.exe

Code function: 0_2_00A04B37 LoadLibraryA,GetProcAddress,

0_2_00A04B37

Source: C:\Users\user\Desktop\ewYjhndHg2.exe	Code function: 0_2_00CDE4F0 mov eax, dword ptr fs:[00000030h]	0_2_00CDE4F0
Source: C:\Users\user\Desktop\ewYjhndHg2.exe	Code function: 0_2_00CDE550 mov eax, dword ptr fs:[00000030h]	0_2_00CDE550
Source: C:\Users\user\Desktop\ewYjhndHg2.exe	Code function: 0_2_00CDCEB0 mov eax, dword ptr fs:[00000030h]	0_2_00CDCEB0

Source: C:\Users\user\Desktop\ewYjhndHg2.exe

Code function: 0_2_00A580A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,

0_2_00A580A9

Source: C:\Users\user\Desktop\ewYjhndHg2.exe	Code function: 0_2_00A2A124 SetUnhandledExceptionFilter,		0_2_00A2A124
Source: C:\Users\user\Desktop\ewYjhndHg2.exe	Code function: 0_2_00A2A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_00A2A155

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\ewYjhndHg2.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\ewYjhndHg2.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: CFF008

Jump to behavior

Source: C:\Users\user\Desktop\ewYjhndHg2.exe

Code function: 0_2_00A587B1 LogonUserW,

0_2_00A587B1

Source: C:\Users\user\Desktop\ewYjhndHg2.exe

Code function: 0_2_00A03B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00A03B3A

Source: C:\Users\user\Desktop\ewYjhndHg2.exe

Code function: 0_2_00A048D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00A048D7

Source: C:\Users\user\Desktop\ewYjhndHg2.exe

Code function: 0_2_00A64C27 mouse_event,

0_2_00A64C27

Source: C:\Users\user\Desktop\ewYjhndHg2.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\ewYjhndHg2.exe"

Jump to behavior

Source: C:\Users\user\Desktop\ewYjhndHg2.exe

Code function: 0_2_00A57CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00A57CAF

Source: C:\Users\user\Desktop\ewYjhndHg2.exe

Code function: 0_2_00A5874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00A5874B

Source: ewYjhndHg2.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: ewYjhndHg2.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\ewYjhndHg2.exe

Code function: 0_2_00A2862B cpuid

0_2_00A2862B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\ewYjhndHg2.exe

Code function: 0_2_00A34E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00A34E87

Source: C:\Users\user\Desktop\ewYjhndHg2.exe

Code function: 0_2_00A41E06 GetUserNameW,

0_2_00A41E06

Source: C:\Users\user\Desktop\ewYjhndHg2.exe

Code function: 0_2_00A33F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00A33F3A

Source: C:\Users\user\Desktop\ewYjhndHg2.exe

Code function: 0_2_00A049A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00A049A0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ewYjhndHg2.exe.3370000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ewYjhndHg2.exe.3370000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2665049475.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1461042753.0000000003370000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ewYjhndHg2.exe PID: 3716, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6240, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: ewYjhndHg2.exe	Binary or memory string: WIN_81
Source: ewYjhndHg2.exe	Binary or memory string: WIN_XP
Source: ewYjhndHg2.exe	Binary or memory string: WIN_XPe
Source: ewYjhndHg2.exe	Binary or memory string: WIN_VISTA
Source: ewYjhndHg2.exe	Binary or memory string: WIN_7
Source: ewYjhndHg2.exe	Binary or memory string: WIN_8
Source: ewYjhndHg2.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ewYjhndHg2.exe.3370000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ewYjhndHg2.exe.3370000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2666039852.0000000002CD5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2665049475.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1461042753.0000000003370000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ewYjhndHg2.exe PID: 3716, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6240, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ewYjhndHg2.exe.3370000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ewYjhndHg2.exe.3370000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2665049475.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1461042753.0000000003370000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ewYjhndHg2.exe PID: 3716, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6240, type: MEMORYSTR

Source: C:\Users\user\Desktop\ewYjhndHg2.exe	Code function: 0_2_00A76283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00A76283
Source: C:\Users\user\Desktop\ewYjhndHg2.exe	Code function: 0_2_00A76747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00A76747

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	221 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	138 System Information Discovery	Distributed Component Object Model	21 Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	2 Valid Accounts	LSA Secrets	651 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	22 Virtualization/Sandbox Evasion	Cached Domain Credentials	22 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Access Token Manipulation	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	212 Process Injection	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
ewYjhndHg2.exe	74%	ReversingLabs	Win32.Trojan.AutoitInject
ewYjhndHg2.exe	67%	Virustotal		Browse
ewYjhndHg2.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ip-api.com	208.95.112.1	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ip-api.com/line/?fields=hosting	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://account.dyn.com/	ewYjhndHg2.exe, 00000000.00000002.1461042753.0000000003370000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2665049475.0000000000402000.00000040.80000000.00040000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000002.00000002.2666039852.0000000002D62000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2666039852.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp	false	high
http://ip-api.com	RegSvcs.exe, 00000002.00000002.2666039852.0000000002D62000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2666039852.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2666039852.0000000002D7C000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588614
Start date and time:	2025-01-11 03:08:40 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 52s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	ewYjhndHg2.exe renamed because original name is a hash value
Original Sample Name:	23699ad43e832923b83bc820adb52b17eb5bee5720129720d51a386fe9d59cac.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/2@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 54 Number of non-executed functions: 277
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 20.109.210.53, 4.175.87.197
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtQueryValueKey calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	uEuTtkxAqq.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	0I9GLRSiy0.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	NUGMrDcg4v.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	LMxd0gpIxe.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	rComprobante_swift_8676534657698632.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	28uMwHvbTD.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	e4Iw3lwFJ5.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	uOCavrYu1y.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	XoRPyi5s1i.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	NX8j2O83Wu.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ip-api.com	uEuTtkxAqq.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	0I9GLRSiy0.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	NUGMrDcg4v.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	LMxd0gpIxe.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	rComprobante_swift_8676534657698632.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	28uMwHvbTD.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	e4Iw3lwFJ5.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	uOCavrYu1y.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	XoRPyi5s1i.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	NX8j2O83Wu.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TUT-ASUS	uEuTtkxAqq.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	0I9GLRSiy0.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	NUGMrDcg4v.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	LMxd0gpIxe.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	rComprobante_swift_8676534657698632.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	28uMwHvbTD.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	e4Iw3lwFJ5.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	uOCavrYu1y.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	XoRPyi5s1i.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	NX8j2O83Wu.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1

Process:	C:\Users\user\Desktop\ewYjhndHg2.exe
File Type:	data
Category:	dropped
Size (bytes):	150952
Entropy (8bit):	7.937797990144525
Encrypted:	false
SSDEEP:	3072:bBtBf0MaAVR3aubjdPkjX/i4e7Jp12HgZNWNNalysEBWR8FtwbWDl9mXV9dV:DMAPjbRcjXm9KA7nqK4G6DT2V9j
MD5:	B2E25F46CB41C339AD073774BAC40D0E
SHA1:	BE9AFEC414145727C2335FDB0E113545297A499C
SHA-256:	8C72C3F9C7763CD82752C5497ECEB6287D5CF194A5128AE204EBBAE99215D52D
SHA-512:	6E3F908C4CA72620C5AABDEC1C3302D96EB8DE761D9B02226F13E0A6F28528D089785E8325B3C35A395F4BB1241DD03D94B3B975D33E3B1647C002E7770B1FB3
Malicious:	false
Reputation:	low
Preview:	EA06........)...6.Mj...U...Z..P.R..JeZ.U....l.#..@.J.s.O.xi....z.. ri,..%..fSy.V.3..s..i&...s.,.a.^cqY.Q3..).K..&l.u25B.Ps.}....Z...J...,E..6..;.w...h. .#.K..!.j... ...P...&ua.M..p..P..^.JqQ.M...M..U..]....n.8..";zm2!F....4Z.....#..@...#V.........5vs$.3$~.x.f>...........k5.I<....zX.....)..G.....E....O$.N..).4.".S...#.F... 4......@..D.>."Pj.Jt..P.al.zD......p....Gu..m....l".W.d.[.'R.........G.P.sz.?a..V0..6_o.....zf.e..5..'....g.).7i......-f.O.Yg..uK.....E.Mx.yf.l......l...N...~..t[U......[].u..:.76.O'Rk.J_3.H?..2..2..yl.....Tg1.e.mX.^(.......Y.S.6w...L.3...a7..& ..@.0..n....~..R.....q...!....T....P..X..mf.......I.........{.>.....x.L.:a..D......'......AN.~'.h.'k.....X..j.U..kmB.J.Q..jUZ.o.B....R.J.T.5-6.x.\......q..-.\wN...m-s.-(........n85.H...u.}^......z.m....U....s .S%..$..8.N.v8.V5...R.@.......]...Tv.N.W-=y.b.E.q..f..Q..U..:.A.Nh5....W.R/....OU..(.0D.o......aS...y..aQ..j.:...W.Ig...r.7.L.`.,..5.N)w.."iW...*............r.j...cWD.\

C:\Users\user\AppData\Local\Temp\intemeration

Download File

Process:	C:\Users\user\Desktop\ewYjhndHg2.exe
File Type:	data
Category:	dropped
Size (bytes):	244224
Entropy (8bit):	6.691330721634711
Encrypted:	false
SSDEEP:	6144:yoWjc7vFIRaZxm4OTVUBZw0ovC97DpCbC3Jk+dTHNiBVgv6DDHy4J:/IRCxmavystfTHNk2mG4J
MD5:	5B570ADBC0DD00AF116DB47548B7E464
SHA1:	DF95682BDFE128D7EF72BE8892F135F2770FE96D
SHA-256:	E0146C37FDA68183D21752991FE744A4216EAFA53B242FF2BA96F5BA19F1B3C1
SHA-512:	B345F78A7524187BE240E4E48598CE7F09394882874D77D300CCE916C17CC5DB2FBE01C73F99F70C737900E00490FE5880D7DCB37F1D5E65D6C453DE5B54B121
Malicious:	false
Reputation:	low
Preview:	...R;AP6L5WN..CU.NUER8APvH5WNLVCUANUER8AP6H5WNLVCUANUER8AP6H.WNLX\.ON.L...Qz...&%%c%3!273Ua3W&[8:l4&u3;;e;Va.y..:!(3mXLDqER8AP6He.NL.BVA...78AP6H5WN.VATJO^ER.BP6@5WNLVC;.MUEr8AP.K5WN.VCuANUGR8EP6H5WNLRCUANUER8aT6H7WNLVCUCN..R8QP6X5WNLFCUQNUER8A@6H5WNLVCUANM.Q8.P6H5.ML.FUANUER8AP6H5WNLVCUANQE^8AP6H5WNLVCUANUER8AP6H5WNLVCUANUER8AP6H5WNLVCUANUER8aP6@5WNLVCUANUEZ.AP~H5WNLVCUANUk&]9$6H5#.OVCuANU.Q8AR6H5WNLVCUANUER.APVfG$</VCU.KUER.BP6N5WN.UCUANUER8AP6H5.NL.m'$":&R8MP6H5WJLVAUAN.FR8AP6H5WNLVCU.NU.R8AP6H5WNLVCUANU..;AP6H5.NLVAUDN..P8.e7H6WNLWCUGNUER8AP6H5WNLVCUANUER8AP6H5WNLVCUANUER8AP6H5WNLV^......-.BWP.j.$.B..V..8.yGtB.7B...X.....=3..L.Le..L...C.=R7M....m%YIO8e?.X/.K....hd&x..0&.-...=g. Sa.....n.....L!....&..3Y%.6><:&{./3$ Q.R.I5WNL........Q9.le6XPxD;....f9....0LVC1ANU7R8A16H5.NLV,UAN;ER8?P6HKWNL.CUA.UER.AP6m5WN!VCUeNUE,8AP.5:X...&.UER8Ae....#.....y....0.H.Wo...'....@..N8.?v....M.%..Ej*V..mPOJRFWFJVIo6....UJHSAREMYx\s...i.q.o..?...k;.JH5WNLV.UA.UER..P.H5W.L.C..NUE..A.6.5...V

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.045686454020704
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	ewYjhndHg2.exe
File size:	1'088'000 bytes
MD5:	85b9ba2dd4f28ba913277e6a47fdbda4
SHA1:	ab40621227145b3e32043fdaf96218f2b3088915
SHA256:	23699ad43e832923b83bc820adb52b17eb5bee5720129720d51a386fe9d59cac
SHA512:	b323f172ea0d00bbc14efe67fbce98657ae6aef2c1cec15ad4afcaaffc0334a9ba46fc11457883ab616ccd88ce3f6450111eccab04c8adecf137ba50f3d372e2
SSDEEP:	24576:Zu6J33O0c+JY5UZ+XC0kGso6Fa85Us7nYE71gaQLuWY:bu0c++OCvkGs9Fa82sTcpY
TLSH:	3935BE2273DDC370CB669173BF29B7016EBF78614630B85B2F980D7DA950162262D7A3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x427dcd
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67503BEE [Wed Dec 4 11:24:30 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007F7B70D40ABAh
jmp 00007F7B70D33884h
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F7B70D33A0Ah
cmp edi, eax
jc 00007F7B70D33D6Eh
bt dword ptr [004C31FCh], 01h
jnc 00007F7B70D33A09h
rep movsb
jmp 00007F7B70D33D1Ch
cmp ecx, 00000080h
jc 00007F7B70D33BD4h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F7B70D33A10h
bt dword ptr [004BE324h], 01h
jc 00007F7B70D33EE0h
bt dword ptr [004C31FCh], 00000000h
jnc 00007F7B70D33BADh
test edi, 00000003h
jne 00007F7B70D33BBEh
test esi, 00000003h
jne 00007F7B70D33B9Dh
bt edi, 02h
jnc 00007F7B70D33A0Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F7B70D33A13h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F7B70D33A65h
bt esi, 03h
jnc 00007F7B70D33AB8h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD4 build 31101
[RES] VS2013 build 21005
[LNK] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xba44c	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x411cc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x109000	0x711c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4870	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dcc4	0x8de00	d28a820a1d9ff26cda02d12b888ba4b4	False	0.5728679102422908	data	6.676118058520316	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2e10e	0x2e200	79b14b254506b0dbc8cd0ad67fb70ad9	False	0.33535526761517614	OpenPGP Public Key	5.76010872795207	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbe000	0x8f74	0x5200	9f9d6f746f1a415a63de45f8b7983d33	False	0.1017530487804878	data	1.198745897703538	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc7000	0x411cc	0x41200	b35784b009fe7dca064196f130e522bb	False	0.8996858505278311	data	7.826924941322476	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x109000	0x711c	0x7200	6fcae3cbbf6bfbabf5ec5bbe7cf612c3	False	0.7650767543859649	data	6.779031650454199	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc75a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc76d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc77f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc7920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc7c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc7d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc8bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc9480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc99e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xcbf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xcd038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xcd4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xcd4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcda84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xce110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xce5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xceb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcf1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcf660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcf7b8	0x38493	data			1.0003513383388203
RT_GROUP_ICON	0x107c4c	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x107cc4	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x107cd8	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x107cec	0x14	data	English	Great Britain	1.25
RT_VERSION	0x107d00	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x107ddc	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 03:09:46.223186970 CET	49708	80	192.168.2.9	208.95.112.1
Jan 11, 2025 03:09:46.419579029 CET	80	49708	208.95.112.1	192.168.2.9
Jan 11, 2025 03:09:46.419657946 CET	49708	80	192.168.2.9	208.95.112.1
Jan 11, 2025 03:09:46.480153084 CET	49708	80	192.168.2.9	208.95.112.1
Jan 11, 2025 03:09:46.487288952 CET	80	49708	208.95.112.1	192.168.2.9
Jan 11, 2025 03:09:46.903521061 CET	80	49708	208.95.112.1	192.168.2.9
Jan 11, 2025 03:09:46.947943926 CET	49708	80	192.168.2.9	208.95.112.1
Jan 11, 2025 03:10:29.034212112 CET	80	49708	208.95.112.1	192.168.2.9
Jan 11, 2025 03:10:29.034293890 CET	49708	80	192.168.2.9	208.95.112.1
Jan 11, 2025 03:11:26.918354988 CET	49708	80	192.168.2.9	208.95.112.1
Jan 11, 2025 03:11:26.923166037 CET	80	49708	208.95.112.1	192.168.2.9

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 03:09:46.210097075 CET	58477	53	192.168.2.9	1.1.1.1
Jan 11, 2025 03:09:46.217175007 CET	53	58477	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 11, 2025 03:09:46.210097075 CET	192.168.2.9	1.1.1.1	0xb0d4	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 11, 2025 03:09:46.217175007 CET	1.1.1.1	192.168.2.9	0xb0d4	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49708	208.95.112.1	80	6240	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 03:09:46.480153084 CET	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Jan 11, 2025 03:09:46.903521061 CET	175	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 02:09:45 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

Target ID:	0
Start time:	21:09:40
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\ewYjhndHg2.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ewYjhndHg2.exe"
Imagebase:	0xa00000
File size:	1'088'000 bytes
MD5 hash:	85B9BA2DD4F28BA913277E6A47FDBDA4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1461042753.0000000003370000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000000.00000002.1461042753.0000000003370000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1461042753.0000000003370000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000000.00000002.1461042753.0000000003370000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_AgentTeslaV2, Description: AgenetTesla Type 2 Keylogger payload, Source: 00000000.00000002.1461042753.0000000003370000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	21:09:45
Start date:	10/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ewYjhndHg2.exe"
Imagebase:	0xa30000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2666039852.0000000002CD5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2665049475.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.2665049475.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	3.8%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	8.9%
Total number of Nodes:	2000
Total number of Limit Nodes:	53

Executed Functions

Function 00A03B3A Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00A03B68
IsDebuggerPresent.KERNEL32 ref: 00A03B7A
GetFullPathNameW.KERNEL32(00007FFF,?,?,00AC52F8,00AC52E0,?,?), ref: 00A03BEB

Part of subcall function 00A07BCC: _memmove.LIBCMT ref: 00A07C06

Part of subcall function 00A1092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00A03C14,00AC52F8,?,?,?), ref: 00A1096E

SetCurrentDirectoryW.KERNEL32(?), ref: 00A03C6F
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00AB7770,00000010), ref: 00A3D281
SetCurrentDirectoryW.KERNEL32(?,00AC52F8,?,?,?), ref: 00A3D2B9
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00AB4260,00AC52F8,?,?,?), ref: 00A3D33F
ShellExecuteW.SHELL32(00000000,?,?), ref: 00A3D346

Part of subcall function 00A03A46: GetSysColorBrush.USER32(0000000F), ref: 00A03A50
Part of subcall function 00A03A46: LoadCursorW.USER32(00000000,00007F00), ref: 00A03A5F
Part of subcall function 00A03A46: LoadIconW.USER32(00000063), ref: 00A03A76
Part of subcall function 00A03A46: LoadIconW.USER32(000000A4), ref: 00A03A88
Part of subcall function 00A03A46: LoadIconW.USER32(000000A2), ref: 00A03A9A
Part of subcall function 00A03A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00A03AC0
Part of subcall function 00A03A46: RegisterClassExW.USER32(?), ref: 00A03B16

Part of subcall function 00A039D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00A03A03
Part of subcall function 00A039D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00A03A24
Part of subcall function 00A039D5: ShowWindow.USER32(00000000,?,?), ref: 00A03A38
Part of subcall function 00A039D5: ShowWindow.USER32(00000000,?,?), ref: 00A03A41

Part of subcall function 00A0434A: _memset.LIBCMT ref: 00A04370
Part of subcall function 00A0434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00A04415

Strings

This is a third-party compiled AutoIt script., xrefs: 00A3D279
runas, xrefs: 00A3D33A

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas
API String ID: 529118366-3287110873
Opcode ID: 4ac4dabf4da4f6ff2c4deb22e36a17e40fd0901a8e1309046e54c4a23809897a
Instruction ID: 5c4cd4ebda6093fe2f08ad5d3ab072ff75c10f3819e3843d22a7e92c8e56250a
Opcode Fuzzy Hash: 4ac4dabf4da4f6ff2c4deb22e36a17e40fd0901a8e1309046e54c4a23809897a
Instruction Fuzzy Hash: 7451B371D0814DAEDF11EBF5FD05EED7BBCAB49740F014069F421A61E2DAB06A86CB21

Function 00A049A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00A049CD

Part of subcall function 00A07BCC: _memmove.LIBCMT ref: 00A07C06

GetCurrentProcess.KERNEL32(?,00A8FAEC,00000000,00000000,?), ref: 00A04A9A
IsWow64Process.KERNEL32(00000000), ref: 00A04AA1
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00A04AE7
FreeLibrary.KERNEL32(00000000), ref: 00A04AF2
GetSystemInfo.KERNEL32(00000000), ref: 00A04B23
GetSystemInfo.KERNEL32(00000000), ref: 00A04B2F

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: d9f002a5a512c25739e6d3780ef5b572c8bcb9eef38e19fdf8e9f20b1443991e
Instruction ID: 1b7d83f0adf59246f1420253b85e82f956f41e42cf76c33545d930c1450201ce
Opcode Fuzzy Hash: d9f002a5a512c25739e6d3780ef5b572c8bcb9eef38e19fdf8e9f20b1443991e
Instruction Fuzzy Hash: CC91A4719897C5DECB31DB68A5501AAFFF5BF2A300F4449ADE1C793A81D220B908C769

Function 00A04E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00A04D8E,?,?,00000000,00000000), ref: 00A04E99
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00A04D8E,?,?,00000000,00000000), ref: 00A04EB0
LoadResource.KERNEL32(?,00000000,?,?,00A04D8E,?,?,00000000,00000000,?,?,?,?,?,?,00A04E2F), ref: 00A3D937
SizeofResource.KERNEL32(?,00000000,?,?,00A04D8E,?,?,00000000,00000000,?,?,?,?,?,?,00A04E2F), ref: 00A3D94C
LockResource.KERNEL32(00A04D8E,?,?,00A04D8E,?,?,00000000,00000000,?,?,?,?,?,?,00A04E2F,00000000), ref: 00A3D95F

Strings

SCRIPT, xrefs: 00A04EA6

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 1ce7e4dbc41b7f900acd284fe3673e96845466b6e738093468496ec7c2777848
Instruction ID: 53c77deb2e3f1e86f0519803955772b9db592a34d55cea4556950439c374dda1
Opcode Fuzzy Hash: 1ce7e4dbc41b7f900acd284fe3673e96845466b6e738093468496ec7c2777848
Instruction Fuzzy Hash: 12115EB5240705BFD7218BA5EC48FA77BBAFBC9B51F204268F505C62A0DB71E8028660

Function 00A0FCE0 Relevance: 5.5, APIs: 3, Instructions: 1040COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: BuffCharUpper
String ID:
API String ID: 3964851224-0
Opcode ID: d4cd3b073bd3da0563ec709172d0bc467246acf25060961f7d30ab35c4d3276e
Instruction ID: 52c09fd0841652770406807361f945a3bd926edb485dcf4b67ef71c211b48abd
Opcode Fuzzy Hash: d4cd3b073bd3da0563ec709172d0bc467246acf25060961f7d30ab35c4d3276e
Instruction Fuzzy Hash: 6E926A746083419FD720DF18C580B6AB7F1BF89304F14896DE89A9B392D7B5EC85CB92

Function 00A6445A Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00A3E398), ref: 00A6446A
FindFirstFileW.KERNELBASE(?,?), ref: 00A6447B
FindClose.KERNEL32(00000000), ref: 00A6448B

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 20b886469cd33c98d9bd76870f3736f82f1d47ef9c0e5156179ac0c409a8fb7c
Instruction ID: 9610ae129add7d75de9d28a709a28fb800b5bafd3edd2eae89ab440a02e0ec81
Opcode Fuzzy Hash: 20b886469cd33c98d9bd76870f3736f82f1d47ef9c0e5156179ac0c409a8fb7c
Instruction Fuzzy Hash: 69E0DF328109026F8210AB78EC0E8EA77AC9E49336F204726F835C20E0FBB499009696

Function 00A0E6A0 Relevance: 2.4, Strings: 1, Instructions: 1102COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 00A43E62

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: 8b67c1b61b0b7c7592677befeaefd29ad0bca7967f1cf25c6d00e62723667981
Instruction ID: 22ea5ce162d0ebb1416a08758e3078cf4118b2edf2533c792c1e5f71802ef98a
Opcode Fuzzy Hash: 8b67c1b61b0b7c7592677befeaefd29ad0bca7967f1cf25c6d00e62723667981
Instruction Fuzzy Hash: BEA29F75A00209CFCF24CF98E580AAEB7B1FF59314F248969E905AB391D735ED42DB90

Function 00A109D0 Relevance: 57.3, APIs: 27, Strings: 5, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A10A5B
timeGetTime.WINMM ref: 00A10D16
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A10E53
Sleep.KERNEL32(0000000A), ref: 00A10E61
LockWindowUpdate.USER32(00000000,?,?), ref: 00A10EFA
DestroyWindow.USER32 ref: 00A10F06
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00A10F20
Sleep.KERNEL32(0000000A,?,?), ref: 00A44E83
TranslateMessage.USER32(?), ref: 00A45C60
DispatchMessageW.USER32(?), ref: 00A45C6E
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00A45C82

Strings

@TRAY_ID, xrefs: 00A4578F
@GUI_CTRLID, xrefs: 00A44F3A
@COM_EVENTOBJ, xrefs: 00A454F0
@GUI_WINHANDLE, xrefs: 00A44F8F
@GUI_CTRLHANDLE, xrefs: 00A44FE4

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 4212290369-3242690629
Opcode ID: 0b4d6a9705bd130cce3f0723ca72ce14398b1bf462eafd273276c3d7524f0c6d
Instruction ID: 7569b071fa880ba1bd8e62d7ca3e3a2aab9bbfae228497e0a8b260c8d1ecebf4
Opcode Fuzzy Hash: 0b4d6a9705bd130cce3f0723ca72ce14398b1bf462eafd273276c3d7524f0c6d
Instruction Fuzzy Hash: 76B2BF74A08741DFD728DF24C984FAAB7E5BF84304F14491DF589972A2DBB1E885CB82

Function 00A69155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00A68F5F: __time64.LIBCMT ref: 00A68F69

Part of subcall function 00A04EE5: _fseek.LIBCMT ref: 00A04EFD

__wsplitpath.LIBCMT ref: 00A69234

Part of subcall function 00A240FB: __wsplitpath_helper.LIBCMT ref: 00A2413B

_wcscpy.LIBCMT ref: 00A69247
_wcscat.LIBCMT ref: 00A6925A
__wsplitpath.LIBCMT ref: 00A6927F
_wcscat.LIBCMT ref: 00A69295
_wcscat.LIBCMT ref: 00A692A8

Part of subcall function 00A68FA5: _memmove.LIBCMT ref: 00A68FDE
Part of subcall function 00A68FA5: _memmove.LIBCMT ref: 00A68FED

_wcscmp.LIBCMT ref: 00A691EF

Part of subcall function 00A69734: _wcscmp.LIBCMT ref: 00A69824
Part of subcall function 00A69734: _wcscmp.LIBCMT ref: 00A69837

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00A69452
_wcsncpy.LIBCMT ref: 00A694C5
DeleteFileW.KERNEL32(?,?), ref: 00A694FB
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00A69511
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00A69522
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00A69534

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: 306adaf90e2634146c8ab534f3a8217864b3dc7666462dccde902085b3e9303f
Instruction ID: 560de522628e57e720cc0b412ed6107eec252b3e8c3384e1de83a043ad2892f5
Opcode Fuzzy Hash: 306adaf90e2634146c8ab534f3a8217864b3dc7666462dccde902085b3e9303f
Instruction Fuzzy Hash: AAC14EB1D00229AADF11DFA5DD85ADFBBBDEF49310F0040AAF609E7151EB309A458F61

Function 00A03015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 70
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00A03074
RegisterClassExW.USER32(00000030), ref: 00A0309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00A030AF
InitCommonControlsEx.COMCTL32(?), ref: 00A030CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00A030DC
LoadIconW.USER32(000000A9), ref: 00A030F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00A03101

Strings

TaskbarCreated, xrefs: 00A030A4
AutoIt v3 GUI, xrefs: 00A03090
+, xrefs: 00A0305D
0, xrefs: 00A03056

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 71716c731823221074342d4eeb08e6efa3f8443a4d0ed3d1f9137c683575f23c
Instruction ID: a18b395584e1f85331e03e4a82c532f80bd658ef3f71db56469d79bab2f8ae25
Opcode Fuzzy Hash: 71716c731823221074342d4eeb08e6efa3f8443a4d0ed3d1f9137c683575f23c
Instruction Fuzzy Hash: 6B31E7B1D4020AEFDB10DFE4E889AC9BBF0FB08310F15452AF581E62A0E7B91596CF51

Function 00A03041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00A03074
RegisterClassExW.USER32(00000030), ref: 00A0309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00A030AF
InitCommonControlsEx.COMCTL32(?), ref: 00A030CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00A030DC
LoadIconW.USER32(000000A9), ref: 00A030F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00A03101

Strings

TaskbarCreated, xrefs: 00A030A4
AutoIt v3 GUI, xrefs: 00A03090
+, xrefs: 00A0305D
0, xrefs: 00A03056

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 2c6d7c24e7ad0b82bccb334ef455115a9acb90ab7c3cc595adee64ea92a42c94
Instruction ID: 01a0d6abcf213f32fc8404e60b71afd029a97db0ffed508369ce62610d1732e9
Opcode Fuzzy Hash: 2c6d7c24e7ad0b82bccb334ef455115a9acb90ab7c3cc595adee64ea92a42c94
Instruction Fuzzy Hash: D521C2B1D11219AFEB00DFE4EC89BDDBBF4FB08710F10412AF911A62A0D7B155969F91

Function 00A0708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00A04706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00AC52F8,?,00A037AE,?), ref: 00A04724

Part of subcall function 00A2050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00A07165), ref: 00A2052D

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00A071A8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00A3E8C8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00A3E909
RegCloseKey.ADVAPI32(?), ref: 00A3E947
_wcscat.LIBCMT ref: 00A3E9A0

Strings

\, xrefs: 00A3E9C3
Include, xrefs: 00A3E8BF, 00A3E900
Software\AutoIt v3\AutoIt, xrefs: 00A0719E
\Include\, xrefs: 00A07165

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 44c78365983bd414e20d2694de71c313ec50e5da207761e19b06c021d50ea8e9
Instruction ID: 9df4156661238d80e8709d7bbbc26bbc0d866ad5c9d5ff89bdd4152df2994039
Opcode Fuzzy Hash: 44c78365983bd414e20d2694de71c313ec50e5da207761e19b06c021d50ea8e9
Instruction Fuzzy Hash: DF718E71908305AEC700EFA9ED81DAFBBE8FF84350F41092EF445871A1EB71A949CB52

Function 00A03A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00A03A50
LoadCursorW.USER32(00000000,00007F00), ref: 00A03A5F
LoadIconW.USER32(00000063), ref: 00A03A76
LoadIconW.USER32(000000A4), ref: 00A03A88
LoadIconW.USER32(000000A2), ref: 00A03A9A
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00A03AC0
RegisterClassExW.USER32(?), ref: 00A03B16

Part of subcall function 00A03041: GetSysColorBrush.USER32(0000000F), ref: 00A03074
Part of subcall function 00A03041: RegisterClassExW.USER32(00000030), ref: 00A0309E
Part of subcall function 00A03041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00A030AF
Part of subcall function 00A03041: InitCommonControlsEx.COMCTL32(?), ref: 00A030CC
Part of subcall function 00A03041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00A030DC
Part of subcall function 00A03041: LoadIconW.USER32(000000A9), ref: 00A030F2
Part of subcall function 00A03041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00A03101

Strings

#, xrefs: 00A03AFB
AutoIt v3, xrefs: 00A03B05
0, xrefs: 00A03AF4

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 90ce6ea9f0feb32287fb3052363aa4631224639c329d4ab8210e420a3d93cd5a
Instruction ID: 423b359d360777f7b7c441237913403469dfbb60d30f6482e1718131637e8768
Opcode Fuzzy Hash: 90ce6ea9f0feb32287fb3052363aa4631224639c329d4ab8210e420a3d93cd5a
Instruction Fuzzy Hash: C121F3B1D00309AFEB10DFF4ED49B9D7BF4EB08711F11012AF504AA2A1D3B666928B94

Function 00A03633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00A036D2
KillTimer.USER32(?,00000001), ref: 00A036FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00A0371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00A0372A
CreatePopupMenu.USER32 ref: 00A0373E
PostQuitMessage.USER32(00000000), ref: 00A0374D

Strings

TaskbarCreated, xrefs: 00A03725

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 1d7049d39f62d7fd4f02d6a748a98d3a6a48f9ba53547ade1c9bdf399ad81d3c
Instruction ID: 0fe016369f7248649dd5b13cded1cd21518c37c2380000b95e9d2b7b137d7a00
Opcode Fuzzy Hash: 1d7049d39f62d7fd4f02d6a748a98d3a6a48f9ba53547ade1c9bdf399ad81d3c
Instruction Fuzzy Hash: 9441C5B391050DABDF14DFB8FD09FBA37ADEB05300F500129F602962E1DA62A9929761

Function 00A03766 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

/AutoIt3ExecuteScript, xrefs: 00A038BC
CMDLINERAW, xrefs: 00A037FB
/AutoIt3ExecuteLine, xrefs: 00A038A7
CMDLINE, xrefs: 00A03822
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 00A037AE
/ErrorStdOut, xrefs: 00A0387D
/AutoIt3OutputDebug, xrefs: 00A03892

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
API String ID: 1825951767-3513169116
Opcode ID: ce60aba65fc3fde3e281075e92ca5a328ca650f56e3ee640544e847517099f15
Instruction ID: 5b81afb684919cc7530d4b263ed5ea3ad36357c247e768a607e8cd927eac652b
Opcode Fuzzy Hash: ce60aba65fc3fde3e281075e92ca5a328ca650f56e3ee640544e847517099f15
Instruction Fuzzy Hash: 71A12972D1022DAACF05EBA4ED91EEEB7B8BF14310F440529F416A71D1EB746A48CB60

Function 00CDD640 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 00CDD711
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00CDD937

Memory Dump Source

Source File: 00000000.00000002.1460615264.0000000000CDB000.00000040.00000020.00020000.00000000.sdmp, Offset: 00CDB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cdb000_ewYjhndHg2.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: c604c45430315f2d7ac9edfc96fa3ed3524b16f7139e20e6f85f26396c7b052c
Instruction ID: b8572f427b54b8c9271515550420ca9153a96c68c5afd6408029b355824816dd
Opcode Fuzzy Hash: c604c45430315f2d7ac9edfc96fa3ed3524b16f7139e20e6f85f26396c7b052c
Instruction Fuzzy Hash: F4A11874E00209EBDB14DFA5C894BEEBBB5FF48304F20855AE216BB380D7759A41DB94

Function 00A039D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00A03A03
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00A03A24
ShowWindow.USER32(00000000,?,?), ref: 00A03A38
ShowWindow.USER32(00000000,?,?), ref: 00A03A41

Strings

edit, xrefs: 00A03A1E
AutoIt v3, xrefs: 00A039FB, 00A03A00, 00A03A01

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: dbea388424b5f9b28e3991a3665d2ee4760623595f94e6c515cbd077d842e646
Instruction ID: 48d39f7478ec2a00f218db581cf354c44016106f107c26fbfff199d12bb3886f
Opcode Fuzzy Hash: dbea388424b5f9b28e3991a3665d2ee4760623595f94e6c515cbd077d842e646
Instruction Fuzzy Hash: 7BF03070900290BEEB3097A3AC48EA73EBDD7C6F50B010029B900B2170C2716882CA70

Function 00CDD3F0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 151
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00CDD2E0: Sleep.KERNELBASE(000001F4), ref: 00CDD2F1

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00CDD530

Strings

NUER8AP6H5WNLVCUA, xrefs: 00CDD593, 00CDD596

Memory Dump Source

Source File: 00000000.00000002.1460615264.0000000000CDB000.00000040.00000020.00020000.00000000.sdmp, Offset: 00CDB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cdb000_ewYjhndHg2.jbxd

Similarity

API ID: CreateFileSleep
String ID: NUER8AP6H5WNLVCUA
API String ID: 2694422964-261232502
Opcode ID: 340a37b9395223b628bacb60eb2df7803c1de40519dac5b87e949483112ada40
Instruction ID: edbcba4c7d25971247ae852bbda65ba84a305542a48f8dd459b8e8b63f7b547b
Opcode Fuzzy Hash: 340a37b9395223b628bacb60eb2df7803c1de40519dac5b87e949483112ada40
Instruction Fuzzy Hash: 4B517070D14248DBEF11DBB4D854BEEBBB9AF18304F104199E209BB2C1D7BA5B44CB66

Function 00A0407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00A3D3D7

Part of subcall function 00A07BCC: _memmove.LIBCMT ref: 00A07C06

_memset.LIBCMT ref: 00A040FC
_wcscpy.LIBCMT ref: 00A04150
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00A04160

Strings

Line: , xrefs: 00A3D400

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: 53ff2de8d829289ec5edd93cf426f0b4bb403d464cda39b4d4aaec0ef6d87a28
Instruction ID: 5d2d572f6a5a4914cac6baa874256a09fa208bef03f1bd20c27e969c035d62dc
Opcode Fuzzy Hash: 53ff2de8d829289ec5edd93cf426f0b4bb403d464cda39b4d4aaec0ef6d87a28
Instruction Fuzzy Hash: 4D31B2B1808309AED320EFA0FD45FDB77E8AF44304F10491AF685920D1DB74A649CB92

Function 00A2541D Relevance: 7.7, APIs: 5, Instructions: 163
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 00A2547B
_memcpy_s.LIBCMT ref: 00A254ED
__read_nolock.LIBCMT ref: 00A2554B
__filbuf.LIBCMT ref: 00A2556E
_memset.LIBCMT ref: 00A255B2

Part of subcall function 00A28B28: __getptd_noexit.LIBCMT ref: 00A28B28

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
Instruction ID: 243849ee16fc0ca7cbc6cc89d67c08ad07340be8490ee83058a82653c32e3566
Opcode Fuzzy Hash: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
Instruction Fuzzy Hash: 64518070E00B259BDB249F7DE98066EB7B6BF41325F248739F825962D1D770DD908B40

Function 00A0686A Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 00A04DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00AC52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00A04E0F

_free.LIBCMT ref: 00A3E263
_free.LIBCMT ref: 00A3E2AA

Part of subcall function 00A06A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00A06BAD

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00A3E039
Bad directive syntax error, xrefs: 00A3E292

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: c6f3c6bef8fd8ba6f6db6ad086f3219da9d9f86640d1b9c68a69bca816f38362
Instruction ID: d12c71afcfc9f2460ae0a3420ab221248a0adb8bfd6cc569c98335a5e1627537
Opcode Fuzzy Hash: c6f3c6bef8fd8ba6f6db6ad086f3219da9d9f86640d1b9c68a69bca816f38362
Instruction Fuzzy Hash: 0091587191021DAFCF08EFA4D9919EEB7B8BF19314F10442AF816AB2E1DB70A955CB50

Function 00A035B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00A035A1,SwapMouseButtons,00000004,?), ref: 00A035D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00A035A1,SwapMouseButtons,00000004,?,?,?,?,00A02754), ref: 00A035F5
RegCloseKey.KERNELBASE(00000000,?,?,00A035A1,SwapMouseButtons,00000004,?,?,?,?,00A02754), ref: 00A03617

Strings

Control Panel\Mouse, xrefs: 00A035D2

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 82820fbec06cc50554a3c5ef331f9379a87717c2e0cc4718ea6e129890f23f35
Instruction ID: e9bb3728142f2580b82504a26eebd4b613c4e003612d1f0c79fdc42064dc20dd
Opcode Fuzzy Hash: 82820fbec06cc50554a3c5ef331f9379a87717c2e0cc4718ea6e129890f23f35
Instruction Fuzzy Hash: DE11487251020CBFDF20CFA4EC409AFB7BCEF04740F108469E805D7250E6729E419760

Function 00CDC2E0 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 00CDCB0D
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00CDCB31
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00CDCB53

Memory Dump Source

Source File: 00000000.00000002.1460615264.0000000000CDB000.00000040.00000020.00020000.00000000.sdmp, Offset: 00CDB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cdb000_ewYjhndHg2.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: e8e7a77c1c38f92167ec50984bffac71589908538948dc0fdf133907e09ee162
Instruction ID: 5743b45b547c3a4f75f1d6dd9f5ff7446326728304d3bb67a41d2c21e9669e46
Opcode Fuzzy Hash: e8e7a77c1c38f92167ec50984bffac71589908538948dc0fdf133907e09ee162
Instruction Fuzzy Hash: A7621E70A14259DBEB24CFA4C881BDEB376EF58300F1091A9D21DEB390E7759E81CB59

Function 00A6955B Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00A04EE5: _fseek.LIBCMT ref: 00A04EFD

Part of subcall function 00A69734: _wcscmp.LIBCMT ref: 00A69824
Part of subcall function 00A69734: _wcscmp.LIBCMT ref: 00A69837

_free.LIBCMT ref: 00A696A2
_free.LIBCMT ref: 00A696A9
_free.LIBCMT ref: 00A69714

Part of subcall function 00A22D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00A29A24), ref: 00A22D69
Part of subcall function 00A22D55: GetLastError.KERNEL32(00000000,?,00A29A24), ref: 00A22D7B

_free.LIBCMT ref: 00A6971C

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 57d0d2f04a8deae04fb8388104c663c78e861137db03f429770e89b5c3a69279
Instruction ID: f2be66cb9a3ab9175e7ae186302d808eb31b3a63c76aab107c26c6fe75af58e4
Opcode Fuzzy Hash: 57d0d2f04a8deae04fb8388104c663c78e861137db03f429770e89b5c3a69279
Instruction Fuzzy Hash: FC514DB1D04259AFDF249F64DC81A9EBBB9FF48300F1045AEF609A3241DB715A90CF58

Function 00A2470A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00A247A0
__flush.LIBCMT ref: 00A247C0
__write.LIBCMT ref: 00A247F3
__flsbuf.LIBCMT ref: 00A24821

Part of subcall function 00A28B28: __getptd_noexit.LIBCMT ref: 00A28B28

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction ID: b23306783b40eaca12b45ac89fd486af644d8b33294e1e35aa105e0005e12a04
Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction Fuzzy Hash: 3341D775B00B659FDB18CF6DE9809AE7BB6EF49360B24813DE825C7640D770DD408B40

Function 00A044A0 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A044CF

Part of subcall function 00A0407C: _memset.LIBCMT ref: 00A040FC
Part of subcall function 00A0407C: _wcscpy.LIBCMT ref: 00A04150
Part of subcall function 00A0407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00A04160

KillTimer.USER32(?,00000001,?,?), ref: 00A04524
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00A04533
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00A3D4B9

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: b79205f6f999ed4222e950f6edba84619579d667140909ca85079272dc692ea6
Instruction ID: 43e5ad1fb00a480a3be48dcc5b9e55e228cf06d6bdacd76fa335fda5c426210b
Opcode Fuzzy Hash: b79205f6f999ed4222e950f6edba84619579d667140909ca85079272dc692ea6
Instruction Fuzzy Hash: 5521C5B0904798AFE732CB64AC55BE6BBECAB05318F04009DF79A5A181C3742D85CB51

Function 00A07285 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A3EA39
GetOpenFileNameW.COMDLG32(?), ref: 00A3EA83

Part of subcall function 00A04750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A04743,?,?,00A037AE,?), ref: 00A04770

Part of subcall function 00A20791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00A207B0

Strings

X, xrefs: 00A3EA51

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: 7c8c290a296ca843265ba7ffa7c999c968cccd5004d8131b8e56f78b64d50916
Instruction ID: bcaab4be8f974a2ef1ee84ef39c1a762ef6efdd27996ad07c7af4deb0df08999
Opcode Fuzzy Hash: 7c8c290a296ca843265ba7ffa7c999c968cccd5004d8131b8e56f78b64d50916
Instruction Fuzzy Hash: 3C219371E0025C9BDB41DF98D845BEE7BFCAF49714F004059F508AB282DBB45989CFA1

Function 00A68D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00A68DAC
__fread_nolock.LIBCMT ref: 00A68DC1

Strings

EA06, xrefs: 00A68DF3

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 9a01e92bad6019a411709813fe0a097185793ccfc60f3338ab6b4c96b56ab772
Instruction ID: d18bd9fd2b385161d51bd7f9a2f2d27032bf5630cd7f836a2552aaf2cf5cf4b7
Opcode Fuzzy Hash: 9a01e92bad6019a411709813fe0a097185793ccfc60f3338ab6b4c96b56ab772
Instruction Fuzzy Hash: CB01B971D042287EDB18CBA8D856EFE7BFCDB15311F0045AAF552D2181E979E6048760

Function 00A698E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00A698F8
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00A6990F

Strings

aut, xrefs: 00A69909

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 9ca06543492ba8c28657594f30638d61ee8ff5d22168eaa94c37ab91932afff8
Instruction ID: 72a000a23c4ab35520007ead8eca490a3655984f07467dd422a0284bbacc6097
Opcode Fuzzy Hash: 9ca06543492ba8c28657594f30638d61ee8ff5d22168eaa94c37ab91932afff8
Instruction Fuzzy Hash: 33D05E7954030EBFDB50DBE4DC0EFDA773CE704700F0006B1BA54D10A2EAB095998B91

Function 00A7CADD Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c16e93b708e1fcb84866c172936ad5c8ac1bfb9533ff6a4f2472e380577b9316
Instruction ID: c9087cb03793e5bf561c0390a32d8846e5229079d83e075d2ffe0b9c2344ccb4
Opcode Fuzzy Hash: c16e93b708e1fcb84866c172936ad5c8ac1bfb9533ff6a4f2472e380577b9316
Instruction Fuzzy Hash: 78F118716083059FC714DF28C984A6ABBE5FF88324F54C92EF8999B252D731E945CF82

Function 00A0F76F Relevance: 4.7, APIs: 3, Instructions: 168comCOMMON

Download Yara Rule

APIs

Part of subcall function 00A20162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00A20193
Part of subcall function 00A20162: MapVirtualKeyW.USER32(00000010,00000000), ref: 00A2019B
Part of subcall function 00A20162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00A201A6
Part of subcall function 00A20162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00A201B1
Part of subcall function 00A20162: MapVirtualKeyW.USER32(00000011,00000000), ref: 00A201B9
Part of subcall function 00A20162: MapVirtualKeyW.USER32(00000012,00000000), ref: 00A201C1

Part of subcall function 00A160F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00A0F930), ref: 00A16154

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00A0F9CD
OleInitialize.OLE32(00000000), ref: 00A0FA4A
CloseHandle.KERNEL32(00000000), ref: 00A445C8

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 4b1a7fab80215492a698a9c2dadfd99a215163ba28bdbb5a320921129e551015
Instruction ID: 20bfca6a5b21239f111d57ad509bce3ed80e358d8f4fcb1070cef4a0db75d1ac
Opcode Fuzzy Hash: 4b1a7fab80215492a698a9c2dadfd99a215163ba28bdbb5a320921129e551015
Instruction Fuzzy Hash: 6781C3B0D01A40CFC788DFB9EA54E197BE6EB98306752852AF019CB361E77464C6CF10

Function 00A0434A Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A04370
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00A04415
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00A04432

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: 3af1b16c8b4d9a64df2040a7cd48a06bfad1b0df140ccc521101b59d3394a64d
Instruction ID: adf03851d8dad3704b9ecc5f27be1a8cf39d76e05e823198131c1b11f8e37569
Opcode Fuzzy Hash: 3af1b16c8b4d9a64df2040a7cd48a06bfad1b0df140ccc521101b59d3394a64d
Instruction Fuzzy Hash: EC3181B09047058FD720DF74E884A9BBBF8FB59309F00092EF69A86291D771A944CB52

Function 00A2571C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00A25733

Part of subcall function 00A2A16B: __NMSG_WRITE.LIBCMT ref: 00A2A192
Part of subcall function 00A2A16B: __NMSG_WRITE.LIBCMT ref: 00A2A19C

__NMSG_WRITE.LIBCMT ref: 00A2573A

Part of subcall function 00A2A1C8: GetModuleFileNameW.KERNEL32(00000000,00AC33BA,00000104,?,00000001,00000000), ref: 00A2A25A
Part of subcall function 00A2A1C8: ___crtMessageBoxW.LIBCMT ref: 00A2A308

Part of subcall function 00A2309F: ___crtCorExitProcess.LIBCMT ref: 00A230A5
Part of subcall function 00A2309F: ExitProcess.KERNEL32 ref: 00A230AE

Part of subcall function 00A28B28: __getptd_noexit.LIBCMT ref: 00A28B28

RtlAllocateHeap.NTDLL(00C90000,00000000,00000001,00000000,?,?,?,00A20DD3,?), ref: 00A2575F

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 6e40573312b6dae124acc0233b08a86e6ab6eb35810fe16298ba4254f59455bf
Instruction ID: a7d19e035d8eb0063f3f2bddae785ff332ea057143d2322b36f732e2ec59c0c8
Opcode Fuzzy Hash: 6e40573312b6dae124acc0233b08a86e6ab6eb35810fe16298ba4254f59455bf
Instruction Fuzzy Hash: 8D01F132A80B32DFEE14677CFD82A2E7398AB92761F110939F9059A181DE748D014661

Function 00A698A2 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00A69548,?,?,?,?,?,00000004), ref: 00A698BB
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00A69548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00A698D1
CloseHandle.KERNEL32(00000000,?,00A69548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00A698D8

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: ceedd15fe8d6de0c1587e7f8b992de6071d88bc030ea9799396b6b90b8f58cf3
Instruction ID: 18f93426011647cb0d80d8e1403a0c2f6758110a7ccb786994a7ccc9ca2f7464
Opcode Fuzzy Hash: ceedd15fe8d6de0c1587e7f8b992de6071d88bc030ea9799396b6b90b8f58cf3
Instruction Fuzzy Hash: A7E08632141215BBD7216B94EC0DFDA7F69EB06760F104220FB24A90E087B115229798

Function 00A68D0D Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00A68D1B

Part of subcall function 00A22D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00A29A24), ref: 00A22D69
Part of subcall function 00A22D55: GetLastError.KERNEL32(00000000,?,00A29A24), ref: 00A22D7B

_free.LIBCMT ref: 00A68D2C
_free.LIBCMT ref: 00A68D3E

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
Instruction ID: 2a4d16a065b6d2a8658ef79c645ff31b9163ff674b7bbadfd7b04d14a228d245
Opcode Fuzzy Hash: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
Instruction Fuzzy Hash: 7CE012B160161197CB24A77CBA40B9313EC4F5C7527140A2DB50DD71C6CE68F8528274

Function 00A0A9C3 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 00A3FC01

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: 4c279ce0dd77bbd6c4eca5cbb2a4b4ca3e69003bb2fdb2e4350028ebd73e1867
Instruction ID: 4737e5cda5ec764d55ba49ba95efed01e24c787a695e45b97e1462c5d8a66e7c
Opcode Fuzzy Hash: 4c279ce0dd77bbd6c4eca5cbb2a4b4ca3e69003bb2fdb2e4350028ebd73e1867
Instruction Fuzzy Hash: CE226874A08305DFDB24DF14D594A6ABBF1BF94304F15896DE88A8B3A2D731EC45CB82

Function 00A04C70 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00A04CBA

Strings

EA06, xrefs: 00A3D8CC

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: _memmove
String ID: EA06
API String ID: 4104443479-3962188686
Opcode ID: 7c58f70b6a4ff018bfeea51595764902baced1b4776e65ac5911caa8d1bcbe19
Instruction ID: 2cb3b60e29ce19d38c85fee90edf7c9f0392cbf8e00b4dd35d3817d0ca1ec9e2
Opcode Fuzzy Hash: 7c58f70b6a4ff018bfeea51595764902baced1b4776e65ac5911caa8d1bcbe19
Instruction Fuzzy Hash: 034159B1A0425C6BDF219B64F9617BE7FB2BB5D300F284475EE829B2C2D6209D4483A1

Function 00A677B3 Relevance: 3.1, APIs: 2, Instructions: 133COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00A678DB

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 452a2a0dc8edaf10d23459951c12264ff77a11f8be43493a104b7cc7f73b7af0
Instruction ID: 5623e87c455d44bda41c5c94b82b55466839cbee7a43ec3c8d38b91a212f3e8a
Opcode Fuzzy Hash: 452a2a0dc8edaf10d23459951c12264ff77a11f8be43493a104b7cc7f73b7af0
Instruction Fuzzy Hash: A841F4729182099FDB10EFA8E985DBEB7B9EF09304F244469E18597382DF359C45CB60

Function 00A07A51 Relevance: 3.1, APIs: 2, Instructions: 97COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00A07AAB
_memmove.LIBCMT ref: 00A07B16

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 436c5e9091f1787ffda7db2698e9d0fff12385a901a55d8bd6dbacd160c43149
Instruction ID: bca7b7334fb109a55cd48c05b61990d5440e9d0b7809684dbcdfd2197bdc6def
Opcode Fuzzy Hash: 436c5e9091f1787ffda7db2698e9d0fff12385a901a55d8bd6dbacd160c43149
Instruction Fuzzy Hash: F83184B1B0450AAFC704DF68E8D1E6DB3A5FF493507158629E519CB2D1EB30F950CB90

Function 00A047D0 Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00A04834

Part of subcall function 00A2336C: __lock.LIBCMT ref: 00A23372
Part of subcall function 00A2336C: DecodePointer.KERNEL32(00000001,?,00A04849,00A57C74), ref: 00A2337E
Part of subcall function 00A2336C: EncodePointer.KERNEL32(?,?,00A04849,00A57C74), ref: 00A23389

Part of subcall function 00A048FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00A04915
Part of subcall function 00A048FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00A0492A

Part of subcall function 00A03B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00A03B68
Part of subcall function 00A03B3A: IsDebuggerPresent.KERNEL32 ref: 00A03B7A
Part of subcall function 00A03B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,00AC52F8,00AC52E0,?,?), ref: 00A03BEB
Part of subcall function 00A03B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00A03C6F

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00A04874

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: 280f4324c461ab8ba7ecc6a353d23f7a4b6e7376817db485e20620cc3ba2bf7e
Instruction ID: afcdc1ad78e248dbde8f433fde0603ea63b83ff8a10b004a5629f963c6b8b2c2
Opcode Fuzzy Hash: 280f4324c461ab8ba7ecc6a353d23f7a4b6e7376817db485e20620cc3ba2bf7e
Instruction Fuzzy Hash: A51190B29043059FC700DFB9E90594ABBE8FF99750F11891EF440972B1DB70964ACB91

Function 00A20DB6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00A2571C: __FF_MSGBANNER.LIBCMT ref: 00A25733
Part of subcall function 00A2571C: __NMSG_WRITE.LIBCMT ref: 00A2573A
Part of subcall function 00A2571C: RtlAllocateHeap.NTDLL(00C90000,00000000,00000001,00000000,?,?,?,00A20DD3,?), ref: 00A2575F

std::exception::exception.LIBCMT ref: 00A20DEC
__CxxThrowException@8.LIBCMT ref: 00A20E01

Part of subcall function 00A2859B: RaiseException.KERNEL32(?,?,?,00AB9E78,00000000,?,?,?,?,00A20E06,?,00AB9E78,?,00000001), ref: 00A285F0

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 58b300ce2513e006a7158ccefe689f5bb60113abd453039398a03bfaa9818f4c
Instruction ID: 49288c1829e7ecf484e1661f7598e4807fca76acbf2e339bc6730a8480f6167d
Opcode Fuzzy Hash: 58b300ce2513e006a7158ccefe689f5bb60113abd453039398a03bfaa9818f4c
Instruction Fuzzy Hash: 02F081359422297ADB10BBACFE01ADEB7ACAF01311F104835F90496182EF709A8092D1

Function 00A255FD Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A2562C
__lock_file.LIBCMT ref: 00A2564D

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: 0ecf6c5bfeea4e8657bb78787fe742c66d5f5a54ebda4af1e7b8d0c315809e1f
Instruction ID: 46b7e86802fe24a9e085820aea679c27f99a66dc1d70b23551fe12d47760ade9
Opcode Fuzzy Hash: 0ecf6c5bfeea4e8657bb78787fe742c66d5f5a54ebda4af1e7b8d0c315809e1f
Instruction Fuzzy Hash: 07018471C01628ABCF22AF7CBD0649E7B61BF51361F584135F8141B191EB358A51DF91

Function 00A253A6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00A28B28: __getptd_noexit.LIBCMT ref: 00A28B28

__lock_file.LIBCMT ref: 00A253EB

Part of subcall function 00A26C11: __lock.LIBCMT ref: 00A26C34

__fclose_nolock.LIBCMT ref: 00A253F6

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 872d297a23a9bc47723b2303f124ab39a1786934a7bed41ab59710360f9b1c00
Instruction ID: 291966fd953d28a5a5478059381203b655a62701f1ac57534b89b8acb0db5508
Opcode Fuzzy Hash: 872d297a23a9bc47723b2303f124ab39a1786934a7bed41ab59710360f9b1c00
Instruction Fuzzy Hash: 3CF09031C02A249ADB10BB7DB9027AD66E07F41374F209268F424AF1C1CBBCC941AF92

Function 00CDC2DD Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 00CDCB0D
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00CDCB31
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00CDCB53

Memory Dump Source

Source File: 00000000.00000002.1460615264.0000000000CDB000.00000040.00000020.00020000.00000000.sdmp, Offset: 00CDB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cdb000_ewYjhndHg2.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 45c0bcdfd50c24934144be52d4489c8f4aeee23b26077383fd0484b0fd6f3e51
Instruction ID: 815cebe14ef8f7a9cd116735b799d8bf0477d467186bb3d30052b7e9e05377a9
Opcode Fuzzy Hash: 45c0bcdfd50c24934144be52d4489c8f4aeee23b26077383fd0484b0fd6f3e51
Instruction Fuzzy Hash: 1C12CD24E24658C6EB24DF64D8507DEB232EF68300F1094E9910DEB7A5E77A4F81CF5A

Function 00A0750F Relevance: 1.6, APIs: 1, Instructions: 103COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00A075EA

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: eafeb1dff6952b68bfd55240a36f31d3ff5341a31d81c5201ab65e604fd0d92f
Instruction ID: 9c43f3d3f46eed27af8770d64aac660794e56a90114c0e8d392bfb81f3e61158
Opcode Fuzzy Hash: eafeb1dff6952b68bfd55240a36f31d3ff5341a31d81c5201ab65e604fd0d92f
Instruction Fuzzy Hash: B731C279A08A169FC714DF18E990966F7B0FF09310B14C569E98A8B391D730F881CB80

Function 00A20C08 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00A20CB7

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: c78b2afb5153848c07000f5714b9b0b21083dbdb90e87cb7f9b9a2ef506280f3
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 3F31AEB0A001169BC718DF5DE484A69FBB6FB59300B6486A5E84ACB356DA31EDC1DB80

Function 00A3FCAC Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00A3FCB7

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 58a15a5ca230a75a8aa036f847e06fb4641a7882d9c970e53182480e6cdf99fe
Instruction ID: e64034269cf3de203542821e066133f88076ec544dfdeb501430a3ebab687515
Opcode Fuzzy Hash: 58a15a5ca230a75a8aa036f847e06fb4641a7882d9c970e53182480e6cdf99fe
Instruction Fuzzy Hash: 614118745043559FDB14DF18D548B1ABBE1BF45318F0988ACE8998B3A2C731EC45CF52

Function 00A04DDD Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A04BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00A04BEF

Part of subcall function 00A2525B: __wfsopen.LIBCMT ref: 00A25266

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00AC52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00A04E0F

Part of subcall function 00A04B6A: FreeLibrary.KERNEL32(00000000), ref: 00A04BA4

Part of subcall function 00A04C70: _memmove.LIBCMT ref: 00A04CBA

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: 1b7f8c4e1d656a231c43b38cac1a991694dc6dcff2228e18418de8663ea477c2
Instruction ID: 653f83153d3d8574b82a55a6226e3bcad5b5b3dc070845c5297b47e0af431829
Opcode Fuzzy Hash: 1b7f8c4e1d656a231c43b38cac1a991694dc6dcff2228e18418de8663ea477c2
Instruction Fuzzy Hash: A211E37164020AEBCF14FF70E916FAE77A8BF88710F108829F641A71C1EA719A019B50

Function 00A3FD85 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00A3FD91

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 3271c1c401e043fd7890c229c4d019d15a4b258bfebebfc95f4e73ec4816a7ec
Instruction ID: 36977664b76902c7b81b0a67bca63a062c4650aa3fd235793cfad5e20f161f5e
Opcode Fuzzy Hash: 3271c1c401e043fd7890c229c4d019d15a4b258bfebebfc95f4e73ec4816a7ec
Instruction Fuzzy Hash: 672130B4908305DFDB14DF64D844B1ABBE0BF88314F05886CF88A977A2D731E805CB92

Function 00A24863 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00A248A6

Part of subcall function 00A28B28: __getptd_noexit.LIBCMT ref: 00A28B28

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 206740293e18ca66c466c63819cb97fdfb34c76914a0ee3d4ecafe2e8a34ac08
Instruction ID: 1455bf1312e6d48a06a0874bdc37ea0370c25af1ce021765ccef613bd1d4fb59
Opcode Fuzzy Hash: 206740293e18ca66c466c63819cb97fdfb34c76914a0ee3d4ecafe2e8a34ac08
Instruction Fuzzy Hash: 75F02231812628EBDF11AFBCAE063EE36A0AF05320F008434F4209B282DB7C8950DB41

Function 00A04E4A Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00AC52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00A04E7E

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 48e331e91c66fa0780bae3c55939a40f87ae581521861cb7c814031193903bb0
Instruction ID: dc60591b41e40b944f574af04066addfb5c68e5420b93a53420dfb0027589462
Opcode Fuzzy Hash: 48e331e91c66fa0780bae3c55939a40f87ae581521861cb7c814031193903bb0
Instruction Fuzzy Hash: 8EF039B1501716CFDB349F64F494892BBF1BF183693208A3EE2D682660C732A840DF40

Function 00A20791 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00A207B0

Part of subcall function 00A07BCC: _memmove.LIBCMT ref: 00A07C06

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: 70f6be6b69f2143ae58c7c84e4d9bb048471436425ef91644fbc8253c0598e1f
Instruction ID: 0d45549d095aafdcb2333835874a03cbec6f9a9869b569a019d419cc5c12a335
Opcode Fuzzy Hash: 70f6be6b69f2143ae58c7c84e4d9bb048471436425ef91644fbc8253c0598e1f
Instruction Fuzzy Hash: 37E08636A041285BC720D6989C06FEA779DDB897A0F0541B5FC0CD7244E960AC8086D0

Function 00A68E9F Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00A68EC1

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
Instruction ID: 656f391a09484efea2d2e96a81ae6d0e2e7d1bd3caad1b6211c4a17215a0992c
Opcode Fuzzy Hash: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
Instruction Fuzzy Hash: D8E092B0504B005BD7388B24D800BA373E5AB05304F00091DF2AA83241EB63B8418759

Function 00A2525B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00A25266

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: 8218024f2292eaf6f1526d619068c98a9c91e7f761203792b0aebcfb5e241e77
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: 80B092B684020CB7CE012A96FC02A993B19AB41764F408020FB0C181A2A673A6649A89

Function 00CDD2E0 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 00CDD2F1

Memory Dump Source

Source File: 00000000.00000002.1460615264.0000000000CDB000.00000040.00000020.00020000.00000000.sdmp, Offset: 00CDB000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cdb000_ewYjhndHg2.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 3883fdecc6d9213e3b3a44f55ee9ff023a03c9f64aa83d3b77a5d355e88d4e80
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 09E0E67494010DDFDB00EFB8DA496AE7FB4EF04301F100161FD01D2280D6309D508A62

Non-executed Functions

Function 00A8CABC Relevance: 75.9, APIs: 40, Strings: 3, Instructions: 632windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00A02612: GetWindowLongW.USER32(?,000000EB), ref: 00A02623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00A8CB37
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00A8CB95
GetWindowLongW.USER32(?,000000F0), ref: 00A8CBD6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00A8CC00
SendMessageW.USER32 ref: 00A8CC29
_wcsncpy.LIBCMT ref: 00A8CC95
GetKeyState.USER32(00000011), ref: 00A8CCB6
GetKeyState.USER32(00000009), ref: 00A8CCC3
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00A8CCD9
GetKeyState.USER32(00000010), ref: 00A8CCE3
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00A8CD0C
SendMessageW.USER32 ref: 00A8CD33
SendMessageW.USER32(?,00001030,?,00A8B348), ref: 00A8CE37
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00A8CE4D
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00A8CE60
SetCapture.USER32(?), ref: 00A8CE69
ClientToScreen.USER32(?,?), ref: 00A8CECE
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00A8CEDB
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00A8CEF5
ReleaseCapture.USER32 ref: 00A8CF00
GetCursorPos.USER32(?), ref: 00A8CF3A
ScreenToClient.USER32(?,?), ref: 00A8CF47
SendMessageW.USER32(?,00001012,00000000,?), ref: 00A8CFA3
SendMessageW.USER32 ref: 00A8CFD1
SendMessageW.USER32(?,00001111,00000000,?), ref: 00A8D00E
SendMessageW.USER32 ref: 00A8D03D
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00A8D05E
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00A8D06D
GetCursorPos.USER32(?), ref: 00A8D08D
ScreenToClient.USER32(?,?), ref: 00A8D09A
GetParent.USER32(?), ref: 00A8D0BA
SendMessageW.USER32(?,00001012,00000000,?), ref: 00A8D123
SendMessageW.USER32 ref: 00A8D154
ClientToScreen.USER32(?,?), ref: 00A8D1B2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00A8D1E2
SendMessageW.USER32(?,00001111,00000000,?), ref: 00A8D20C
SendMessageW.USER32 ref: 00A8D22F
ClientToScreen.USER32(?,?), ref: 00A8D281
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00A8D2B5

Part of subcall function 00A025DB: GetWindowLongW.USER32(?,000000EB), ref: 00A025EC

GetWindowLongW.USER32(?,000000F0), ref: 00A8D351

Strings

@U=u, xrefs: 00A8CB95, 00A8CC00, 00A8CC29, 00A8CCD9, 00A8CD0C, 00A8CD33, 00A8CE37, 00A8CFA3, 00A8CFD1, 00A8D00E, 00A8D03D, 00A8D123, 00A8D154, 00A8D20C, 00A8D22F
F, xrefs: 00A8D235
@GUI_DRAGID, xrefs: 00A8CE9C

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$@U=u$F
API String ID: 3977979337-1007936534
Opcode ID: f1065746fef08ad80f086767014a1f529d5f3ff696f582c75dc2b61fd636857c
Instruction ID: f8d21231fb17d9d0f01a89aebf31e982b05aa53a5743e2c0bf815730fb5ee700
Opcode Fuzzy Hash: f1065746fef08ad80f086767014a1f529d5f3ff696f582c75dc2b61fd636857c
Instruction Fuzzy Hash: E542AC74604741AFD724EF68D848FAABBE5FF48320F140A29F5598B2A0D731E851DF62

Function 00A16F9E Relevance: 48.8, APIs: 19, Strings: 6, Instructions: 5018COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00A171C3
_memset.LIBCMT ref: 00A17539
_memmove.LIBCMT ref: 00A176AC

Strings

[:<:]], xrefs: 00A17479
Q\E, xrefs: 00A17FCB
\b(?<=\w), xrefs: 00A53773
DEFINE, xrefs: 00A52103
[:>:]], xrefs: 00A17492
\b(?=\w), xrefs: 00A53769

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: _memmove$_memset
String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
API String ID: 1357608183-1798697756
Opcode ID: 96dd9847458407611a88967e2cfa06784283657646516f8efd0fd253f4044597
Instruction ID: 867063dd62100e8baeeac8b8950a2ce8fdcb6f5f02154184972e5fdaea1c92bb
Opcode Fuzzy Hash: 96dd9847458407611a88967e2cfa06784283657646516f8efd0fd253f4044597
Instruction Fuzzy Hash: A693A176A04219DBDF24CF98C881BEDB7B1FF48351F24816AED55AB281E7709E85CB40

Function 00A048D7 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 00A048DF
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00A3D665
IsIconic.USER32(?), ref: 00A3D66E
ShowWindow.USER32(?,00000009), ref: 00A3D67B
SetForegroundWindow.USER32(?), ref: 00A3D685
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00A3D69B
GetCurrentThreadId.KERNEL32 ref: 00A3D6A2
GetWindowThreadProcessId.USER32(?,00000000), ref: 00A3D6AE
AttachThreadInput.USER32(?,00000000,00000001), ref: 00A3D6BF
AttachThreadInput.USER32(?,00000000,00000001), ref: 00A3D6C7
AttachThreadInput.USER32(00000000,?,00000001), ref: 00A3D6CF
SetForegroundWindow.USER32(?), ref: 00A3D6D2
MapVirtualKeyW.USER32(00000012,00000000), ref: 00A3D6E7
keybd_event.USER32(00000012,00000000), ref: 00A3D6F2
MapVirtualKeyW.USER32(00000012,00000000), ref: 00A3D6FC
keybd_event.USER32(00000012,00000000), ref: 00A3D701
MapVirtualKeyW.USER32(00000012,00000000), ref: 00A3D70A
keybd_event.USER32(00000012,00000000), ref: 00A3D70F
MapVirtualKeyW.USER32(00000012,00000000), ref: 00A3D719
keybd_event.USER32(00000012,00000000), ref: 00A3D71E
SetForegroundWindow.USER32(?), ref: 00A3D721
AttachThreadInput.USER32(?,?,00000000), ref: 00A3D748

Strings

Shell_TrayWnd, xrefs: 00A3D660

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 998e957157891dfbf1e832ff43464e618fcc47629101f2798799a0523fc12294
Instruction ID: eb418855183998edd3dcee93fb5cb4bebc62ccb729ca667957065c6370fa06bb
Opcode Fuzzy Hash: 998e957157891dfbf1e832ff43464e618fcc47629101f2798799a0523fc12294
Instruction Fuzzy Hash: F2315271A40318BEEB206BA19C4AF7F7E6CEB44B50F104035FA04EA1D1D6B05951ABA1

Function 00A58310 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00A587E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00A5882B
Part of subcall function 00A587E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00A58858
Part of subcall function 00A587E1: GetLastError.KERNEL32 ref: 00A58865

_memset.LIBCMT ref: 00A58353
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00A583A5
CloseHandle.KERNEL32(?), ref: 00A583B6
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00A583CD
GetProcessWindowStation.USER32 ref: 00A583E6
SetProcessWindowStation.USER32(00000000), ref: 00A583F0
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00A5840A

Part of subcall function 00A581CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00A58309), ref: 00A581E0
Part of subcall function 00A581CB: CloseHandle.KERNEL32(?,?,00A58309), ref: 00A581F2

Strings

, xrefs: 00A58362
winsta0, xrefs: 00A583C8
default, xrefs: 00A58405

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 522e193fd9f244f63ff4005e8c425c92504bbb808f5630ba98acd6407ff87582
Instruction ID: 01323bdc44d5914776610e4b6bb9592e449c7a96cc412cbe6a2a3abbcb7a7d24
Opcode Fuzzy Hash: 522e193fd9f244f63ff4005e8c425c92504bbb808f5630ba98acd6407ff87582
Instruction Fuzzy Hash: 7B8156B1900249AFDF11DFA4DD45AEEBBB9FF08305F144169FD10B6261EB398A19DB20

Function 00A6C75C Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00A6C78D
FindClose.KERNEL32(00000000), ref: 00A6C7E1
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00A6C806
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00A6C81D
FileTimeToSystemTime.KERNEL32(?,?), ref: 00A6C844
__swprintf.LIBCMT ref: 00A6C890
__swprintf.LIBCMT ref: 00A6C8D3

Part of subcall function 00A07DE1: _memmove.LIBCMT ref: 00A07E22

__swprintf.LIBCMT ref: 00A6C927

Part of subcall function 00A23698: __woutput_l.LIBCMT ref: 00A236F1

__swprintf.LIBCMT ref: 00A6C975

Part of subcall function 00A23698: __flsbuf.LIBCMT ref: 00A23713
Part of subcall function 00A23698: __flsbuf.LIBCMT ref: 00A2372B

__swprintf.LIBCMT ref: 00A6C9C4
__swprintf.LIBCMT ref: 00A6CA13
__swprintf.LIBCMT ref: 00A6CA62

Strings

%02d, xrefs: 00A6C91B, 00A6C925, 00A6C973, 00A6C9C2, 00A6CA11, 00A6CA60
%4d, xrefs: 00A6C8CD
%4d%02d%02d%02d%02d%02d, xrefs: 00A6C88A

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: bf26cfa50ac55b744ac4a7b03638f65278db42d2a6b63159c41b94a1dc2a4604
Instruction ID: 4a2fb8e249f667d2c835f5664e716c4a06f4e5ef6de59a234f372ab6997fe3e3
Opcode Fuzzy Hash: bf26cfa50ac55b744ac4a7b03638f65278db42d2a6b63159c41b94a1dc2a4604
Instruction Fuzzy Hash: 5CA120B2404309AFC710EFA4D995DAFB7ECFF95700F404929F59587192EA34DA08CB62

Function 00A6EF95 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76F88FB0,?,00000000), ref: 00A6EFB6
_wcscmp.LIBCMT ref: 00A6EFCB
_wcscmp.LIBCMT ref: 00A6EFE2
GetFileAttributesW.KERNEL32(?), ref: 00A6EFF4
SetFileAttributesW.KERNEL32(?,?), ref: 00A6F00E
FindNextFileW.KERNEL32(00000000,?), ref: 00A6F026
FindClose.KERNEL32(00000000), ref: 00A6F031
FindFirstFileW.KERNEL32(*.*,?), ref: 00A6F04D
_wcscmp.LIBCMT ref: 00A6F074
_wcscmp.LIBCMT ref: 00A6F08B
SetCurrentDirectoryW.KERNEL32(?), ref: 00A6F09D
SetCurrentDirectoryW.KERNEL32(00AB8920), ref: 00A6F0BB
FindNextFileW.KERNEL32(00000000,00000010), ref: 00A6F0C5
FindClose.KERNEL32(00000000), ref: 00A6F0D2
FindClose.KERNEL32(00000000), ref: 00A6F0E4

Strings

*.*, xrefs: 00A6F048

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: fd7fe1378d6ee365c2f8adf81ab0a70b3d9ef42ebf68bde360d6da17511bba66
Instruction ID: 0f6e0e59dd39db372b5944892537618ea2c5527d0b3fc30d2c9225f07b3d1971
Opcode Fuzzy Hash: fd7fe1378d6ee365c2f8adf81ab0a70b3d9ef42ebf68bde360d6da17511bba66
Instruction Fuzzy Hash: 2731AF3250121A7EDF14EFA4EC49AEE77BCAF49360F114176E904E30A1EB74DA85CB61

Function 00A80857 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A80953
RegCreateKeyExW.ADVAPI32(?,?,00000000,00A8F910,00000000,?,00000000,?,?), ref: 00A809C1
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00A80A09
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00A80A92
RegCloseKey.ADVAPI32(?), ref: 00A80DB2
RegCloseKey.ADVAPI32(00000000), ref: 00A80DBF

Strings

REG_DWORD, xrefs: 00A80C83
REG_EXPAND_SZ, xrefs: 00A80A2F
REG_SZ, xrefs: 00A80AD0
REG_BINARY, xrefs: 00A80D4D
REG_QWORD, xrefs: 00A80D00
REG_MULTI_SZ, xrefs: 00A80B7A

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 8d40bbab588b5cb244055cc475f2367f7db5997fe5dcaf4c005ece1a22220cb4
Instruction ID: 55fee705de4f1002ad405c22edeb78cb09c60b687371e414ab5469ab23d18e78
Opcode Fuzzy Hash: 8d40bbab588b5cb244055cc475f2367f7db5997fe5dcaf4c005ece1a22220cb4
Instruction Fuzzy Hash: 43024B756006159FCB54EF28D941E2AB7E5FF89314F04895CF89A9B3A2DB30EC49CB81

Function 00A6F0F2 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76F88FB0,?,00000000), ref: 00A6F113
_wcscmp.LIBCMT ref: 00A6F128
_wcscmp.LIBCMT ref: 00A6F13F

Part of subcall function 00A64385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00A643A0

FindNextFileW.KERNEL32(00000000,?), ref: 00A6F16E
FindClose.KERNEL32(00000000), ref: 00A6F179
FindFirstFileW.KERNEL32(*.*,?), ref: 00A6F195
_wcscmp.LIBCMT ref: 00A6F1BC
_wcscmp.LIBCMT ref: 00A6F1D3
SetCurrentDirectoryW.KERNEL32(?), ref: 00A6F1E5
SetCurrentDirectoryW.KERNEL32(00AB8920), ref: 00A6F203
FindNextFileW.KERNEL32(00000000,00000010), ref: 00A6F20D
FindClose.KERNEL32(00000000), ref: 00A6F21A
FindClose.KERNEL32(00000000), ref: 00A6F22C

Strings

*.*, xrefs: 00A6F190

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 0028526011558c4885482da6b396f2585df7a7315a69432f3f471e487dd2fb1a
Instruction ID: 0a777c350a96dfa94dedf85f8075b84b50e7a41d6e176eb9022fc091d6d0e8c3
Opcode Fuzzy Hash: 0028526011558c4885482da6b396f2585df7a7315a69432f3f471e487dd2fb1a
Instruction Fuzzy Hash: FB31703650021A7EDF10EFB4FC59AEE77BC9F46360F100175E914A21A1EA34DA45CA64

Function 00A6A1EF Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00A6A20F
__swprintf.LIBCMT ref: 00A6A231
CreateDirectoryW.KERNEL32(?,00000000), ref: 00A6A26E
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00A6A293
_memset.LIBCMT ref: 00A6A2B2
_wcsncpy.LIBCMT ref: 00A6A2EE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00A6A323
CloseHandle.KERNEL32(00000000), ref: 00A6A32E
RemoveDirectoryW.KERNEL32(?), ref: 00A6A337
CloseHandle.KERNEL32(00000000), ref: 00A6A341

Strings

\??\%s, xrefs: 00A6A22B
\, xrefs: 00A6A247
:, xrefs: 00A6A252

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 0344da21ff4f5fca7f0af5938e6753f507b131690a92f77322cf2cb427871e14
Instruction ID: 1ed63783ec047ec346f99706fcc41009399e65cd0a51ad20d774a507a4e30123
Opcode Fuzzy Hash: 0344da21ff4f5fca7f0af5938e6753f507b131690a92f77322cf2cb427871e14
Instruction Fuzzy Hash: CB31E4B590011AABDB20DFA4DC49FEB77BCEF88700F1041B6F508E6160EB7496458F25

Function 00A166E1 Relevance: 18.4, Strings: 14, Instructions: 889COMMON

Download Yara Rule

Strings

LIMIT_RECURSION=, xrefs: 00A511FC
CR), xrefs: 00A51287
UTF), xrefs: 00A510FA
UCP), xrefs: 00A5110D
ANY), xrefs: 00A512DE
BSR_UNICODE), xrefs: 00A51338
LIMIT_MATCH=, xrefs: 00A51170
NO_AUTO_POSSESS), xrefs: 00A5112E
ANYCRLF), xrefs: 00A512FB
UTF16), xrefs: 00A510CF
LF), xrefs: 00A512A4
CRLF), xrefs: 00A512C1
NO_START_OPT), xrefs: 00A5114F
BSR_ANYCRLF), xrefs: 00A5131E

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
API String ID: 0-4052911093
Opcode ID: b7032571e27c48ae86aa27a512b0634588b8174c3c0ef78c4cb9ef0d6ba0aef1
Instruction ID: 677362369a26a451a7b89099b507e0ca19b99e5d237514fc853fc4bdc6453e34
Opcode Fuzzy Hash: b7032571e27c48ae86aa27a512b0634588b8174c3c0ef78c4cb9ef0d6ba0aef1
Instruction Fuzzy Hash: 82726D75E002199BDB14CF59C8907FEB7B5FF48311F14816AE809EB291EB749E85CB90

Function 00A6001C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00A60097
SetKeyboardState.USER32(?), ref: 00A60102
GetAsyncKeyState.USER32(000000A0), ref: 00A60122
GetKeyState.USER32(000000A0), ref: 00A60139
GetAsyncKeyState.USER32(000000A1), ref: 00A60168
GetKeyState.USER32(000000A1), ref: 00A60179
GetAsyncKeyState.USER32(00000011), ref: 00A601A5
GetKeyState.USER32(00000011), ref: 00A601B3
GetAsyncKeyState.USER32(00000012), ref: 00A601DC
GetKeyState.USER32(00000012), ref: 00A601EA
GetAsyncKeyState.USER32(0000005B), ref: 00A60213
GetKeyState.USER32(0000005B), ref: 00A60221

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 2ba1c613b3c381b8c1b2567811b01d226e25d18a7e61a8e7c71b472545dfcb6e
Instruction ID: aa036b476340c9de0aa37271512203cdb69a4af4f7f9db79e25e5ed3997455cb
Opcode Fuzzy Hash: 2ba1c613b3c381b8c1b2567811b01d226e25d18a7e61a8e7c71b472545dfcb6e
Instruction Fuzzy Hash: 1551D93090478829FB35DBB08954FEBBFB49F12380F08469ED5C65A5C2DAA49BCCC761

Function 00A803DA Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A80E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A7FDAD,?,?), ref: 00A80E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A804AC

Part of subcall function 00A09837: __itow.LIBCMT ref: 00A09862
Part of subcall function 00A09837: __swprintf.LIBCMT ref: 00A098AC

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00A8054B
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00A805E3
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00A80822
RegCloseKey.ADVAPI32(00000000), ref: 00A8082F

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: f368278bd6dd31863cb01f39053cf39421b288d34a6632adee3bf66ae9140693
Instruction ID: b87e91905dfc69a9cb0d13224ea78dfb238132a2b5d0fad9eb40251a1584b063
Opcode Fuzzy Hash: f368278bd6dd31863cb01f39053cf39421b288d34a6632adee3bf66ae9140693
Instruction Fuzzy Hash: 6FE14D71604204AFCB54EF28C991D6BBBF8FF89314F04856DF84ADB2A2D630E945CB91

Function 00A783BB Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00A09837: __itow.LIBCMT ref: 00A09862
Part of subcall function 00A09837: __swprintf.LIBCMT ref: 00A098AC

CoInitialize.OLE32 ref: 00A78403
CoUninitialize.OLE32 ref: 00A7840E
CoCreateInstance.OLE32(?,00000000,00000017,00A92BEC,?), ref: 00A7846E
IIDFromString.OLE32(?,?), ref: 00A784E1
VariantInit.OLEAUT32(?), ref: 00A7857B
VariantClear.OLEAUT32(?), ref: 00A785DC

Strings

Invalid parameter, xrefs: 00A784FA
Failed to create object, xrefs: 00A78479, 00A7852F
NULL Pointer assignment, xrefs: 00A784B3

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: ed7947336f716fdfe7324ee943511b1c9fb24c3f5f02ca52c05af9fdceeccaf9
Instruction ID: 2507adeefbf2e47ad60bbfd662f0e54b4d9355eb94fab6142f66607867399e04
Opcode Fuzzy Hash: ed7947336f716fdfe7324ee943511b1c9fb24c3f5f02ca52c05af9fdceeccaf9
Instruction Fuzzy Hash: 9861AE70648312AFC710DF64D948F6AB7E8AF49754F00C819F9899B291CB78ED48CB92

Function 00A74164 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00A7418B
EmptyClipboard.USER32 ref: 00A74191
GlobalAlloc.KERNEL32(00000002,?), ref: 00A741A6
CloseClipboard.USER32 ref: 00A74245

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: d1bb22a305eee6aef4d40991e8c6b83a33788d4a6e487bea99566314f7427fe6
Instruction ID: c7c145b2f3da99aa1917ede59c8091077dd06208c932c9a3a2f3ff21b7b519f3
Opcode Fuzzy Hash: d1bb22a305eee6aef4d40991e8c6b83a33788d4a6e487bea99566314f7427fe6
Instruction Fuzzy Hash: 4B21B5752012159FDB10EFA4EC09B6E7BA8FF04711F10C125F949DB2A2EB30AC42CB94

Function 00A637EF Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00A04750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A04743,?,?,00A037AE,?), ref: 00A04770

Part of subcall function 00A64A31: GetFileAttributesW.KERNEL32(?,00A6370B), ref: 00A64A32

FindFirstFileW.KERNEL32(?,?), ref: 00A638A3
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00A6394B
MoveFileW.KERNEL32(?,?), ref: 00A6395E
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00A6397B
FindNextFileW.KERNEL32(00000000,00000010), ref: 00A6399D
FindClose.KERNEL32(00000000,?,?,?,?), ref: 00A639B9

Strings

\*.*, xrefs: 00A6384E, 00A63857, 00A6386C

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: 8ec35d00fc28fd8ba1f5af411ac67fd5b3a8ea144712b9da2bc57a17510eb33d
Instruction ID: 44d8c878e5f6dac92f68cbb72c1f820acbeb0e51b6a9fad734e1df4d4ffbee4c
Opcode Fuzzy Hash: 8ec35d00fc28fd8ba1f5af411ac67fd5b3a8ea144712b9da2bc57a17510eb33d
Instruction Fuzzy Hash: D8514F72C0514DAACF05EBE0EA929EDB779AF15304F600069E406B7191EB716F0ACB61

Function 00A6F3F3 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00A07DE1: _memmove.LIBCMT ref: 00A07E22

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00A6F440
Sleep.KERNEL32(0000000A), ref: 00A6F470
_wcscmp.LIBCMT ref: 00A6F484
_wcscmp.LIBCMT ref: 00A6F49F
FindNextFileW.KERNEL32(?,?), ref: 00A6F53D
FindClose.KERNEL32(00000000), ref: 00A6F553

Strings

*.*, xrefs: 00A6F425

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: cf35354279bd934dcac6fe6b8566ade7a701e016cae70ac0cc41a36fda2affc0
Instruction ID: 875492f975906582ebdbd2bf6ec8b1b304003336b682d331f734295736207b31
Opcode Fuzzy Hash: cf35354279bd934dcac6fe6b8566ade7a701e016cae70ac0cc41a36fda2affc0
Instruction Fuzzy Hash: 5E415D7294421AAFDF14EFA4EC49AEEBBB8FF05310F144466E815A7191EB309E45CF50

Function 00A15760 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00A158A5
_memmove.LIBCMT ref: 00A158F5
_memmove.LIBCMT ref: 00A1595B

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 3ff9bdbc6c9ba43f94b81f186594401c8b915fc13d653bc8d2a5d9d16dfdacd8
Instruction ID: c243c8f9872a036ade3805ceee55ed1ca87b45ba6c92387cb6e106c0d9ef6e57
Opcode Fuzzy Hash: 3ff9bdbc6c9ba43f94b81f186594401c8b915fc13d653bc8d2a5d9d16dfdacd8
Instruction Fuzzy Hash: 45129A70E00A09DFDF04DFA5DA81AEEB7F5FF88300F104529E846A7291EB36A955CB51

Function 00A651BD Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00A587E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00A5882B
Part of subcall function 00A587E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00A58858
Part of subcall function 00A587E1: GetLastError.KERNEL32 ref: 00A58865

ExitWindowsEx.USER32(?,00000000), ref: 00A651F9

Strings

@, xrefs: 00A651EC
, xrefs: 00A651E7
SeShutdownPrivilege, xrefs: 00A651C9

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: e99c0047ad415d5efad38c368d43f94c972aafae3e95430861baf897a8d0d6bf
Instruction ID: 8f4d4efdbcd9cf106ee9670219945a56d2e41686fa680a90fa1be90083a6862e
Opcode Fuzzy Hash: e99c0047ad415d5efad38c368d43f94c972aafae3e95430861baf897a8d0d6bf
Instruction Fuzzy Hash: F801F731F916126FF7286378ACAAFFA73B8EB05341F200521FD13E20D2E9611C418690

Function 00A76283 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00A762DC
WSAGetLastError.WSOCK32(00000000), ref: 00A762EB
bind.WSOCK32(00000000,?,00000010), ref: 00A76307
listen.WSOCK32(00000000,00000005), ref: 00A76316
WSAGetLastError.WSOCK32(00000000), ref: 00A76330
closesocket.WSOCK32(00000000,00000000), ref: 00A76344

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 1657d7861de487241767ac1a4cbb45295673f34a2539deb61c419b67cb383cf2
Instruction ID: 2c84f6e359fbbd9fb9f170f0590a74706d21938ef7642c28affface5d1fdeda7
Opcode Fuzzy Hash: 1657d7861de487241767ac1a4cbb45295673f34a2539deb61c419b67cb383cf2
Instruction Fuzzy Hash: 1D21CE716006059FCB10EF64DD45B6EB7A9EF49320F14C168F85AAB3D2C770AD05CB51

Function 00A15520 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00A20DB6: std::exception::exception.LIBCMT ref: 00A20DEC
Part of subcall function 00A20DB6: __CxxThrowException@8.LIBCMT ref: 00A20E01

_memmove.LIBCMT ref: 00A50258
_memmove.LIBCMT ref: 00A5036D
_memmove.LIBCMT ref: 00A50414

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: 2f5fd734368151cf2ee32f058e4308ae39713b0be8cd537eb2dbeb70f0f41a7e
Instruction ID: c3325cebe3128eed9afdcdb5eab4be659958da54c3b55713a40799089a0d7181
Opcode Fuzzy Hash: 2f5fd734368151cf2ee32f058e4308ae39713b0be8cd537eb2dbeb70f0f41a7e
Instruction Fuzzy Hash: 9202B170E00609DFCF04DF68DA81AAEBBB5FF84310F148069E846DB295EB35D955CB91

Function 00A01287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00A02612: GetWindowLongW.USER32(?,000000EB), ref: 00A02623

DefDlgProcW.USER32(?,?,?,?,?), ref: 00A019FA
GetSysColor.USER32(0000000F), ref: 00A01A4E
SetBkColor.GDI32(?,00000000), ref: 00A01A61

Part of subcall function 00A01290: DefDlgProcW.USER32(?,00000020,?), ref: 00A012D8

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: b6117cf55c031e62e7a937b688b8542ccea9dcf5f7a3d7d8ab4263a9aa475de8
Instruction ID: ea8099fffee0634ee2883de8d66e7ef0f436056a7d6e2e7d936190b777b4fdf2
Opcode Fuzzy Hash: b6117cf55c031e62e7a937b688b8542ccea9dcf5f7a3d7d8ab4263a9aa475de8
Instruction Fuzzy Hash: E4A1587121254CBFE729ABA8AD48EFF35AEDF423C1F14011AF602D61D2CB259D4197B1

Function 00A76747 Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00A77D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00A77DB6

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00A7679E
WSAGetLastError.WSOCK32(00000000), ref: 00A767C7
bind.WSOCK32(00000000,?,00000010), ref: 00A76800
WSAGetLastError.WSOCK32(00000000), ref: 00A7680D
closesocket.WSOCK32(00000000,00000000), ref: 00A76821

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: 548e3e7b890f6370dfd1fc34c8eba5ea7a90d21ac40fd388697869ca3a56b239
Instruction ID: 2dad0c85efbd16c6e99a5a92cbdc29c5e4d12bf4622eceef2d78564ca34de5c5
Opcode Fuzzy Hash: 548e3e7b890f6370dfd1fc34c8eba5ea7a90d21ac40fd388697869ca3a56b239
Instruction Fuzzy Hash: 27411471B00604AFEB10BF649D82F2E77A8EF09710F04C158FA49AB3C3CA749D018791

Function 00A85376 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00A853C5
IsWindowEnabled.USER32 ref: 00A853D3
GetForegroundWindow.USER32(?,?,00000001), ref: 00A853E0
IsIconic.USER32 ref: 00A853EE
IsZoomed.USER32 ref: 00A853FC

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: ac82f3671463cb7687718d01ff397042492ec457b5a6406f79c9acc396c41e31
Instruction ID: f1851a38fde1bbadd972a9839c2373c7e15a2513ebcd03e87cb8cb5f95838b1c
Opcode Fuzzy Hash: ac82f3671463cb7687718d01ff397042492ec457b5a6406f79c9acc396c41e31
Instruction Fuzzy Hash: F611B231B00915AFEB217F76DC54A6A7B99FF447A1B404438FC45D7241DB70DC028BA0

Function 00A580A9 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00A580C0
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00A580CA
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00A580D9
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00A580E0
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00A580F6

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 705ba2859e061c1618e5b7976947dca5a484a8bb5bb480b4277aeaf509088f55
Instruction ID: 4d0d85f31da9c51d5ba40cf9f79d2001f7196742d25f56ee6757cefa52ab82cf
Opcode Fuzzy Hash: 705ba2859e061c1618e5b7976947dca5a484a8bb5bb480b4277aeaf509088f55
Instruction Fuzzy Hash: 75F04F31240305EFEB108FA5EC8DE673BACFF49755B100125F945D6150DA759C46DB60

Function 00A04B37 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00A04AD0), ref: 00A04B45
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00A04B57

Strings

GetNativeSystemInfo, xrefs: 00A04B51
kernel32.dll, xrefs: 00A04B40

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: d4e7e752917b049239263a9a8d8814ba39485d8b8e96135fc6f6b8f386e38611
Instruction ID: 1f402a52a678154003d622ced1863b48db3ba0f699483900373d27a479c48b2d
Opcode Fuzzy Hash: d4e7e752917b049239263a9a8d8814ba39485d8b8e96135fc6f6b8f386e38611
Instruction Fuzzy Hash: 82D01774A10717DFEB20FF72E82CB0676E4BF4A791B11CC3A9586D6190E674E880CB54

Function 00A13030 Relevance: 6.6, APIs: 4, Instructions: 587COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: 2582645f0d797660f4c348ea72636c8f23386214b01675e3e675107bfe4b23fe
Instruction ID: 7f5d767c25a6d1ddaf72d800012b0ea02a52a53339da0b429d7e4edad245074d
Opcode Fuzzy Hash: 2582645f0d797660f4c348ea72636c8f23386214b01675e3e675107bfe4b23fe
Instruction Fuzzy Hash: 6E22AE766083009FDB24DF24D981BAFB7E4BF85310F14492DF89A97291DB71E984CB92

Function 00A7EE0D Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00A7EE3D
Process32FirstW.KERNEL32(00000000,?), ref: 00A7EE4B

Part of subcall function 00A07DE1: _memmove.LIBCMT ref: 00A07E22

Process32NextW.KERNEL32(00000000,?), ref: 00A7EF0B
CloseHandle.KERNEL32(00000000,?,?,?), ref: 00A7EF1A

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 65284222883f061834a54a326f9cf150e1f24bfd50394b07054ad30749f249b6
Instruction ID: f6cafe11c6b20e4aaf23cd035025ca1895afc072fedce901e074258a3280716a
Opcode Fuzzy Hash: 65284222883f061834a54a326f9cf150e1f24bfd50394b07054ad30749f249b6
Instruction Fuzzy Hash: F5519D71504305AFD310EF24DC85E6BB7E8EF88750F10892DF595972A2EB30A908CB92

Function 00A5E616 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00A5E628

Strings

|, xrefs: 00A5E658
(, xrefs: 00A5E66E

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: b5df62c950259d00f1fe135c11a55ab895fa2109061fa3264427641f5bea0a9d
Instruction ID: 494e2c35387dafcdca2489d8563febfea6925281a53ba3774d3815631a770f81
Opcode Fuzzy Hash: b5df62c950259d00f1fe135c11a55ab895fa2109061fa3264427641f5bea0a9d
Instruction Fuzzy Hash: 13323575A007059FDB28CF29C48196AB7F1FF48320B15C56EE99ADB7A1E770EA41CB40

Function 00A722EE Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00A7180A,00000000), ref: 00A723E1
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00A72418

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: df402238a747b6152f914db6eef6b4abc8e968e3431dbc668b14a32eb4b32945
Instruction ID: 99efaa3bfc6b1ac72557c84fdb0aa769164c23cf058a7593e0c92e09374ac1af
Opcode Fuzzy Hash: df402238a747b6152f914db6eef6b4abc8e968e3431dbc668b14a32eb4b32945
Instruction Fuzzy Hash: B141D571A04209BFEB20DF95DD85FBBB7BCEB40314F10C06AF649AB241EA759E419760

Function 00A6B3FB Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00A6B40B
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00A6B465
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00A6B4B2

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 4aad3954540f6534d33af28b10ae4c0cb1b46e33df9a7d8ea62501b8393810a8
Instruction ID: b51964a099e090f8966e34c5d42eb1c5d261314f5c01a32f8f9fab5d6614cef6
Opcode Fuzzy Hash: 4aad3954540f6534d33af28b10ae4c0cb1b46e33df9a7d8ea62501b8393810a8
Instruction Fuzzy Hash: 47214475A00108DFCB00EFA5D984AEEBBB8FF49314F1481A9E905EB352DB319956CB51

Function 00A587E1 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00A20DB6: std::exception::exception.LIBCMT ref: 00A20DEC
Part of subcall function 00A20DB6: __CxxThrowException@8.LIBCMT ref: 00A20E01

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00A5882B
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00A58858
GetLastError.KERNEL32 ref: 00A58865

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 73e49a9ac248f7ef5a84893b11bb2030f4f9481f990759f497959cfe5b783eec
Instruction ID: 072e1e6d949b8665c675591e93a4ce1a6d127231235fd3b9c6f6c58c0016562b
Opcode Fuzzy Hash: 73e49a9ac248f7ef5a84893b11bb2030f4f9481f990759f497959cfe5b783eec
Instruction Fuzzy Hash: D111BFB2404205AFE718DFA4EC85D2BB7F9FB04711B20852EF85597211EB30BC418B60

Function 00A5874B Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00A58774
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00A5878B
FreeSid.ADVAPI32(?), ref: 00A5879B

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: fcd0921e3b99274b36d8dc3fba83210fc83316ec1853dcfb24bf9a7b171ca935
Instruction ID: b204c83e963611cb2200ce7bb7550b0b04e44455c37ee972d733ccc91f4f10b6
Opcode Fuzzy Hash: fcd0921e3b99274b36d8dc3fba83210fc83316ec1853dcfb24bf9a7b171ca935
Instruction Fuzzy Hash: C9F04975A1130DBFDF00DFF4DC89AAEBBBCEF08201F1044A9A901E2181E7756A048B50

Function 00A6C6D1 Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00A6C6FB
FindClose.KERNEL32(00000000), ref: 00A6C72B

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 89cc2202095861a6010628868e5ec5ec2448b557a0093eb5fe22b40266583705
Instruction ID: 37caedfded3dc5e5ce2b22688cc3a568b3599a6849dab0ff5c0adaeb0e828a26
Opcode Fuzzy Hash: 89cc2202095861a6010628868e5ec5ec2448b557a0093eb5fe22b40266583705
Instruction Fuzzy Hash: 6B115E726006049FDB10EF29D845A6AF7E9FF85325F00C51DF9A9D7391DB30A805CB81

Function 00A6A06A Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00A79468,?,00A8FB84,?), ref: 00A6A097
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00A79468,?,00A8FB84,?), ref: 00A6A0A9

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: f0174ccd57318e3f0013ab4c672291057a21e442e2f8e0a56fb0aea439710554
Instruction ID: d4bc41c2efd771b2aabe41eae0c376c75adbe15d8453ad8d829c695d1ee713c1
Opcode Fuzzy Hash: f0174ccd57318e3f0013ab4c672291057a21e442e2f8e0a56fb0aea439710554
Instruction Fuzzy Hash: EEF0823550522DABDB21AFA4DC49FEA776CFF18361F004165F919D6181DA309940CFA1

Function 00A581CB Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00A58309), ref: 00A581E0
CloseHandle.KERNEL32(?,?,00A58309), ref: 00A581F2

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 93582cd1cd0d2f7a3730a7ea01bd752b7d0359ba2db418a69058ecd9a31c3af4
Instruction ID: f0cc22e7de36b89779d593aa3bbb5111bb38fa08f132739ca5830e624375c0cd
Opcode Fuzzy Hash: 93582cd1cd0d2f7a3730a7ea01bd752b7d0359ba2db418a69058ecd9a31c3af4
Instruction Fuzzy Hash: 1CE0B672011621AEE7256BA4FC09D777BAAEB043117258929B8A684471DB62AC91DB10

Function 00A2A155 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00A28D57,?,?,?,00000001), ref: 00A2A15A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00A2A163

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 31cb72239b3dc3d549f974b5aff16b6336e1320d4b6e9aecb3a759da0ac17f5d
Instruction ID: 22caca5c2f486c7ea32260c7156a938e7d8be9afed4e1f482f90472f4ff5fe46
Opcode Fuzzy Hash: 31cb72239b3dc3d549f974b5aff16b6336e1320d4b6e9aecb3a759da0ac17f5d
Instruction Fuzzy Hash: 2AB0923125430AAFCA006BD1EC09B883F68EB46AA2F404020F61D88060CB6254528B91

Function 00A2F1D9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d52cd04561c6143ab6ff8ead6619821955b57fcebe5949a12bd2bdf6863aa29
Instruction ID: e6ea981e62ec860ac104a374850ba1cd1743a63227819859626466fbe1c56387
Opcode Fuzzy Hash: 1d52cd04561c6143ab6ff8ead6619821955b57fcebe5949a12bd2bdf6863aa29
Instruction Fuzzy Hash: 37320421E29F514DD7239639D83233AA299AFB73C4F15D737E81AB5AA5EF28C4C34100

Function 00A3242E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4251ba26dec6bcd84ad9c9225a16031c38f7e043c0e5984504e0810d870b30dc
Instruction ID: 6b8c3c62beb732f8846e29e6a512bb12f0744e1bf07a65b3ed876cddbcf6cd03
Opcode Fuzzy Hash: 4251ba26dec6bcd84ad9c9225a16031c38f7e043c0e5984504e0810d870b30dc
Instruction Fuzzy Hash: 5EB1EE30E2AF514DD72396798831336BA9CAFBB2C5F51D71BFC2674D22EB2185834281

Function 00A68889 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 00A6889B

Part of subcall function 00A2520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00A68F6E,00000000,?,?,?,?,00A6911F,00000000,?), ref: 00A25213
Part of subcall function 00A2520A: __aulldiv.LIBCMT ref: 00A25233

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: a8ca19be87535616f9a7c683fb54c01486bc44393c3bbe86c84a03751b356038
Instruction ID: d99fbb1d7db16dd1eb5b2661ebc897a7d802d222ebee18cd4c6b0bd0c350c9f3
Opcode Fuzzy Hash: a8ca19be87535616f9a7c683fb54c01486bc44393c3bbe86c84a03751b356038
Instruction Fuzzy Hash: 6921AF726256108BC729CF69D841A92B3E5EBA5311B698F6CD0F6CB2C0CA34A905CB54

Function 00A64C27 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00A64C4A

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 9d0066b49cb6526ee735e1c2f37de764327adba06c4ccee3931feed897c64073
Instruction ID: c68d22c21e4ef793cc0a1f9a5e90dbabfeda833d368b1a139a0dd8f64d039daf
Opcode Fuzzy Hash: 9d0066b49cb6526ee735e1c2f37de764327adba06c4ccee3931feed897c64073
Instruction Fuzzy Hash: 67D05EA116521A38FE1C07209E1FFBB0138E308782FD081497101CA2C1EC805C405130

Function 00A587B1 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00A58389), ref: 00A587D1

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 6e7b35bc7365ab8ee2f6b7bfa5618e773b554013a07bb055affb0d6899d08630
Instruction ID: f76a77f4e1d118acf59242c39d05c299a39571aa4e14523c572defaeaa7074e5
Opcode Fuzzy Hash: 6e7b35bc7365ab8ee2f6b7bfa5618e773b554013a07bb055affb0d6899d08630
Instruction Fuzzy Hash: 53D05E3226050EAFEF018EA4DC01EAE3B79EB04B01F408111FE15D50A1C775D835AB60

Function 00A2A124 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 00A2A12A

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: c2403dcb90956ec22b1a2be1c3122163547d23c4bc0c984ec319bf87d7332196
Instruction ID: bb559b27c7664074462c2c9a679654fece345ee83831b82ccc01761b7febd847
Opcode Fuzzy Hash: c2403dcb90956ec22b1a2be1c3122163547d23c4bc0c984ec319bf87d7332196
Instruction Fuzzy Hash: 31A0113000020EAB8A002B82EC08888BFACEA022A0B008020F80C880228B32A8228A80

Function 00A18808 Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5531599e2e9738e052ee299a364ca63d9a2537593381df7aab9de1f0ddebc4b2
Instruction ID: 4808fc293596ccf43b4d9432bf0d2dd9a5c9b6601aec3209e3dcf653edc7d418
Opcode Fuzzy Hash: 5531599e2e9738e052ee299a364ca63d9a2537593381df7aab9de1f0ddebc4b2
Instruction Fuzzy Hash: 74221130E04506CBDF288B74C4A47FCBBB2BF01385F29816ADA568B592DB789DD5CB41

Function 00A221C5 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 46854c399bc99124b91351dcec89c64c72c16fd3396e4702ac1282e084048fd0
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: AFC182322451B34ADB2D873DA43413EBAA19EA27B131A077DD8B3CB1D4EE24D965D720

Function 00A225FA Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 1aca0f3d43c28f3659e313fdc069d01a2c355bc11d2218121c400f185e9d439c
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 29C151322091B34ADF2D473E947423EBAA19EA27B131B077DD4B2DB1D5EE20C965D720

Function 00A21978 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 8f33fc9607a0749ba24061f90360cd144717e08dcd4cac4a121de1fc8278c8d9
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 6BC18F362491B349DF2D473EA47413EBAA19EB27B131B077DD4B2CB1D4EE20C966D620

Function 00A77806 Relevance: 79.2, APIs: 40, Strings: 5, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00A7785B
DeleteObject.GDI32(00000000), ref: 00A7786D
DestroyWindow.USER32 ref: 00A7787B
GetDesktopWindow.USER32 ref: 00A77895
GetWindowRect.USER32(00000000), ref: 00A7789C
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00A779DD
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00A779ED
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A77A35
GetClientRect.USER32(00000000,?), ref: 00A77A41
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00A77A7B
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A77A9D
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A77AB0
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A77ABB
GlobalLock.KERNEL32(00000000), ref: 00A77AC4
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A77AD3
GlobalUnlock.KERNEL32(00000000), ref: 00A77ADC
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A77AE3
GlobalFree.KERNEL32(00000000), ref: 00A77AEE
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A77B00
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00A92CAC,00000000), ref: 00A77B16
GlobalFree.KERNEL32(00000000), ref: 00A77B26
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00A77B4C
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00A77B6B
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A77B8D
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A77D7A

Strings

DISPLAY, xrefs: 00A77BDD
@U=u, xrefs: 00A77B6B, 00A77CFA
, xrefs: 00A77D00
static, xrefs: 00A77A75, 00A77BCC
AutoIt v3, xrefs: 00A77A2D

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $@U=u$AutoIt v3$DISPLAY$static
API String ID: 2211948467-3613752883
Opcode ID: bb9fb498b769bf7801c5624837f5030e93da3ab711df23895b530cc7635a0096
Instruction ID: 9e9c334acfa02724b5feed68f38dff41768eed74decfbef2af8be8df57cda572
Opcode Fuzzy Hash: bb9fb498b769bf7801c5624837f5030e93da3ab711df23895b530cc7635a0096
Instruction Fuzzy Hash: 36025B71A00119EFDB14DFA4DD89EAE7BB9FF49310F108168F915AB2A1D730AD42CB60

Function 00A8A5DA Relevance: 59.8, APIs: 33, Strings: 1, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00A8A630
GetSysColorBrush.USER32(0000000F), ref: 00A8A661
GetSysColor.USER32(0000000F), ref: 00A8A66D
SetBkColor.GDI32(?,000000FF), ref: 00A8A687
SelectObject.GDI32(?,00000000), ref: 00A8A696
InflateRect.USER32(?,000000FF,000000FF), ref: 00A8A6C1
GetSysColor.USER32(00000010), ref: 00A8A6C9
CreateSolidBrush.GDI32(00000000), ref: 00A8A6D0
FrameRect.USER32(?,?,00000000), ref: 00A8A6DF
DeleteObject.GDI32(00000000), ref: 00A8A6E6
InflateRect.USER32(?,000000FE,000000FE), ref: 00A8A731
FillRect.USER32(?,?,00000000), ref: 00A8A763
GetWindowLongW.USER32(?,000000F0), ref: 00A8A78E

Part of subcall function 00A8A8CA: GetSysColor.USER32(00000012), ref: 00A8A903
Part of subcall function 00A8A8CA: SetTextColor.GDI32(?,?), ref: 00A8A907
Part of subcall function 00A8A8CA: GetSysColorBrush.USER32(0000000F), ref: 00A8A91D
Part of subcall function 00A8A8CA: GetSysColor.USER32(0000000F), ref: 00A8A928
Part of subcall function 00A8A8CA: GetSysColor.USER32(00000011), ref: 00A8A945
Part of subcall function 00A8A8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00A8A953
Part of subcall function 00A8A8CA: SelectObject.GDI32(?,00000000), ref: 00A8A964
Part of subcall function 00A8A8CA: SetBkColor.GDI32(?,00000000), ref: 00A8A96D
Part of subcall function 00A8A8CA: SelectObject.GDI32(?,?), ref: 00A8A97A
Part of subcall function 00A8A8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 00A8A999
Part of subcall function 00A8A8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00A8A9B0
Part of subcall function 00A8A8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 00A8A9C5
Part of subcall function 00A8A8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00A8A9ED

Strings

@U=u, xrefs: 00A8A7B8

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID: @U=u
API String ID: 3521893082-2594219639
Opcode ID: bd80c681e6d927377e5420750def21640f7fb95b381bd706c46bcda8018c32cd
Instruction ID: d3bf237628938f45440d3c6ad93c75b8bf68bef81c3ff1f2efc5efd57dbc8334
Opcode Fuzzy Hash: bd80c681e6d927377e5420750def21640f7fb95b381bd706c46bcda8018c32cd
Instruction Fuzzy Hash: 4A915B72408302AFD710EFA4DC08A5B7BB9FB89321F144B2AF962D61A1D771D946CB52

Function 00A8356B Relevance: 52.9, APIs: 6, Strings: 24, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,00A8F910), ref: 00A83627
IsWindowVisible.USER32(?), ref: 00A8364B

Strings

EDITPASTE, xrefs: 00A8395F
DELSTRING, xrefs: 00A83749
ADDSTRING, xrefs: 00A83716
CURRENTTAB, xrefs: 00A836BD
GETSELECTED, xrefs: 00A838A3
ISENABLED, xrefs: 00A8366B
ISCHECKED, xrefs: 00A83839
CHECK, xrefs: 00A8386D
TABRIGHT, xrefs: 00A8369D
GETLINECOUNT, xrefs: 00A838C6
GETCURRENTCOL, xrefs: 00A83928
HIDEDROPDOWN, xrefs: 00A83700
@U=u, xrefs: 00A838E3, 00A8390A, 00A83993
SETCURRENTSELECTION, xrefs: 00A837B6
GETLINE, xrefs: 00A8399B
FINDSTRING, xrefs: 00A83776
SENDCOMMANDID, xrefs: 00A839DA
GETCURRENTLINE, xrefs: 00A838ED
GETCURRENTSELECTION, xrefs: 00A837E3
UNCHECK, xrefs: 00A83883
ISVISIBLE, xrefs: 00A83637
SHOWDROPDOWN, xrefs: 00A836E0
TABLEFT, xrefs: 00A83687
SELECTSTRING, xrefs: 00A83806

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: @U=u$ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-3469695742
Opcode ID: 2f32498c35807407b5ece88785846023d033faaaaf8ede2906f8ea4eb26e4098
Instruction ID: 851bacaf034a7a626d18d76726ce7883304dcefb92b28e419984a854afa9a886
Opcode Fuzzy Hash: 2f32498c35807407b5ece88785846023d033faaaaf8ede2906f8ea4eb26e4098
Instruction Fuzzy Hash: B1D16C712042019FCF04FF14C6A1AAFBBA5AF95794F544468F8825B3A3DB35EE4ACB41

Function 00A02C18 Relevance: 51.2, APIs: 27, Strings: 2, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00A02CA2
DeleteObject.GDI32(00000000), ref: 00A02CE8
DeleteObject.GDI32(00000000), ref: 00A02CF3
DestroyIcon.USER32(00000000,?,?,?), ref: 00A02CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 00A02D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 00A3C43B
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00A3C474
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00A3C89D

Part of subcall function 00A01B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00A02036,?,00000000,?,?,?,?,00A016CB,00000000,?), ref: 00A01B9A

SendMessageW.USER32(?,00001053), ref: 00A3C8DA
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00A3C8F1
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00A3C907
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00A3C912

Strings

@U=u, xrefs: 00A3C43B, 00A3C542, 00A3C81D
0, xrefs: 00A3C731

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0$@U=u
API String ID: 464785882-975001249
Opcode ID: c9a0443d99e09d1623d2ad4a1f58ce154aa1a1181bc4aebe82f0b8cf8b33e263
Instruction ID: b66947cd18ea28c833aa53ccf60275202102312e0c9ee85fe70f8ef9d17737d1
Opcode Fuzzy Hash: c9a0443d99e09d1623d2ad4a1f58ce154aa1a1181bc4aebe82f0b8cf8b33e263
Instruction Fuzzy Hash: C9129C30600206EFDB25CF24D988BA9BBE5BF44324F544569F895EB2A2C731EC52CB91

Function 00A774AB Relevance: 47.5, APIs: 22, Strings: 5, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00A774DE
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00A7759D
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00A775DB
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00A775ED
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00A77633
GetClientRect.USER32(00000000,?), ref: 00A7763F
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00A77683
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00A77692
GetStockObject.GDI32(00000011), ref: 00A776A2
SelectObject.GDI32(00000000,00000000), ref: 00A776A6
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00A776B6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00A776BF
DeleteDC.GDI32(00000000), ref: 00A776C8
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00A776F4
SendMessageW.USER32(00000030,00000000,00000001), ref: 00A7770B
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00A77746
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00A7775A
SendMessageW.USER32(00000404,00000001,00000000), ref: 00A7776B
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00A7779B
GetStockObject.GDI32(00000011), ref: 00A777A6
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00A777B1
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00A777BB

Strings

msctls_progress32, xrefs: 00A7773C
DISPLAY, xrefs: 00A77688
@U=u, xrefs: 00A776FA
static, xrefs: 00A7767D, 00A77795
AutoIt v3, xrefs: 00A7762B

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: @U=u$AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-2771358697
Opcode ID: fb74aedb7574074a900b4378963453178b7bc1182b94703d2e9ec415174e307f
Instruction ID: b92b6adc9ec79f1ce673dc67a0ecb992b7e5cb46e658030ff2e4b570e8782603
Opcode Fuzzy Hash: fb74aedb7574074a900b4378963453178b7bc1182b94703d2e9ec415174e307f
Instruction Fuzzy Hash: 5BA18FB1A40609BFEB14DBA4DC4AFAF7BB9EB04710F008214FA15A72E1D770AD41CB64

Function 00A8A8CA Relevance: 47.4, APIs: 26, Strings: 1, Instructions: 187windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00A8A903
SetTextColor.GDI32(?,?), ref: 00A8A907
GetSysColorBrush.USER32(0000000F), ref: 00A8A91D
GetSysColor.USER32(0000000F), ref: 00A8A928
CreateSolidBrush.GDI32(?), ref: 00A8A92D
GetSysColor.USER32(00000011), ref: 00A8A945
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00A8A953
SelectObject.GDI32(?,00000000), ref: 00A8A964
SetBkColor.GDI32(?,00000000), ref: 00A8A96D
SelectObject.GDI32(?,?), ref: 00A8A97A
InflateRect.USER32(?,000000FF,000000FF), ref: 00A8A999
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00A8A9B0
GetWindowLongW.USER32(00000000,000000F0), ref: 00A8A9C5
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00A8A9ED
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00A8AA14
InflateRect.USER32(?,000000FD,000000FD), ref: 00A8AA32
DrawFocusRect.USER32(?,?), ref: 00A8AA3D
GetSysColor.USER32(00000011), ref: 00A8AA4B
SetTextColor.GDI32(?,00000000), ref: 00A8AA53
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00A8AA67
SelectObject.GDI32(?,00A8A5FA), ref: 00A8AA7E
DeleteObject.GDI32(?), ref: 00A8AA89
SelectObject.GDI32(?,?), ref: 00A8AA8F
DeleteObject.GDI32(?), ref: 00A8AA94
SetTextColor.GDI32(?,?), ref: 00A8AA9A
SetBkColor.GDI32(?,?), ref: 00A8AAA4

Strings

@U=u, xrefs: 00A8A9ED

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID: @U=u
API String ID: 1996641542-2594219639
Opcode ID: f584cbceed2b1e92f60f93e906738719d342104280b878371ef1db570d921edc
Instruction ID: e621a3bc7de52ccda6f550e29345e46311536fe7eb16d0a242c1df3bb353e359
Opcode Fuzzy Hash: f584cbceed2b1e92f60f93e906738719d342104280b878371ef1db570d921edc
Instruction Fuzzy Hash: 48512D71901209EFDB11EFE4DC48EAE7B79FB08320F214626FA11AB2A1D7759941DB90

Function 00A6AD10 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00A6AD1E
GetDriveTypeW.KERNEL32(?,00A8FAC0,?,\\.\,00A8F910), ref: 00A6ADFB
SetErrorMode.KERNEL32(00000000,00A8FAC0,?,\\.\,00A8F910), ref: 00A6AF59

Strings

PhysicalDrive, xrefs: 00A6ADA7
Virtual, xrefs: 00A6AF21
Fixed, xrefs: 00A6AE43
Network, xrefs: 00A6AE39
RAID, xrefs: 00A6AEF7
CDROM, xrefs: 00A6AE2F
SSD, xrefs: 00A6AE86
SSA, xrefs: 00A6AEE2
SCSI, xrefs: 00A6AEC6
Fibre, xrefs: 00A6AEE9
USB, xrefs: 00A6AEF0
1394, xrefs: 00A6AEDB
SATA, xrefs: 00A6AF0C
Removable, xrefs: 00A6AE4D
iSCSI, xrefs: 00A6AEFE
RAMDisk, xrefs: 00A6AE25
ATA, xrefs: 00A6AED4
ATAPI, xrefs: 00A6AECD
MMC, xrefs: 00A6AF1A
\\.\, xrefs: 00A6AD70
SAS, xrefs: 00A6AF05
FileBackedVirtual, xrefs: 00A6AF28
Unknown, xrefs: 00A6AE1B, 00A6AEBF

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: dcb5472039f328c5ba473c3d8058e1ede5ee26c390864bd631abc2e209acea93
Instruction ID: 57a4c67eec487331ef44e300fc5d2e4e8577a903e2e8710972795ed2f3b8dbcf
Opcode Fuzzy Hash: dcb5472039f328c5ba473c3d8058e1ede5ee26c390864bd631abc2e209acea93
Instruction Fuzzy Hash: 395174B0644209EBCB10EB64C992CBD73B9FF29740B20885AE407B72D2DA759D42DF53

Function 00A89A1C Relevance: 44.2, APIs: 23, Strings: 2, Instructions: 455windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00A89AD2
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00A89B8B
SendMessageW.USER32(?,00001102,00000002,?), ref: 00A89BA7

Strings

@U=u, xrefs: 00A89B8B, 00A89BA7, 00A89D23, 00A89D56, 00A89DB6, 00A89E00, 00A89E60, 00A89E84, 00A89F40
0, xrefs: 00A89BE4

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0$@U=u
API String ID: 2326795674-975001249
Opcode ID: a1b0202905f129c33cd522971f5b1fb9879c496e5621c7703f42dd3635147e1e
Instruction ID: a90728c3bac98d583f5083c6ab719eb57b3635b033480c3d44d983585a41d06a
Opcode Fuzzy Hash: a1b0202905f129c33cd522971f5b1fb9879c496e5621c7703f42dd3635147e1e
Instruction Fuzzy Hash: DE02DB70104301AFE729EF24C888BBBBBE5FF49304F08862DF999962A1D735D945CB52

Function 00A068DC Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00A06931
__wcsnicmp.LIBCMT ref: 00A06949
__wcsnicmp.LIBCMT ref: 00A06961
__wcsnicmp.LIBCMT ref: 00A06979
__wcsnicmp.LIBCMT ref: 00A06991
__wcsnicmp.LIBCMT ref: 00A069A9
__wcsnicmp.LIBCMT ref: 00A069C1
__wcsnicmp.LIBCMT ref: 00A069D5
__wcsnicmp.LIBCMT ref: 00A06A16
__wcsnicmp.LIBCMT ref: 00A06A2A
__wcsnicmp.LIBCMT ref: 00A06A3E
__wcsnicmp.LIBCMT ref: 00A06A52

Strings

#include, xrefs: 00A069A3
#notrayicon, xrefs: 00A06943
#include-once, xrefs: 00A0698B
Unterminated group of comments, xrefs: 00A3E403
#requireadmin, xrefs: 00A0695B
#comments-start, xrefs: 00A069BB, 00A06A10
#ce, xrefs: 00A06A4C
#cs, xrefs: 00A069CF, 00A06A24
Cannot parse #include, xrefs: 00A3E3F0
Bad directive syntax error, xrefs: 00A3E31A
#comments-end, xrefs: 00A06A38
#OnAutoItStartRegister, xrefs: 00A06973
#pragma compile, xrefs: 00A0692B

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 183202759185b85efe8db2cf9a5fc7dd9c857024d3f49b183318c2a2ccee2151
Instruction ID: d0d3df3ec3cce5b1cbec48885d7d229ad9d40feee3b0a92247e788d3bb2f83d0
Opcode Fuzzy Hash: 183202759185b85efe8db2cf9a5fc7dd9c857024d3f49b183318c2a2ccee2151
Instruction Fuzzy Hash: 7381F2B170021ABEDF20FB64FD42FAA37A8AF05744F044424F905AA1D2EB70DA65C6A1

Function 00A889D5 Relevance: 40.7, APIs: 21, Strings: 2, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00A88AC1
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00A88AD2
CharNextW.USER32(0000014E), ref: 00A88B01
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00A88B42
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00A88B58
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00A88B69
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00A88B86
SetWindowTextW.USER32(?,0000014E), ref: 00A88BD8
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00A88BEE
SendMessageW.USER32(?,00001002,00000000,?), ref: 00A88C1F
_memset.LIBCMT ref: 00A88C44
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00A88C8D
_memset.LIBCMT ref: 00A88CEC
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00A88D16
SendMessageW.USER32(?,00001074,?,00000001), ref: 00A88D6E
SendMessageW.USER32(?,0000133D,?,?), ref: 00A88E1B
InvalidateRect.USER32(?,00000000,00000001), ref: 00A88E3D
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00A88E87
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00A88EB4
DrawMenuBar.USER32(?), ref: 00A88EC3
SetWindowTextW.USER32(?,0000014E), ref: 00A88EEB

Strings

@U=u, xrefs: 00A88AC1, 00A88AD2, 00A88B07, 00A88B86, 00A88BEE, 00A88C1F, 00A88C8D, 00A88D16, 00A88D6E, 00A88E1B
0, xrefs: 00A88E55

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0$@U=u
API String ID: 1073566785-975001249
Opcode ID: e732149e032dad5efcf957a535b98db2c1b47fc2fdcd848e1a243735ed36c153
Instruction ID: 8e5540bbff7ea9bfdf0d36acf4f217c07c371754e5ed277df3b4bf5b08d12f43
Opcode Fuzzy Hash: e732149e032dad5efcf957a535b98db2c1b47fc2fdcd848e1a243735ed36c153
Instruction Fuzzy Hash: 06E17074900219AFDF20EFA4CC84EEE7BB9EF05750F508166FA15AA190DF789981DF60

Function 00A8488F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00A849CA
GetDesktopWindow.USER32 ref: 00A849DF
GetWindowRect.USER32(00000000), ref: 00A849E6
GetWindowLongW.USER32(?,000000F0), ref: 00A84A48
DestroyWindow.USER32(?), ref: 00A84A74
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00A84A9D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00A84ABB
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00A84AE1
SendMessageW.USER32(?,00000421,?,?), ref: 00A84AF6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00A84B09
IsWindowVisible.USER32(?), ref: 00A84B29
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00A84B44
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00A84B58
GetWindowRect.USER32(?,?), ref: 00A84B70
MonitorFromPoint.USER32(?,?,00000002), ref: 00A84B96
GetMonitorInfoW.USER32(00000000,?), ref: 00A84BB0
CopyRect.USER32(?,?), ref: 00A84BC7
SendMessageW.USER32(?,00000412,00000000), ref: 00A84C32

Strings

0, xrefs: 00A84975
(, xrefs: 00A84BA3
tooltips_class32, xrefs: 00A84A96

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 5cf9a51b9dedbed8b05783cd22c3f31b0bd40bd4bce7ee9b431576ceb5bb69e4
Instruction ID: 9e8567edc1fe3754780eb6c12abe2369009c63af16779e3571e403785147347f
Opcode Fuzzy Hash: 5cf9a51b9dedbed8b05783cd22c3f31b0bd40bd4bce7ee9b431576ceb5bb69e4
Instruction Fuzzy Hash: FCB16971604342AFDB04EF64D948B6BBBE4FF88314F008A1DF999AB2A1D771E805CB55

Function 00A6449A Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00A644AC
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00A644D2
_wcscpy.LIBCMT ref: 00A64500
_wcscmp.LIBCMT ref: 00A6450B
_wcscat.LIBCMT ref: 00A64521
_wcsstr.LIBCMT ref: 00A6452C
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00A64548
_wcscat.LIBCMT ref: 00A64591
_wcscat.LIBCMT ref: 00A64598
_wcsncpy.LIBCMT ref: 00A645C3

Strings

%u.%u.%u.%u, xrefs: 00A64626
04090000, xrefs: 00A6457E
\VarFileInfo\Translation, xrefs: 00A64540
DefaultLangCodepage, xrefs: 00A645AB
StringFileInfo\, xrefs: 00A6451B

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: 9af117fbdc8b78c519344b97d39ce6ce31a53bac499cdb44c58189b0fab2ebb8
Instruction ID: 67b6bb01d95beba233a58d7958d49dd92b3226823119bdcecf5e7b97f10784cf
Opcode Fuzzy Hash: 9af117fbdc8b78c519344b97d39ce6ce31a53bac499cdb44c58189b0fab2ebb8
Instruction Fuzzy Hash: 0F41D4329002157FEB15BB78ED47EBF777CEF46710F04047AF905A6182EA349A0197A5

Function 00A027D9 Relevance: 35.3, APIs: 18, Strings: 2, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00A028BC
GetSystemMetrics.USER32(00000007), ref: 00A028C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00A028EF
GetSystemMetrics.USER32(00000008), ref: 00A028F7
GetSystemMetrics.USER32(00000004), ref: 00A0291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00A02939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00A02949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00A0297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00A02990
GetClientRect.USER32(00000000,000000FF), ref: 00A029AE
GetStockObject.GDI32(00000011), ref: 00A029CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 00A029D5

Part of subcall function 00A02344: GetCursorPos.USER32(?), ref: 00A02357
Part of subcall function 00A02344: ScreenToClient.USER32(00AC57B0,?), ref: 00A02374
Part of subcall function 00A02344: GetAsyncKeyState.USER32(00000001), ref: 00A02399
Part of subcall function 00A02344: GetAsyncKeyState.USER32(00000002), ref: 00A023A7

SetTimer.USER32(00000000,00000000,00000028,00A01256), ref: 00A029FC

Strings

@U=u, xrefs: 00A029D5
AutoIt v3 GUI, xrefs: 00A02974

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: @U=u$AutoIt v3 GUI
API String ID: 1458621304-2077007950
Opcode ID: 2dcb21ba8d463e20c844432d9d246e347da3ec8d6e771c726f737394a021e145
Instruction ID: 1dc179196e32d873084bcb4a556c0f81f2141de2e9f5ba61ba17d5b486a5f1d1
Opcode Fuzzy Hash: 2dcb21ba8d463e20c844432d9d246e347da3ec8d6e771c726f737394a021e145
Instruction Fuzzy Hash: 36B15C75A0020AEFDB14DFA8DD49BAE7BB4FB08314F114229FA15E72E0DB74A851DB50

Function 00A8BA33 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 130filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00A8BA56
GetFileSize.KERNEL32(00000000,00000000), ref: 00A8BA6D
GlobalAlloc.KERNEL32(00000002,00000000), ref: 00A8BA78
CloseHandle.KERNEL32(00000000), ref: 00A8BA85
GlobalLock.KERNEL32(00000000), ref: 00A8BA8E
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00A8BA9D
GlobalUnlock.KERNEL32(00000000), ref: 00A8BAA6
CloseHandle.KERNEL32(00000000), ref: 00A8BAAD
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00A8BABE
OleLoadPicture.OLEAUT32(?,00000000,00000000,00A92CAC,?), ref: 00A8BAD7
GlobalFree.KERNEL32(00000000), ref: 00A8BAE7
GetObjectW.GDI32(?,00000018,000000FF), ref: 00A8BB0B
CopyImage.USER32(?,00000000,?,?,00002000), ref: 00A8BB36
DeleteObject.GDI32(00000000), ref: 00A8BB5E
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00A8BB74

Strings

@U=u, xrefs: 00A8BB74

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID: @U=u
API String ID: 3840717409-2594219639
Opcode ID: 8bce19f15f503ace7a722eef4112476740436ea632b9c5ff80ccda3131262f04
Instruction ID: 765be562099fa630926d21d091f9a43b89c898e716c793fde97736596746160c
Opcode Fuzzy Hash: 8bce19f15f503ace7a722eef4112476740436ea632b9c5ff80ccda3131262f04
Instruction Fuzzy Hash: 20411775600209EFDB21EFA5DC88EAABBB8FF89711F104169F905D7260D7309E02DB60

Function 00A5A439 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00A5A47A
__swprintf.LIBCMT ref: 00A5A51B
_wcscmp.LIBCMT ref: 00A5A52E
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00A5A583
_wcscmp.LIBCMT ref: 00A5A5BF
GetClassNameW.USER32(?,?,00000400), ref: 00A5A5F6
GetDlgCtrlID.USER32(?), ref: 00A5A648
GetWindowRect.USER32(?,?), ref: 00A5A67E
GetParent.USER32(?), ref: 00A5A69C
ScreenToClient.USER32(00000000), ref: 00A5A6A3
GetClassNameW.USER32(?,?,00000100), ref: 00A5A71D
_wcscmp.LIBCMT ref: 00A5A731
GetWindowTextW.USER32(?,?,00000400), ref: 00A5A757
_wcscmp.LIBCMT ref: 00A5A76B

Part of subcall function 00A2362C: _iswctype.LIBCMT ref: 00A23634

Strings

%s%u, xrefs: 00A5A515

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: 09b3fdbed99e4f416840c3f89d9857c213d0e523484cf007b1980c6653ec60d1
Instruction ID: 782b917b802ed13b3d1a3b7cebee3375d9a43857379f4eefb497cd32ea0cbbfd
Opcode Fuzzy Hash: 09b3fdbed99e4f416840c3f89d9857c213d0e523484cf007b1980c6653ec60d1
Instruction Fuzzy Hash: 4EA1D271304206AFDB14DF64C884FAAB7E8FF58352F048629FD99D2190DB30E959CB92

Function 00A5AED4 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 00A5AF18
_wcscmp.LIBCMT ref: 00A5AF29
GetWindowTextW.USER32(00000001,?,00000400), ref: 00A5AF51
CharUpperBuffW.USER32(?,00000000), ref: 00A5AF6E
_wcscmp.LIBCMT ref: 00A5AF8C
_wcsstr.LIBCMT ref: 00A5AF9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00A5AFD5
_wcscmp.LIBCMT ref: 00A5AFE5
GetWindowTextW.USER32(00000002,?,00000400), ref: 00A5B00C
GetClassNameW.USER32(00000018,?,00000400), ref: 00A5B055
_wcscmp.LIBCMT ref: 00A5B065
GetClassNameW.USER32(00000010,?,00000400), ref: 00A5B08D
GetWindowRect.USER32(00000004,?), ref: 00A5B0F6

Strings

ThumbnailClass, xrefs: 00A5AFE0, 00A5B060
@, xrefs: 00A5AEF9

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 7e7cfd02f732e4cdd880fdcedb5fcc70b43d9c61616e4f93b926860141484132
Instruction ID: 71859786257627dec76bb798a725db8e8550eabba36ad113d0d493c9cad11986
Opcode Fuzzy Hash: 7e7cfd02f732e4cdd880fdcedb5fcc70b43d9c61616e4f93b926860141484132
Instruction Fuzzy Hash: 4C81E17111820A9FDB04DF14C981FAA77E8FF54316F04866AFD858A092DB34DD4DCBA1

Function 00A8A1B9 Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A8A259
DestroyWindow.USER32(?,?), ref: 00A8A2D3

Part of subcall function 00A07BCC: _memmove.LIBCMT ref: 00A07C06

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00A8A34D
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00A8A36F
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00A8A382
DestroyWindow.USER32(00000000), ref: 00A8A3A4
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00A00000,00000000), ref: 00A8A3DB
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00A8A3F4
GetDesktopWindow.USER32 ref: 00A8A40D
GetWindowRect.USER32(00000000), ref: 00A8A414
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00A8A42C
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00A8A444

Part of subcall function 00A025DB: GetWindowLongW.USER32(?,000000EB), ref: 00A025EC

Strings

@U=u, xrefs: 00A8A36F, 00A8A382, 00A8A3F4, 00A8A41E
0, xrefs: 00A8A26F
tooltips_class32, xrefs: 00A8A346, 00A8A3D4

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$@U=u$tooltips_class32
API String ID: 1297703922-1130792468
Opcode ID: 9f1f2b1a21187033d7b5af9fe04d86476a12f2608f0645a72e39d4ec20f6ff08
Instruction ID: 5006b1c5239fa8ffe0d264d660de0ab1c03b381d3a0e9e1cd365c1f4c6dbcd2d
Opcode Fuzzy Hash: 9f1f2b1a21187033d7b5af9fe04d86476a12f2608f0645a72e39d4ec20f6ff08
Instruction Fuzzy Hash: 4271DF70541345AFEB21DF68CC48F6A7BE5FB99300F04492EF9868B2A0D770E946DB52

Function 00A8C5FE Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00A02612: GetWindowLongW.USER32(?,000000EB), ref: 00A02623

DragQueryPoint.SHELL32(?,?), ref: 00A8C627

Part of subcall function 00A8AB37: ClientToScreen.USER32(?,?), ref: 00A8AB60
Part of subcall function 00A8AB37: GetWindowRect.USER32(?,?), ref: 00A8ABD6
Part of subcall function 00A8AB37: PtInRect.USER32(?,?,00A8C014), ref: 00A8ABE6

SendMessageW.USER32(?,000000B0,?,?), ref: 00A8C690
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00A8C69B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00A8C6BE
_wcscat.LIBCMT ref: 00A8C6EE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00A8C705
SendMessageW.USER32(?,000000B0,?,?), ref: 00A8C71E
SendMessageW.USER32(?,000000B1,?,?), ref: 00A8C735
SendMessageW.USER32(?,000000B1,?,?), ref: 00A8C757
DragFinish.SHELL32(?), ref: 00A8C75E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00A8C851

Strings

@U=u, xrefs: 00A8C690, 00A8C705, 00A8C71E, 00A8C735, 00A8C757
@GUI_DRAGFILE, xrefs: 00A8C800
@GUI_DRAGID, xrefs: 00A8C7C9
@GUI_DROPID, xrefs: 00A8C77E

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$@U=u
API String ID: 169749273-762882726
Opcode ID: d4e3a78a0da2e8503d28db437fbc49db67b54f2d24f748f0219510dce8595949
Instruction ID: f1099980d959d7d17b25a719f352568f09bf9ea5e342f0c0fa4643c3c03b605a
Opcode Fuzzy Hash: d4e3a78a0da2e8503d28db437fbc49db67b54f2d24f748f0219510dce8595949
Instruction Fuzzy Hash: 1C618C71508305AFC701EFA4DD85DAFBBE8FF89350F00092EF591922A1DB30A949CB62

Function 00A5ABD4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00A5AC33

Strings

[ACTIVE, xrefs: 00A5AC20
[CLASS:, xrefs: 00A5AC83
[HANDLE:, xrefs: 00A5AC3F
[REGEXPTITLE:, xrefs: 00A5AC5B
[LAST, xrefs: 00A5ACE0
CLASSNAME=, xrefs: 00A5AC70
ACTIVE, xrefs: 00A5AC0E
REGEXP=, xrefs: 00A5AC48
ALL, xrefs: 00A5ACC7
[ALL, xrefs: 00A5ACD9
LAST, xrefs: 00A5ABF8
HANDLE=, xrefs: 00A5AC2C

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 12e820b736643fc9f17dacb0d2d6469dd19da14b5ca32942d973096048facae3
Instruction ID: 62231ab05a3f7b70fba5d5d8f4b8e9add19e60702be6646ec8ed2da69ba07e8f
Opcode Fuzzy Hash: 12e820b736643fc9f17dacb0d2d6469dd19da14b5ca32942d973096048facae3
Instruction Fuzzy Hash: 90315871A48209BADB14FBA4EF43EEE77687F20751F600529F846710D2EF716F089652

Function 00A74FFD Relevance: 25.6, APIs: 17, Instructions: 110COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 00A75013
LoadCursorW.USER32(00000000,00007F00), ref: 00A7501E
LoadCursorW.USER32(00000000,00007F03), ref: 00A75029
LoadCursorW.USER32(00000000,00007F8B), ref: 00A75034
LoadCursorW.USER32(00000000,00007F01), ref: 00A7503F
LoadCursorW.USER32(00000000,00007F81), ref: 00A7504A
LoadCursorW.USER32(00000000,00007F88), ref: 00A75055
LoadCursorW.USER32(00000000,00007F80), ref: 00A75060
LoadCursorW.USER32(00000000,00007F86), ref: 00A7506B
LoadCursorW.USER32(00000000,00007F83), ref: 00A75076
LoadCursorW.USER32(00000000,00007F85), ref: 00A75081
LoadCursorW.USER32(00000000,00007F82), ref: 00A7508C
LoadCursorW.USER32(00000000,00007F84), ref: 00A75097
LoadCursorW.USER32(00000000,00007F04), ref: 00A750A2
LoadCursorW.USER32(00000000,00007F02), ref: 00A750AD
LoadCursorW.USER32(00000000,00007F89), ref: 00A750B8
GetCursorInfo.USER32(?), ref: 00A750C8

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: 1128ab06e6c255295d71d31644c906a705560959022eb40185993c8a6a2473e4
Instruction ID: f805f165c16045021b479568c918cf0686450f5c23d0e2bc233949502441a8bd
Opcode Fuzzy Hash: 1128ab06e6c255295d71d31644c906a705560959022eb40185993c8a6a2473e4
Instruction Fuzzy Hash: D431F4B1D4831E6ADF109FB69C8995FBFE8FF04750F50852AA50DE7280DA7865018F91

Function 00A84392 Relevance: 24.8, APIs: 2, Strings: 12, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00A84424
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00A8446F

Strings

SELECT, xrefs: 00A84620
GETITEMCOUNT, xrefs: 00A84551
@U=u, xrefs: 00A8446F
GETSELECTED, xrefs: 00A8457F
GETTEXT, xrefs: 00A845C2
EXPAND, xrefs: 00A84521
GETTOTALCOUNT, xrefs: 00A84456
UNCHECK, xrefs: 00A8464B
ISCHECKED, xrefs: 00A845F2
EXISTS, xrefs: 00A844D8
CHECK, xrefs: 00A8448F
COLLAPSE, xrefs: 00A844B5

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: @U=u$CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-383632319
Opcode ID: e21f13bba303e805c01c7f2283ef3e53467349ce21dec3f2c9f9a836080c93a7
Instruction ID: 2c4b9b226665bb72cc60ce10365bc9d14498856c5694229e2028558e30961b69
Opcode Fuzzy Hash: e21f13bba303e805c01c7f2283ef3e53467349ce21dec3f2c9f9a836080c93a7
Instruction Fuzzy Hash: C0917C712043129FCB04EF24D551A6EB7E5AF99350F448868F8965B3A3DB31ED4ACB81

Function 00A8B7FE Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00A8B8B4
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00A86B11,?), ref: 00A8B910
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00A8B949
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00A8B98C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00A8B9C3
FreeLibrary.KERNEL32(?), ref: 00A8B9CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00A8B9DF
DestroyIcon.USER32(?), ref: 00A8B9EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00A8BA0B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00A8BA17

Part of subcall function 00A22EFD: __wcsicmp_l.LIBCMT ref: 00A22F86

Strings

@U=u, xrefs: 00A8B9F7
.icl, xrefs: 00A8B82A
.dll, xrefs: 00A8B86D
.exe, xrefs: 00A8B84A

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl$@U=u
API String ID: 1212759294-1639919054
Opcode ID: 90f06112a2fb7f1dc3a84c90e61e74990a05bad10f534a940539f7727e61c6a1
Instruction ID: b1ef88832b901d8de678656d2f669df7e2405940b8efbeaa8bf799cf998f3add
Opcode Fuzzy Hash: 90f06112a2fb7f1dc3a84c90e61e74990a05bad10f534a940539f7727e61c6a1
Instruction Fuzzy Hash: 92610E71910219BEEB14EFA4DC41FBE7BACFB08720F108215FA11D61C1DB74A991DBA0

Function 00A6A352 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00A09837: __itow.LIBCMT ref: 00A09862
Part of subcall function 00A09837: __swprintf.LIBCMT ref: 00A098AC

CharLowerBuffW.USER32(?,?), ref: 00A6A3CB
GetDriveTypeW.KERNEL32 ref: 00A6A418
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00A6A460
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00A6A497
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00A6A4C5

Part of subcall function 00A07BCC: _memmove.LIBCMT ref: 00A07C06

Strings

close, xrefs: 00A6A3D1
type cdaudio alias cd wait, xrefs: 00A6A443
open, xrefs: 00A6A3F2
open , xrefs: 00A6A427
close cd wait, xrefs: 00A6A4B0
closed, xrefs: 00A6A3DF, 00A6A3E8
wait, xrefs: 00A6A482
set cd door , xrefs: 00A6A466

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: 6e6d5de5f3ff6827862981ffedffafd7089054f3dda77a61c857d4771055e7c6
Instruction ID: 9cc400ae13a1723ab11e2ae7573e864c419e99658ab4e427cb855caf3bc5055f
Opcode Fuzzy Hash: 6e6d5de5f3ff6827862981ffedffafd7089054f3dda77a61c857d4771055e7c6
Instruction Fuzzy Hash: EE512A715042099FC700EF24D99586EB7F8FF94758F10886DF89A672A2DB31AD0ACF52

Function 00A5F8AA Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,00A3E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 00A5F8DF
LoadStringW.USER32(00000000,?,00A3E029,00000001), ref: 00A5F8E8

Part of subcall function 00A07DE1: _memmove.LIBCMT ref: 00A07E22

GetModuleHandleW.KERNEL32(00000000,00AC5310,?,00000FFF,?,?,00A3E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 00A5F90A
LoadStringW.USER32(00000000,?,00A3E029,00000001), ref: 00A5F90D
__swprintf.LIBCMT ref: 00A5F95D
__swprintf.LIBCMT ref: 00A5F96E
_wprintf.LIBCMT ref: 00A5FA17
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00A5FA2E

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00A5FA12
Line %d:, xrefs: 00A5F968
^ ERROR, xrefs: 00A5F9C3
Line %d (File "%s"):, xrefs: 00A5F957
Error: , xrefs: 00A5F9E5

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: 1a62696a0c98945d8cf794aaf83350d73508469ed9661c1e829436fd80b1f7da
Instruction ID: f3fe904d146e91256d5c225f3f77c77453afe3315956ec1afbd32cf447bd677c
Opcode Fuzzy Hash: 1a62696a0c98945d8cf794aaf83350d73508469ed9661c1e829436fd80b1f7da
Instruction Fuzzy Hash: 2E411972D0411DAACF04FBE4EE96EEEB77CAF14341F500465B606B6092EA356F09CB61

Function 00A6D899 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 00A6DA10
_wcscat.LIBCMT ref: 00A6DA28
_wcscat.LIBCMT ref: 00A6DA3A
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00A6DA4F
SetCurrentDirectoryW.KERNEL32(?), ref: 00A6DA63
GetFileAttributesW.KERNEL32(?), ref: 00A6DA7B
SetFileAttributesW.KERNEL32(?,00000000), ref: 00A6DA95
SetCurrentDirectoryW.KERNEL32(?), ref: 00A6DAA7

Strings

*.*, xrefs: 00A6DAE6

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: 24adec2d645d9b1b1db8cbd552d79e94df9807cd42afa91e944ee49eda14f136
Instruction ID: ee8154e9161de58e3b60b5ebfb994c201e2a8bbb08967515518ee5446d6e0382
Opcode Fuzzy Hash: 24adec2d645d9b1b1db8cbd552d79e94df9807cd42afa91e944ee49eda14f136
Instruction Fuzzy Hash: AA818372A043459FCB24DF64C944A6AB7F8BF89790F188C2EF889DB251E630D945CB52

Function 00A8C1AC Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A02612: GetWindowLongW.USER32(?,000000EB), ref: 00A02623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00A8C1FC
GetFocus.USER32 ref: 00A8C20C
GetDlgCtrlID.USER32(00000000), ref: 00A8C217
_memset.LIBCMT ref: 00A8C342
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00A8C36D
GetMenuItemCount.USER32(?), ref: 00A8C38D
GetMenuItemID.USER32(?,00000000), ref: 00A8C3A0
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00A8C3D4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00A8C41C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00A8C454
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00A8C489

Strings

0, xrefs: 00A8C33A

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: a121cd8439352474ca657ece719a57ad895fd1722b172b35517311e3161d7d1c
Instruction ID: 514b75535b3b85f4a10f43d7ff55a68ebc23b7c45ee63b4a3a19b45eaf189ed1
Opcode Fuzzy Hash: a121cd8439352474ca657ece719a57ad895fd1722b172b35517311e3161d7d1c
Instruction Fuzzy Hash: C5818C70608301AFD710EF64D898EABBBE8FB88724F00492EF99597291D770D945CF62

Function 00A7731A Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00A7738F
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00A7739B
CreateCompatibleDC.GDI32(?), ref: 00A773A7
SelectObject.GDI32(00000000,?), ref: 00A773B4
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00A77408
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00A77444
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00A77468
SelectObject.GDI32(00000006,?), ref: 00A77470
DeleteObject.GDI32(?), ref: 00A77479
DeleteDC.GDI32(00000006), ref: 00A77480
ReleaseDC.USER32(00000000,?), ref: 00A7748B

Strings

(, xrefs: 00A77410

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 1573ba0bbd1fff7a1994344f6230c3979196bddebd31d1e75f12ca02d3505e04
Instruction ID: 702976e5c6846216b398dfa1c577fa4d9a877742dec0b64440a727089a0eb81a
Opcode Fuzzy Hash: 1573ba0bbd1fff7a1994344f6230c3979196bddebd31d1e75f12ca02d3505e04
Instruction Fuzzy Hash: 9C514775904309EFCB14CFA8DC84EAEBBB9EF48310F14C529F99AAB211D731A941CB50

Function 00A64F75 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00A64F7A

Part of subcall function 00A2049F: timeGetTime.WINMM(?,753DB400,00A10E7B), ref: 00A204A3

Sleep.KERNEL32(0000000A), ref: 00A64FA6
EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00A64FCA
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00A64FEC
SetActiveWindow.USER32 ref: 00A6500B
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00A65019
SendMessageW.USER32(00000010,00000000,00000000), ref: 00A65038
Sleep.KERNEL32(000000FA), ref: 00A65043
IsWindow.USER32 ref: 00A6504F
EndDialog.USER32(00000000), ref: 00A65060

Strings

@U=u, xrefs: 00A65019, 00A65038
BUTTON, xrefs: 00A64FDE

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: @U=u$BUTTON
API String ID: 1194449130-2582809321
Opcode ID: 1fe1dd351e302e91049b657c405feffce355bb1f5734d2fff2b4630c400d3fe5
Instruction ID: a56ce121961daef1ba13d9ac4a52fb58a924f94d41bb241799b5d231962f3d8d
Opcode Fuzzy Hash: 1fe1dd351e302e91049b657c405feffce355bb1f5734d2fff2b4630c400d3fe5
Instruction Fuzzy Hash: 20216A7460460ABFEB10DFB0ED89E263BB9EF48745F261038F103821B1DB719D528B62

Function 00A06A8C Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00A20957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00A06B0C,?,00008000), ref: 00A20973

Part of subcall function 00A04750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A04743,?,?,00A037AE,?), ref: 00A04770

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00A06BAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00A06CFA

Part of subcall function 00A0586D: _wcscpy.LIBCMT ref: 00A058A5

Part of subcall function 00A2363D: _iswctype.LIBCMT ref: 00A23645

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00A3E496
Bad directive syntax error, xrefs: 00A3E79D
#include depth exceeded. Make sure there are no recursive includes, xrefs: 00A3E421
Unterminated string, xrefs: 00A3E7E4
Error opening the file, xrefs: 00A3E43D, 00A3E4B8
AU3!, xrefs: 00A06B61
EA06, xrefs: 00A3E452

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: 687e0008ac0754228ab4ba2baf41d8e7289bdeb67826cf033acaadef718ba1a1
Instruction ID: a408ee6ac414ac54190f96038a94fbe737575443a68a9ff909b16978cb38bdb2
Opcode Fuzzy Hash: 687e0008ac0754228ab4ba2baf41d8e7289bdeb67826cf033acaadef718ba1a1
Instruction Fuzzy Hash: 3D029D305083459FC724EF24E991AAFBBF5BF98314F14482DF486972A2DB30E949CB52

Function 00A62D36 Relevance: 19.7, APIs: 13, Instructions: 214windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A62D50
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00A62DDD
GetMenuItemCount.USER32(00AC5890), ref: 00A62E66
DeleteMenu.USER32(00AC5890,00000005,00000000,000000F5,?,?), ref: 00A62EF6
DeleteMenu.USER32(00AC5890,00000004,00000000), ref: 00A62EFE
DeleteMenu.USER32(00AC5890,00000006,00000000), ref: 00A62F06
DeleteMenu.USER32(00AC5890,00000003,00000000), ref: 00A62F0E
GetMenuItemCount.USER32(00AC5890), ref: 00A62F16
SetMenuItemInfoW.USER32(00AC5890,00000004,00000000,00000030), ref: 00A62F4C
GetCursorPos.USER32(?), ref: 00A62F56
SetForegroundWindow.USER32(00000000), ref: 00A62F5F
TrackPopupMenuEx.USER32(00AC5890,00000000,?,00000000,00000000,00000000), ref: 00A62F72
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00A62F7E

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: 3e196e934bdb9ff7b8892feaa8b680e228d8e3e5736aa7a9953495503e2b87b0
Instruction ID: 90c3b7768b9382e1c249d36890e27fbe03817aafe185229eb6dadd5535a81f48
Opcode Fuzzy Hash: 3e196e934bdb9ff7b8892feaa8b680e228d8e3e5736aa7a9953495503e2b87b0
Instruction Fuzzy Hash: 7E71F670601A06BFEB259F64DC49FAABF74FF04754F100226F625AA1E0C7765C60D791

Function 00A577DC Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00A07BCC: _memmove.LIBCMT ref: 00A07C06

_memset.LIBCMT ref: 00A5786B
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00A578A0
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00A578BC
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00A578D8
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00A57902
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 00A5792A
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00A57935
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00A5793A

Strings

SOFTWARE\Classes\, xrefs: 00A5780C
\IPC$, xrefs: 00A57882
\CLSID, xrefs: 00A57822

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1411258926-22481851
Opcode ID: 40009a08ec1b3e879de260375d3d80b63ed8abe6bd247ac7cd2e85b09a02ca67
Instruction ID: be4ffff080f1f1087425c0b5211189fb4cda96e35a6214f9b3345d75254d47e6
Opcode Fuzzy Hash: 40009a08ec1b3e879de260375d3d80b63ed8abe6bd247ac7cd2e85b09a02ca67
Instruction Fuzzy Hash: DF410872C1422DAEDF11EFA4EC45DEEB778BF04310F004429E905B21A1EA306D49CBA0

Function 00A80E1A Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A7FDAD,?,?), ref: 00A80E31

Strings

HKEY_CLASSES_ROOT, xrefs: 00A80EC4
HKEY_LOCAL_MACHINE, xrefs: 00A80E9A
HKEY_CURRENT_USER, xrefs: 00A80F10
HKCU, xrefs: 00A80F21
HKEY_CURRENT_CONFIG, xrefs: 00A80EEE
HKLM, xrefs: 00A80EAF
HKU, xrefs: 00A80F43
HKEY_USERS, xrefs: 00A80F32
HKCR, xrefs: 00A80ED9
HKCC, xrefs: 00A80EFF

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 1b6a712bb4cb89c740181e6594008b089984493aba053cb951a3e6b4db839028
Instruction ID: 3418d2ef39acc6b81ce721039358930baf48c09f138e3000f4dd895a214ce2d1
Opcode Fuzzy Hash: 1b6a712bb4cb89c740181e6594008b089984493aba053cb951a3e6b4db839028
Instruction Fuzzy Hash: 1C415A3150025A8BCF60EF14EAA5EEF3764BF11384F548464FE655B292DB31AD1ECBA0

Function 00A874BB Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00A8755E
CreateCompatibleDC.GDI32(00000000), ref: 00A87565
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00A87578
SelectObject.GDI32(00000000,00000000), ref: 00A87580
GetPixel.GDI32(00000000,00000000,00000000), ref: 00A8758B
DeleteDC.GDI32(00000000), ref: 00A87594
GetWindowLongW.USER32(?,000000EC), ref: 00A8759E
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00A875B2
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00A875BE

Strings

@U=u, xrefs: 00A87578
static, xrefs: 00A874F6

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: @U=u$static
API String ID: 2559357485-3553413495
Opcode ID: af19421802567b410e22b9f4ab50f1a09375e7e5d67d843e1cd39742f3ec8fc6
Instruction ID: f1219feeeb79302041262157e8ed2785c0e947a4f21921214d26ddd492130d84
Opcode Fuzzy Hash: af19421802567b410e22b9f4ab50f1a09375e7e5d67d843e1cd39742f3ec8fc6
Instruction Fuzzy Hash: EE316B32504215BFDF16AFA4DC08FDB3B69FF09360F210224FA15A61A0D731D822DBA4

Function 00A5F7A1 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00A3E2A0,00000010,?,Bad directive syntax error,00A8F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 00A5F7C2
LoadStringW.USER32(00000000,?,00A3E2A0,00000010), ref: 00A5F7C9

Part of subcall function 00A07DE1: _memmove.LIBCMT ref: 00A07E22

_wprintf.LIBCMT ref: 00A5F7FC
__swprintf.LIBCMT ref: 00A5F81E
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00A5F88D

Strings

Line %d:, xrefs: 00A5F818
Line %d (File "%s"):, xrefs: 00A5F833
%s (%d) : ==> %s.: %s %s, xrefs: 00A5F7F7
Error: , xrefs: 00A5F85B
., xrefs: 00A5F873

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1506413516-4153970271
Opcode ID: f2dea6656650364aa06dd301ffd0099afef90671fbaa46c2731ac9f03232dc97
Instruction ID: f9d9bb9bf5b445e09b5745906a71510986f4d83538ed7f451094603fff517f11
Opcode Fuzzy Hash: f2dea6656650364aa06dd301ffd0099afef90671fbaa46c2731ac9f03232dc97
Instruction Fuzzy Hash: DB21593290021EBFCF11EFA4DD0AEEE7779BF18300F040865F515660A2EA35AA28DB50

Function 00A652C7 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00A07BCC: _memmove.LIBCMT ref: 00A07C06

Part of subcall function 00A07924: _memmove.LIBCMT ref: 00A079AD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00A65330
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00A65346
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00A65357
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00A65369
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00A6537A

Strings

play PlayMe wait, xrefs: 00A65364
open , xrefs: 00A652DF
alias PlayMe, xrefs: 00A65309
status PlayMe mode, xrefs: 00A6532B
close PlayMe, xrefs: 00A65341, 00A6536E
play PlayMe, xrefs: 00A65375

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: c074b1e22ff643f982cfb129182f7d6d3434b44951d799aa61f05b3eb16057d6
Instruction ID: 2849f9046dc7827471593b5f3280060498c04fbc1965e4afe23b87444104eb6e
Opcode Fuzzy Hash: c074b1e22ff643f982cfb129182f7d6d3434b44951d799aa61f05b3eb16057d6
Instruction Fuzzy Hash: F6115B21E5016D79D720ABB5DC5ADFFABBCFB91B84F100829B401A61D2EEA01D45C6A0

Function 00A646B7 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00A646D2
gethostname.WSOCK32(?,00000100), ref: 00A646EC
gethostbyname.WSOCK32(?), ref: 00A646F9
_wcscpy.LIBCMT ref: 00A64721
_memmove.LIBCMT ref: 00A64734
inet_ntoa.WSOCK32(?), ref: 00A6473F
_strcat.LIBCMT ref: 00A6474D
_wcscpy.LIBCMT ref: 00A64764
WSACleanup.WSOCK32 ref: 00A64772
_wcscpy.LIBCMT ref: 00A64780

Strings

0.0.0.0, xrefs: 00A6471B

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: 80817be820db9a89d990d56dc73da757f0bfd60cf476082a3dde8e8d8060df54
Instruction ID: 843d183e33443db41123df72cb7ba8cebeb2e0a003a7bf74a5997a63e97e3562
Opcode Fuzzy Hash: 80817be820db9a89d990d56dc73da757f0bfd60cf476082a3dde8e8d8060df54
Instruction Fuzzy Hash: 1711E431900115BFDB20AB74AC4AEEA77BCEF06711F0401B6F44596091FF748AC28B50

Function 00A6D58D Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00A09837: __itow.LIBCMT ref: 00A09862
Part of subcall function 00A09837: __swprintf.LIBCMT ref: 00A098AC

CoInitialize.OLE32(00000000), ref: 00A6D5EA
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00A6D67D
SHGetDesktopFolder.SHELL32(?), ref: 00A6D691
CoCreateInstance.OLE32(00A92D7C,00000000,00000001,00AB8C1C,?), ref: 00A6D6DD
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00A6D74C
CoTaskMemFree.OLE32(?,?), ref: 00A6D7A4
_memset.LIBCMT ref: 00A6D7E1
SHBrowseForFolderW.SHELL32(?), ref: 00A6D81D
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00A6D840
CoTaskMemFree.OLE32(00000000), ref: 00A6D847
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00A6D87E
CoUninitialize.OLE32(00000001,00000000), ref: 00A6D880

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: c500826b1a12eaf7f6526bb34a27a7400700df0d6ca93caef7355a9304f32c3f
Instruction ID: 32a60ad2f97e653569cf0690151af9da8ce7ef5473b65150b77ccc58c95b4199
Opcode Fuzzy Hash: c500826b1a12eaf7f6526bb34a27a7400700df0d6ca93caef7355a9304f32c3f
Instruction Fuzzy Hash: 8AB10B75A00109AFDB04DFA4C988DAEBBB9FF49354F148469F909EB261DB30ED45CB50

Function 00A5C267 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00A5C283
GetWindowRect.USER32(00000000,?), ref: 00A5C295
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00A5C2F3
GetDlgItem.USER32(?,00000002), ref: 00A5C2FE
GetWindowRect.USER32(00000000,?), ref: 00A5C310
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00A5C364
GetDlgItem.USER32(?,000003E9), ref: 00A5C372
GetWindowRect.USER32(00000000,?), ref: 00A5C383
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00A5C3C6
GetDlgItem.USER32(?,000003EA), ref: 00A5C3D4
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00A5C3F1
InvalidateRect.USER32(?,00000000,00000001), ref: 00A5C3FE

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: f5da2e1b7d4b9b7ad9182f439c321140c72096c7936cddbedf8f9c13b19bc12f
Instruction ID: 67ac2d825f36c179cad9910ce0f5a09e445236cf4874d93cf1d4cebd4c7fd9cf
Opcode Fuzzy Hash: f5da2e1b7d4b9b7ad9182f439c321140c72096c7936cddbedf8f9c13b19bc12f
Instruction Fuzzy Hash: 78515F71B00205AFDB18CFA9DD89AAEBBB6FB88321F14813DF915D6294D7709D458B10

Function 00A0201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00A01B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00A02036,?,00000000,?,?,?,?,00A016CB,00000000,?), ref: 00A01B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00A020D3
KillTimer.USER32(-00000001,?,?,?,?,00A016CB,00000000,?,?,00A01AE2,?,?), ref: 00A0216E
DestroyAcceleratorTable.USER32(00000000), ref: 00A3BCA6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00A016CB,00000000,?,?,00A01AE2,?,?), ref: 00A3BCD7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00A016CB,00000000,?,?,00A01AE2,?,?), ref: 00A3BCEE
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00A016CB,00000000,?,?,00A01AE2,?,?), ref: 00A3BD0A
DeleteObject.GDI32(00000000), ref: 00A3BD1C

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 178a47a782db06805ba0f26cd724f2bacf0764cdae6fc295e638868861301c99
Instruction ID: 69d2c01fb5c760e0250c878fc4e1f1c991db03ffe67fb188442f5727a3fde8d9
Opcode Fuzzy Hash: 178a47a782db06805ba0f26cd724f2bacf0764cdae6fc295e638868861301c99
Instruction Fuzzy Hash: A5616831910B09DFDB35DF64E948B2AB7F2FB44312F508529F5429A9A0C770BC92EB90

Function 00A021A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 00A025DB: GetWindowLongW.USER32(?,000000EB), ref: 00A025EC

GetSysColor.USER32(0000000F), ref: 00A021D3

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 56116f3f45322ae6bfbb9896d0a97b46ba5551d652359d16f468e04dc6a185b5
Instruction ID: 6a206c4d57e6ebc057e123d620b1850af632e2d24400a1269e8711c69be7d5b2
Opcode Fuzzy Hash: 56116f3f45322ae6bfbb9896d0a97b46ba5551d652359d16f468e04dc6a185b5
Instruction Fuzzy Hash: E1416431500644AFDB259FA8EC8CBF93766EB4A321F244365FE658A1E5C7318C82DB61

Function 00A6A8A7 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00A8F910), ref: 00A6A90B
GetDriveTypeW.KERNEL32(00000061,00AB89A0,00000061), ref: 00A6A9D5
_wcscpy.LIBCMT ref: 00A6A9FF

Strings

unknown, xrefs: 00A6A996
ramdisk, xrefs: 00A6A97F
network, xrefs: 00A6A969
cdrom, xrefs: 00A6A927
removable, xrefs: 00A6A93D
all, xrefs: 00A6A911
fixed, xrefs: 00A6A953

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 0fc7d9914f054f721c69cf0cc6b742dbfa6828eb85c2cec94fa79638424a087c
Instruction ID: 780398d30dca908c64d962d8a990b5df4238c05486fbb933b162b8f5b2752b1e
Opcode Fuzzy Hash: 0fc7d9914f054f721c69cf0cc6b742dbfa6828eb85c2cec94fa79638424a087c
Instruction Fuzzy Hash: A6517E32508301AFC700EF14DA92AAFB7B9FFA4344F54482DF595672E2DB319909CA53

Function 00A88645 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00A886FF

Strings

@U=u, xrefs: 00A88735

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: InvalidateRect
String ID: @U=u
API String ID: 634782764-2594219639
Opcode ID: 6a2e2a9898283d29c7936894e511f863aaed1cfcb26ae9a25edc0541798e5a34
Instruction ID: a20c7cec8010dbe7d8d26511fb4925eb3afa084813e366292081761275c511bb
Opcode Fuzzy Hash: 6a2e2a9898283d29c7936894e511f863aaed1cfcb26ae9a25edc0541798e5a34
Instruction Fuzzy Hash: CE519030900244BEEF20EB68DC89FAD7BB4FB05760FA04225F951E61E1DF79A980DB50

Function 00A02B72 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00A3C2F7
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00A3C319
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00A3C331
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00A3C34F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00A3C370
DestroyIcon.USER32(00000000), ref: 00A3C37F
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00A3C39C
DestroyIcon.USER32(?), ref: 00A3C3AB

Part of subcall function 00A8A4AF: DeleteObject.GDI32(00000000), ref: 00A8A4E8

Strings

@U=u, xrefs: 00A3C370, 00A3C39C

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID: @U=u
API String ID: 2819616528-2594219639
Opcode ID: 03bd860120c4a4a8b4bd3f621521f6a7beffc73cda6f22db2deee934ed554682
Instruction ID: a770e01d2b7a32e018c3bd1b3ac60a95dd01730ffd3dd816e218ecfb87c3807d
Opcode Fuzzy Hash: 03bd860120c4a4a8b4bd3f621521f6a7beffc73cda6f22db2deee934ed554682
Instruction Fuzzy Hash: 29513A70A00309AFDB24DFA4DC49FAA7BB5EB59720F104529F902AB2D0D770ED91DB50

Function 00A09837 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00A09862
__swprintf.LIBCMT ref: 00A098AC
__i64tow.LIBCMT ref: 00A3F5E6

Strings

False, xrefs: 00A3F5AE
%.15g, xrefs: 00A098A6
0x%p, xrefs: 00A3F5C8
True, xrefs: 00A3F5A7

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: 9d09fbdc290efd3cf866f183e715bdd45a5a7cf0254e36eabe6f41fca882d710
Instruction ID: 57f67049472b3587066950c84b25d6f38c06cfcd0b3b39c24350470bdc236192
Opcode Fuzzy Hash: 9d09fbdc290efd3cf866f183e715bdd45a5a7cf0254e36eabe6f41fca882d710
Instruction Fuzzy Hash: B941B571914209AFEB24DF78E946E7A73F9FF05300F20487EF549D6292EA3599458B10

Function 00A87152 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A8716A
CreateMenu.USER32 ref: 00A87185
SetMenu.USER32(?,00000000), ref: 00A87194
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00A87221
IsMenu.USER32(?), ref: 00A87237
CreatePopupMenu.USER32 ref: 00A87241
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00A8726E
DrawMenuBar.USER32 ref: 00A87276

Strings

0, xrefs: 00A87160
F, xrefs: 00A87262

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 4b258479a78cbc5ce14261624d2e08107551cb830e27dbad46c0b14fc444a9fe
Instruction ID: 9ecad6efd07977b390b898d29c0821c38107f5bdc511c1dfe807656140ee4c37
Opcode Fuzzy Hash: 4b258479a78cbc5ce14261624d2e08107551cb830e27dbad46c0b14fc444a9fe
Instruction Fuzzy Hash: E8415A74A01205EFDB10EFA4D988EDA7BB5FF49310F240028F955A7361E731A920CF90

Function 00A58F8F Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A07DE1: _memmove.LIBCMT ref: 00A07E22

Part of subcall function 00A5AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00A5AABC

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00A59014
GetDlgCtrlID.USER32 ref: 00A5901F
GetParent.USER32 ref: 00A5903B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00A5903E
GetDlgCtrlID.USER32(?), ref: 00A59047
GetParent.USER32(?), ref: 00A59063
SendMessageW.USER32(00000000,?,?,00000111), ref: 00A59066

Strings

@U=u, xrefs: 00A59066
ComboBox, xrefs: 00A58F9C
ListBox, xrefs: 00A58FD1

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: @U=u$ComboBox$ListBox
API String ID: 1536045017-2258501812
Opcode ID: 62910ad205d00bf2babc61a8dc8ab9e648e858cc7cf1c002132887b157ee9e76
Instruction ID: cc1fd51b9051018a4bbe0a61c672441d2600a969938f239b4e0ad6d04f796b7b
Opcode Fuzzy Hash: 62910ad205d00bf2babc61a8dc8ab9e648e858cc7cf1c002132887b157ee9e76
Instruction Fuzzy Hash: 8B21AE70A00109BFDF04ABA0CC85EFEBBB8EF49311F104625B921972E1EB755829DB20

Function 00A5907A Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A07DE1: _memmove.LIBCMT ref: 00A07E22

Part of subcall function 00A5AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00A5AABC

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00A590FD
GetDlgCtrlID.USER32 ref: 00A59108
GetParent.USER32 ref: 00A59124
SendMessageW.USER32(00000000,?,00000111,?), ref: 00A59127
GetDlgCtrlID.USER32(?), ref: 00A59130
GetParent.USER32(?), ref: 00A5914C
SendMessageW.USER32(00000000,?,?,00000111), ref: 00A5914F

Strings

@U=u, xrefs: 00A5914F
ComboBox, xrefs: 00A59087
ListBox, xrefs: 00A590BC

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: @U=u$ComboBox$ListBox
API String ID: 1536045017-2258501812
Opcode ID: 2106943032d8fec5a0d0fdc92b088e66136877a0db274ed6a274bedd6f058573
Instruction ID: a27ad2e305acb82805d1a4a77a8965a57ce9cc802a86b59673a1ab5895c2919f
Opcode Fuzzy Hash: 2106943032d8fec5a0d0fdc92b088e66136877a0db274ed6a274bedd6f058573
Instruction Fuzzy Hash: B421A174A00109BFDF01ABA4DC85EFEBBB8FF54301F104125B911972A2EB755869DF20

Function 00A59163 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00A5916F
GetClassNameW.USER32(00000000,?,00000100), ref: 00A59184
_wcscmp.LIBCMT ref: 00A59196
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00A59211

Strings

@U=u, xrefs: 00A59211
details, xrefs: 00A591BF
SHELLDLL_DefView, xrefs: 00A59190
smallicons, xrefs: 00A591D9
largeicons, xrefs: 00A591A5
list, xrefs: 00A591F3

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: @U=u$SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-1428604138
Opcode ID: 690e2230fa109756bddeabaf91a5bf456cc8aecca5556c6509b128cc33cc0fdb
Instruction ID: efcbaa4b4726b1cbd042bc7a1f0cbee96e309f31425d6636c0737f2f77e9f184
Opcode Fuzzy Hash: 690e2230fa109756bddeabaf91a5bf456cc8aecca5556c6509b128cc33cc0fdb
Instruction Fuzzy Hash: 2111A736248317F9FA112628EC06DEF3B9CBB15721F200526FD14E94D2FFB158556694

Function 00A26E03 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A26E3E

Part of subcall function 00A28B28: __getptd_noexit.LIBCMT ref: 00A28B28

__gmtime64_s.LIBCMT ref: 00A26ED7
__gmtime64_s.LIBCMT ref: 00A26F0D
__gmtime64_s.LIBCMT ref: 00A26F2A
__allrem.LIBCMT ref: 00A26F80
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A26F9C
__allrem.LIBCMT ref: 00A26FB3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A26FD1
__allrem.LIBCMT ref: 00A26FE8
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A27006
__invoke_watson.LIBCMT ref: 00A27077

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction ID: 06b5522d3c2f480902ac81a8f9951936de2b447702a986824f2a5c4cd0766fc1
Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction Fuzzy Hash: D9710676A05726ABDB14EF7CED41B6AB7B8AF04360F144239F514D7281E770EE048790

Function 00A62527 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A62542
GetMenuItemInfoW.USER32(00AC5890,000000FF,00000000,00000030), ref: 00A625A3
SetMenuItemInfoW.USER32(00AC5890,00000004,00000000,00000030), ref: 00A625D9
Sleep.KERNEL32(000001F4), ref: 00A625EB
GetMenuItemCount.USER32(?), ref: 00A6262F
GetMenuItemID.USER32(?,00000000), ref: 00A6264B
GetMenuItemID.USER32(?,-00000001), ref: 00A62675
GetMenuItemID.USER32(?,?), ref: 00A626BA
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00A62700
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00A62714
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00A62735

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: eab44fab442469941fdad880a89a384f24076c678156a6968b142c886cd67350
Instruction ID: d1411216dca1db0280c0564446973ff50bafd5cc4de19cc5436639033b2f7d2e
Opcode Fuzzy Hash: eab44fab442469941fdad880a89a384f24076c678156a6968b142c886cd67350
Instruction Fuzzy Hash: 1C61A3B4900A4AAFDB21CFA4DD84FFE7BB8EB45344F140169F842A7291D735AD06DB21

Function 00A86F23 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00A86FA5
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00A86FA8
GetWindowLongW.USER32(?,000000F0), ref: 00A86FCC
_memset.LIBCMT ref: 00A86FDD
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00A86FEF
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00A87067

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: c5678019396344a8884e1f051edd00a20e7e75ee268b19bd7bde72dc71ce141d
Instruction ID: 9ed82280419ffc6736cfe7e73bb91cf00ed4ce7f5b45921d7bae01c5915ee56f
Opcode Fuzzy Hash: c5678019396344a8884e1f051edd00a20e7e75ee268b19bd7bde72dc71ce141d
Instruction Fuzzy Hash: 98615B75900208AFDB11EFA4CD85FEE77F8EB09710F244169FA14AB2A1D771AD41DBA0

Function 00A56B98 Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00A56BBF
SafeArrayAllocData.OLEAUT32(?), ref: 00A56C18
VariantInit.OLEAUT32(?), ref: 00A56C2A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00A56C4A
VariantCopy.OLEAUT32(?,?), ref: 00A56C9D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00A56CB1
VariantClear.OLEAUT32(?), ref: 00A56CC6
SafeArrayDestroyData.OLEAUT32(?), ref: 00A56CD3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00A56CDC
VariantClear.OLEAUT32(?), ref: 00A56CEE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00A56CF9

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 90b90e69d715befb8f23a67b65de85af5f54e19df5326a699306757d499cf404
Instruction ID: 807cc003290880a0368ab7563d72a4e5bd809e9c801573cf370ea977ac3a7846
Opcode Fuzzy Hash: 90b90e69d715befb8f23a67b65de85af5f54e19df5326a699306757d499cf404
Instruction Fuzzy Hash: A8414275A00119AFCF00DFA8D9449AEBBB9FF08355F408069ED55E7361DB30A94ACF90

Function 00A8D43E Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A02612: GetWindowLongW.USER32(?,000000EB), ref: 00A02623

GetSystemMetrics.USER32(0000000F), ref: 00A8D47C
GetSystemMetrics.USER32(0000000F), ref: 00A8D49C
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00A8D6D7
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00A8D6F5
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00A8D716
ShowWindow.USER32(00000003,00000000), ref: 00A8D735
InvalidateRect.USER32(?,00000000,00000001), ref: 00A8D75A
DefDlgProcW.USER32(?,00000005,?,?), ref: 00A8D77D

Strings

@U=u, xrefs: 00A8D6F5, 00A8D716

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID: @U=u
API String ID: 1211466189-2594219639
Opcode ID: 5531751ba970534d1ee207f9640c6c158bef89f8b331525bd8b05c0370f91709
Instruction ID: e456419c36fc2def0efcfc479dade678e20db6985621c503c3188863e03686ba
Opcode Fuzzy Hash: 5531751ba970534d1ee207f9640c6c158bef89f8b331525bd8b05c0370f91709
Instruction Fuzzy Hash: 0FB17B71A00219EFDF18DF68C985BAD7BB1BF04711F188179EC58AB295E734A990CB50

Function 00A02E26 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00A02EAE

Part of subcall function 00A01DB3: GetClientRect.USER32(?,?), ref: 00A01DDC
Part of subcall function 00A01DB3: GetWindowRect.USER32(?,?), ref: 00A01E1D
Part of subcall function 00A01DB3: ScreenToClient.USER32(?,?), ref: 00A01E45

GetDC.USER32 ref: 00A3CD32
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00A3CD45
SelectObject.GDI32(00000000,00000000), ref: 00A3CD53
SelectObject.GDI32(00000000,00000000), ref: 00A3CD68
ReleaseDC.USER32(?,00000000), ref: 00A3CD70
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00A3CDFB

Strings

@U=u, xrefs: 00A3CD45
U, xrefs: 00A3CCD0

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: @U=u$U
API String ID: 4009187628-4110099822
Opcode ID: 2204a3f734de1633851501ca51e55676c700d26435bfd9c81aa9d6be49487771
Instruction ID: 01a23c375211903370881ce675567a325a71ec15f2da35913ef3b73188238612
Opcode Fuzzy Hash: 2204a3f734de1633851501ca51e55676c700d26435bfd9c81aa9d6be49487771
Instruction Fuzzy Hash: D571DF31900209DFCF21DF64DC84AAA7FB5FF48360F24427AFD55AA2A6D7319881DB60

Function 00A75732 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00A75793
inet_addr.WSOCK32(?,?,?), ref: 00A757D8
gethostbyname.WSOCK32(?), ref: 00A757E4
IcmpCreateFile.IPHLPAPI ref: 00A757F2
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00A75862
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00A75878
IcmpCloseHandle.IPHLPAPI(00000000), ref: 00A758ED
WSACleanup.WSOCK32 ref: 00A758F3

Strings

Ping, xrefs: 00A75816

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: caa6b608c1e474225353dc2fa3ba49d1b0992ca81f156620634d2247aa7d96b3
Instruction ID: 4388f0fa542b314df42753b97b6a3ad114184fff12a31119661b4bab8c184a43
Opcode Fuzzy Hash: caa6b608c1e474225353dc2fa3ba49d1b0992ca81f156620634d2247aa7d96b3
Instruction Fuzzy Hash: F8518D31A006019FDB10EF64DD49B2A7BE4EF48720F04C969F99ADB2A1DB70E805DB42

Function 00A6B4C3 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00A6B4D0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00A6B546
GetLastError.KERNEL32 ref: 00A6B550
SetErrorMode.KERNEL32(00000000,READY), ref: 00A6B5BD

Strings

READY, xrefs: 00A6B596
READONLY, xrefs: 00A6B588
UNKNOWN, xrefs: 00A6B575
INVALID, xrefs: 00A6B58F
NOTREADY, xrefs: 00A6B57C

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 835fa0fba1d1da9c9b991fa8ee896889e61f84ac259c0c96b4e3d81d63b5bcfe
Instruction ID: 7e8f5d82d858ef79ecb4fa8afda5fb97a84bdc2f510843e47258ffb53bf7c51a
Opcode Fuzzy Hash: 835fa0fba1d1da9c9b991fa8ee896889e61f84ac259c0c96b4e3d81d63b5bcfe
Instruction Fuzzy Hash: 1E317475A00209EFCB00EFA8D985EEE77B8FF49310F144165E607D7292DB719A82CB61

Function 00A861D3 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00A861EB
GetDC.USER32(00000000), ref: 00A861F3
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00A861FE
ReleaseDC.USER32(00000000,00000000), ref: 00A8620A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00A86246
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00A86257
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00A8902A,?,?,000000FF,00000000,?,000000FF,?), ref: 00A86291
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00A862B1

Strings

@U=u, xrefs: 00A86257, 00A862B1

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID: @U=u
API String ID: 3864802216-2594219639
Opcode ID: 87a5d8e1718dabb4ce3e18fcede91f4b3ecf29eb5da0d77ee248e3d7b8a2fb20
Instruction ID: 1d732ee712d1e17824ed4ec49bb68c70757fed48cdd5ccf3be881dda448600cc
Opcode Fuzzy Hash: 87a5d8e1718dabb4ce3e18fcede91f4b3ecf29eb5da0d77ee248e3d7b8a2fb20
Instruction Fuzzy Hash: F0317C72201210BFEF119F50CC8AFEA3BA9EF49765F044165FE089A292D7759C52CB74

Function 00A788AB Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00A788D7
CoInitialize.OLE32(00000000), ref: 00A78904
CoUninitialize.OLE32 ref: 00A7890E
GetRunningObjectTable.OLE32(00000000,?), ref: 00A78A0E
SetErrorMode.KERNEL32(00000001,00000029), ref: 00A78B3B
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00A92C0C), ref: 00A78B6F
CoGetObject.OLE32(?,00000000,00A92C0C,?), ref: 00A78B92
SetErrorMode.KERNEL32(00000000), ref: 00A78BA5
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00A78C25
VariantClear.OLEAUT32(?), ref: 00A78C35

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: 2ed0fef003faae843f5822b14ff03c2643ff85cec7bdf27fe086195055797923
Instruction ID: fb8e9b363c9055aa749279a68a001fee8dd2dedceaa261f617e47ac61863e753
Opcode Fuzzy Hash: 2ed0fef003faae843f5822b14ff03c2643ff85cec7bdf27fe086195055797923
Instruction Fuzzy Hash: A7C116B1608305AFD700DF68C88892BB7E9FF89748F00895DF9899B251DB75ED06CB52

Function 00A67990 Relevance: 15.3, APIs: 10, Instructions: 292COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00A67A6C

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: 3645bd32b87bcfe3babb47b643b6f8543ff8623dcc913ff82f9078eebe076263
Instruction ID: a232b37a1e0fbbc9b897720e623c9763d7b7ca4541d82babc847bde5174877c2
Opcode Fuzzy Hash: 3645bd32b87bcfe3babb47b643b6f8543ff8623dcc913ff82f9078eebe076263
Instruction Fuzzy Hash: E7B1D17591421A9FDB00DFA8D884BBEB7F4FF09329F204429E951E7291D734E941CBA0

Function 00A611CE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00A611F0
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00A60268,?,00000001), ref: 00A61204
GetWindowThreadProcessId.USER32(00000000), ref: 00A6120B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00A60268,?,00000001), ref: 00A6121A
GetWindowThreadProcessId.USER32(?,00000000), ref: 00A6122C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00A60268,?,00000001), ref: 00A61245
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00A60268,?,00000001), ref: 00A61257
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00A60268,?,00000001), ref: 00A6129C
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00A60268,?,00000001), ref: 00A612B1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00A60268,?,00000001), ref: 00A612BC

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: abac9d891b627a0b52d5fb261207035f30f6f4ef452bea753de81cca44a1bb37
Instruction ID: 90cdaa83f85b2ee7f934d3d3d582afda9eb8650facb26fc588dd1d5fd1d4674c
Opcode Fuzzy Hash: abac9d891b627a0b52d5fb261207035f30f6f4ef452bea753de81cca44a1bb37
Instruction Fuzzy Hash: 1131A0B5600208BFDB10DFA5EC98FAA7BB9EF55315F154239FD00D61A0D7749D418BA0

Function 00A0FA5D Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00A0FAA6
OleUninitialize.OLE32(?,00000000), ref: 00A0FB45
UnregisterHotKey.USER32(?), ref: 00A0FC9C
DestroyWindow.USER32(?), ref: 00A445D6
FreeLibrary.KERNEL32(?), ref: 00A4463B
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00A44668

Strings

close all, xrefs: 00A0FAA1

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 78d972dfaea7e5e9e40699b5938326b02aa395ad478b7b093c1ae8be5cff89b1
Instruction ID: edadb43d1a393390d33796db9809fdc15a9ee62e5281f94c5efcaec28e8f2b96
Opcode Fuzzy Hash: 78d972dfaea7e5e9e40699b5938326b02aa395ad478b7b093c1ae8be5cff89b1
Instruction Fuzzy Hash: 47A19134701216CFDB28EF14D695B69F3A4BF49700F5542ADE80AAB292DB30EC16CF50

Function 00A5A068 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,00A5A439), ref: 00A5A377

Strings

NAME, xrefs: 00A5A1A9
CLASS, xrefs: 00A5A0F6
INSTANCE, xrefs: 00A5A285
TEXT, xrefs: 00A5A2AE
REGEXPCLASS, xrefs: 00A5A13C
CLASSNN, xrefs: 00A5A119

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 8a675f063ad9e4a4cf8f33e508e9cc2fd0229f7618cec0ae9e6c78981bc64747
Instruction ID: 163367ab96109fc3c0a73fb76e37c66ca93e2008cbc0258a70002e73b656ccab
Opcode Fuzzy Hash: 8a675f063ad9e4a4cf8f33e508e9cc2fd0229f7618cec0ae9e6c78981bc64747
Instruction Fuzzy Hash: 8C91E631B00606ABCB08DFA4D582BEDFB78BF14351F508229EC49A7192DF31699DCB91

Function 00A8B351 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00CA4E90), ref: 00A8B3EB
IsWindowEnabled.USER32(00CA4E90), ref: 00A8B3F7
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00A8B4DB
SendMessageW.USER32(00CA4E90,000000B0,?,?), ref: 00A8B512
IsDlgButtonChecked.USER32(?,?), ref: 00A8B54F
GetWindowLongW.USER32(00CA4E90,000000EC), ref: 00A8B571
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00A8B589

Strings

@U=u, xrefs: 00A8B4DB, 00A8B512, 00A8B589

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID: @U=u
API String ID: 4072528602-2594219639
Opcode ID: 66bb39244fcd331c0c0ddb07ac0e57424f2732ae4ab17f4966f2a3946551a452
Instruction ID: 02e29a8862d26195c2d8ca62013a55e834080f1633ec65b93a27d8b229f95bd6
Opcode Fuzzy Hash: 66bb39244fcd331c0c0ddb07ac0e57424f2732ae4ab17f4966f2a3946551a452
Instruction Fuzzy Hash: E771B234A10704EFEB24EFA4C895FBA7BB5FF09300F144569F946972A2C731A991DB60

Function 00A86D80 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00A86E24
SendMessageW.USER32(?,00001036,00000000,?), ref: 00A86E38
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00A86E52
_wcscat.LIBCMT ref: 00A86EAD
SendMessageW.USER32(?,00001057,00000000,?), ref: 00A86EC4
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00A86EF2

Strings

SysListView32, xrefs: 00A86DF6
@U=u, xrefs: 00A86E24, 00A86E38

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: @U=u$SysListView32
API String ID: 307300125-1908207174
Opcode ID: c719c904601cb011d5f431eee654f1b85823b64d31b95958b1ce1237f98d6d2c
Instruction ID: 5ef511805aa48a79a01b7919771c45eaf2f92193ebfbbcc8bc365ef6aecf1682
Opcode Fuzzy Hash: c719c904601cb011d5f431eee654f1b85823b64d31b95958b1ce1237f98d6d2c
Instruction Fuzzy Hash: 8141A171A00349AFEB21EFA4CC85BEE77B8EF08350F10092AF584E7291D6719D858B60

Function 00A71A15 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00A71A50
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00A71A7C
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00A71ABE
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00A71AD3
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00A71AE0
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00A71B10
InternetCloseHandle.WININET(00000000), ref: 00A71B57

Part of subcall function 00A72483: GetLastError.KERNEL32(?,?,00A71817,00000000,00000000,00000001), ref: 00A72498
Part of subcall function 00A72483: SetEvent.KERNEL32(?,?,00A71817,00000000,00000000,00000001), ref: 00A724AD

Strings

, xrefs: 00A71B01

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
String ID:
API String ID: 2603140658-3916222277
Opcode ID: 6a515ffddf332a9c136f4f3907cd1f70576939f8ca036f9ab4008dc050df4971
Instruction ID: a306d49888d6b11f4398d87dcc562c4d4a5119a88f8f81757cd00948c0218e90
Opcode Fuzzy Hash: 6a515ffddf332a9c136f4f3907cd1f70576939f8ca036f9ab4008dc050df4971
Instruction Fuzzy Hash: 4E416EB1601219BFEB119F54CC89FFB7BACEF48354F10C12AFA099A141E7749E459BA0

Function 00A862CD Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00A862EC
GetWindowLongW.USER32(00CA4E90,000000F0), ref: 00A8631F
GetWindowLongW.USER32(00CA4E90,000000F0), ref: 00A86354
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00A86386
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00A863B0
GetWindowLongW.USER32(00000000,000000F0), ref: 00A863C1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00A863DB

Strings

@U=u, xrefs: 00A862EC, 00A86386, 00A863B0

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID: @U=u
API String ID: 2178440468-2594219639
Opcode ID: 9fe4d60aedb8e856cc521689238b4a4dc256a70987c5f79f973aade2a71c9c44
Instruction ID: cc4f274cbe60bc988671042b2f89665b8d483b4a53591dc6ea7d17c25355c409
Opcode Fuzzy Hash: 9fe4d60aedb8e856cc521689238b4a4dc256a70987c5f79f973aade2a71c9c44
Instruction Fuzzy Hash: 993105306442519FEB21EFA8DC85F5537E1FB5A714F1901A4F501DF2B1CB71A881EB51

Function 00A78C46 Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,00A8F910), ref: 00A78D28
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00A8F910), ref: 00A78D5C
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00A78ED6
SysFreeString.OLEAUT32(?), ref: 00A78F00

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: c73aa0e29533b6cc01215bb9e2f837a083374abdf5f54df92b9a8a7a4d64c5a3
Instruction ID: 9f312469c2fee15b5fadc47d507a99256ca7e6461f563a25d9b0d78ede00aaa5
Opcode Fuzzy Hash: c73aa0e29533b6cc01215bb9e2f837a083374abdf5f54df92b9a8a7a4d64c5a3
Instruction Fuzzy Hash: F6F11671A00209AFCB14DF94CC88EAEB7B9FF49315F10C499F909AB251DB35AE46CB51

Function 00A7F694 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A7F6B5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00A7F848
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00A7F86C
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00A7F8AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00A7F8CE
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00A7FA4A
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00A7FA7C
CloseHandle.KERNEL32(?), ref: 00A7FAAB
CloseHandle.KERNEL32(?), ref: 00A7FB22

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: bf5fb91061710f51786e792710725e1cf1c49f63e4e04759dfcb35f678263f46
Instruction ID: 7ca4bf14aad094487cc2fefc957825e728046900e99a3ba7f0c9bff308587b58
Opcode Fuzzy Hash: bf5fb91061710f51786e792710725e1cf1c49f63e4e04759dfcb35f678263f46
Instruction Fuzzy Hash: ECE1BD316042019FCB14EF24D981B6ABBE5FF89354F14C96DF8999B2A2CB30DD45CB52

Function 00A64CC1 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00A6466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00A63697,?), ref: 00A6468B

Part of subcall function 00A6466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00A63697,?), ref: 00A646A4

Part of subcall function 00A64A31: GetFileAttributesW.KERNEL32(?,00A6370B), ref: 00A64A32

lstrcmpiW.KERNEL32(?,?), ref: 00A64D40
_wcscmp.LIBCMT ref: 00A64D5A
MoveFileW.KERNEL32(?,?), ref: 00A64D75

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 791edbee65c3fd5cc8f31bcae3fec9a585091962f33a06db76565560d1a06a35
Instruction ID: 9c68d5e55b4bbfb8389796cdc716fbdd926347795d52b81d1224b09065b476bf
Opcode Fuzzy Hash: 791edbee65c3fd5cc8f31bcae3fec9a585091962f33a06db76565560d1a06a35
Instruction Fuzzy Hash: 7F5175B24083459FC724EBA4D9819DFB3ECAF89750F00092EF689C3151EF34A188C766

Function 00A5966E Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A5A82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00A5A84C
Part of subcall function 00A5A82C: GetCurrentThreadId.KERNEL32 ref: 00A5A853
Part of subcall function 00A5A82C: AttachThreadInput.USER32(00000000,?,00A59683,?,00000001), ref: 00A5A85A

MapVirtualKeyW.USER32(00000025,00000000), ref: 00A5968E
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00A596AB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00A596AE
MapVirtualKeyW.USER32(00000025,00000000), ref: 00A596B7
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00A596D5
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00A596D8
MapVirtualKeyW.USER32(00000025,00000000), ref: 00A596E1
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00A596F8
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00A596FB

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: a0f4076ee7463f4aa2a7647e8d4420445ba03252aa64a58282a1b982eec548f9
Instruction ID: 6854e7ae6a26cc15a8e064cdf762b7ee13fa3adb9d45e055a4e3792771e72f43
Opcode Fuzzy Hash: a0f4076ee7463f4aa2a7647e8d4420445ba03252aa64a58282a1b982eec548f9
Instruction Fuzzy Hash: AF11E1B1A10219BEF610AFA0DC89F6A3B2DEB4C751F100525F744AB0A0C9F25C11DBA4

Function 00A58921 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00A5853C,00000B00,?,?), ref: 00A5892A
HeapAlloc.KERNEL32(00000000,?,00A5853C,00000B00,?,?), ref: 00A58931
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00A5853C,00000B00,?,?), ref: 00A58946
GetCurrentProcess.KERNEL32(?,00000000,?,00A5853C,00000B00,?,?), ref: 00A5894E
DuplicateHandle.KERNEL32(00000000,?,00A5853C,00000B00,?,?), ref: 00A58951
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00A5853C,00000B00,?,?), ref: 00A58961
GetCurrentProcess.KERNEL32(00A5853C,00000000,?,00A5853C,00000B00,?,?), ref: 00A58969
DuplicateHandle.KERNEL32(00000000,?,00A5853C,00000B00,?,?), ref: 00A5896C
CreateThread.KERNEL32(00000000,00000000,00A58992,00000000,00000000,00000000), ref: 00A58986

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: f80557296649daadfd65860eaee88bbeca3f082653f7c0ad6b9c84d65b116224
Instruction ID: a92b3947d312b30baade0837da8dff416b385a6e1df5549b6af5c3b24b8c0acf
Opcode Fuzzy Hash: f80557296649daadfd65860eaee88bbeca3f082653f7c0ad6b9c84d65b116224
Instruction Fuzzy Hash: F901A4B5240309FFE610EBA5DC8DF6B7BACEB89711F408521FB05DB2A1DA7498118B20

Function 00A79B23 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00A79B7B
NULL Pointer assignment, xrefs: 00A79BA4, 00A79EC8

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: deb70e3802480a8f0d9d9a485a61779b03a24b35f19938d7a0fc3c60c5c833d9
Instruction ID: 3bff5eb5cb487aca188824badb9a4c5405070bb1b644114c2140d71546443dac
Opcode Fuzzy Hash: deb70e3802480a8f0d9d9a485a61779b03a24b35f19938d7a0fc3c60c5c833d9
Instruction Fuzzy Hash: 01C16171A0021AAFDF10DF98DD85AAFB7F5FB48314F14C46AE909AB281E7709D45CB90

Function 00A79113 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A79167
VariantInit.OLEAUT32(?), ref: 00A79238
VariantInit.OLEAUT32(?), ref: 00A79339
VariantClear.OLEAUT32(?), ref: 00A79343
VariantClear.OLEAUT32(?), ref: 00A793A0

Strings

Null Object assignment in FOR..IN loop, xrefs: 00A791C8, 00A792F6, 00A793AE
Incorrect Object type in FOR..IN loop, xrefs: 00A7931C

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: 2d165b3ee865ea09639c6a8bd2b0225d499f18723a280b1968a58ba7aa6a5fd7
Instruction ID: 7ecbb5e7ecdd6d96d424e25d015f366d3dc0da08a8c58cf521d2767d7d5cd411
Opcode Fuzzy Hash: 2d165b3ee865ea09639c6a8bd2b0225d499f18723a280b1968a58ba7aa6a5fd7
Instruction Fuzzy Hash: C7916871A00219ABDF24DFA5CC48FAFBBB8EF45710F10C55AF919AB281D7709945CBA0

Function 00A7975D Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 00A5710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00A57044,80070057,?,?,?,00A57455), ref: 00A57127
Part of subcall function 00A5710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00A57044,80070057,?,?), ref: 00A57142
Part of subcall function 00A5710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00A57044,80070057,?,?), ref: 00A57150
Part of subcall function 00A5710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00A57044,80070057,?), ref: 00A57160

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00A79806
_memset.LIBCMT ref: 00A79813
_memset.LIBCMT ref: 00A79956
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00A79982
CoTaskMemFree.OLE32(?), ref: 00A7998D

Strings

NULL Pointer assignment, xrefs: 00A799DB

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 63255d9cce5c8647ae5dfc0fcf78dbb4963f622eeac23cbe9d8d9171afb80eb2
Instruction ID: ee8982901775fda794f00839b942200e1131a54d1ced31bdf51431cafc6fceaa
Opcode Fuzzy Hash: 63255d9cce5c8647ae5dfc0fcf78dbb4963f622eeac23cbe9d8d9171afb80eb2
Instruction Fuzzy Hash: FF912771D00229ABDB10DFA4DD41EDEBBB9AF08350F10816AF519A7291EB719A44CFA0

Function 00A7E933 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00A63C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00A63C7A
Part of subcall function 00A63C55: Process32FirstW.KERNEL32(00000000,?), ref: 00A63C88
Part of subcall function 00A63C55: CloseHandle.KERNEL32(00000000), ref: 00A63D52

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00A7E9A4
GetLastError.KERNEL32 ref: 00A7E9B7
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00A7E9E6
TerminateProcess.KERNEL32(00000000,00000000), ref: 00A7EA63
GetLastError.KERNEL32(00000000), ref: 00A7EA6E
CloseHandle.KERNEL32(00000000), ref: 00A7EAA3

Strings

SeDebugPrivilege, xrefs: 00A7E9C2

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 3ce972839fedf48cf78fa4f3ae59a61855d9d17c7cdb29d6f26868ed89d47a7a
Instruction ID: 889a8167432797ff23c0d3c198ac9a2e1fe1ba32621331c58522a6cd502c6953
Opcode Fuzzy Hash: 3ce972839fedf48cf78fa4f3ae59a61855d9d17c7cdb29d6f26868ed89d47a7a
Instruction Fuzzy Hash: 7E41A9712002019FDB10EF64DD95F6EB7A5BF88355F04C458F9069B2C2DB74A849CB91

Function 00A8B69E Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(00AC57B0,00000000,00CA4E90,?,?,00AC57B0,?,00A8B5A8,?,?), ref: 00A8B712
EnableWindow.USER32(00000000,00000000), ref: 00A8B736
ShowWindow.USER32(00AC57B0,00000000,00CA4E90,?,?,00AC57B0,?,00A8B5A8,?,?), ref: 00A8B796
ShowWindow.USER32(00000000,00000004,?,00A8B5A8,?,?), ref: 00A8B7A8
EnableWindow.USER32(00000000,00000001), ref: 00A8B7CC
SendMessageW.USER32(?,0000130C,?,00000000), ref: 00A8B7EF

Strings

@U=u, xrefs: 00A8B7EF

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID: @U=u
API String ID: 642888154-2594219639
Opcode ID: 7146519c7fd9a4a0e332a455327782abc4c930d4980fb7ac339f6e1c53e617cc
Instruction ID: bcbe5a5668ab713524636cfd5c73268e75d06f646c41421d30d4b96f486ba3dd
Opcode Fuzzy Hash: 7146519c7fd9a4a0e332a455327782abc4c930d4980fb7ac339f6e1c53e617cc
Instruction Fuzzy Hash: 80418F34602341AFDB22EF24C499B957FE1FF49310F5841B9F9489F6A2C731A856CB60

Function 00A62F94 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00A63033

Strings

warning, xrefs: 00A6301C
info, xrefs: 00A62FD4
blank, xrefs: 00A62FB5
stop, xrefs: 00A63004
question, xrefs: 00A62FEC

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 0f3adb24ac58a9614eb34a018a12133e430f6926613c81247b8cb9cc2f6ba94c
Instruction ID: c90acb2f6f0dae99b16e61470861f7992bc8fbb1d8d148665bf7e3ed08e515a6
Opcode Fuzzy Hash: 0f3adb24ac58a9614eb34a018a12133e430f6926613c81247b8cb9cc2f6ba94c
Instruction Fuzzy Hash: D9112B32348347BEEB249B5CDC42DAF7BBCDF15320B21002AFA0066182DB745F4557A0

Function 00A642F8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00A64312
LoadStringW.USER32(00000000), ref: 00A64319
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00A6432F
LoadStringW.USER32(00000000), ref: 00A64336
_wprintf.LIBCMT ref: 00A6435C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00A6437A

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00A64357

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: a441ee3f7e8d571940925e6b8060974bb08aac3b954a96f299aa2549e165c0cb
Instruction ID: 88abf14db1b8ba27d626ebec64da1ac5f8797a1f7c5b6a1331b03bd03326186d
Opcode Fuzzy Hash: a441ee3f7e8d571940925e6b8060974bb08aac3b954a96f299aa2549e165c0cb
Instruction Fuzzy Hash: A1014FF6900209BFE711E7E4DD89EE6776CEB08300F0005B1B749E6051EA745E854B70

Function 00A02A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00A3C1C7,00000004,00000000,00000000,00000000), ref: 00A02ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00A3C1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00A02B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00A3C1C7,00000004,00000000,00000000,00000000), ref: 00A3C21A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00A3C1C7,00000004,00000000,00000000,00000000), ref: 00A3C286

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: b0cca81ff9ea1d6cfdac8e229ba1e7c4298373d91d0fc217f7db7c763585e77a
Instruction ID: 95e685bd26e1b311d72a0d45ee1180a0757eadd05fac999c6e30275e2e9bc908
Opcode Fuzzy Hash: b0cca81ff9ea1d6cfdac8e229ba1e7c4298373d91d0fc217f7db7c763585e77a
Instruction Fuzzy Hash: 94413B307047C89FDB359B78AC9CB6B7BA2BB85354F24881DF047925E0CA75A886D720

Function 00A670C6 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00A670DD

Part of subcall function 00A20DB6: std::exception::exception.LIBCMT ref: 00A20DEC
Part of subcall function 00A20DB6: __CxxThrowException@8.LIBCMT ref: 00A20E01

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00A67114
EnterCriticalSection.KERNEL32(?), ref: 00A67130
_memmove.LIBCMT ref: 00A6717E
_memmove.LIBCMT ref: 00A6719B
LeaveCriticalSection.KERNEL32(?), ref: 00A671AA
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00A671BF
InterlockedExchange.KERNEL32(?,000001F6), ref: 00A671DE

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: 59713f8ac01c86b4ce52bcb9895a9999f96ee5d02f5bddbebf081efb704783bd
Instruction ID: abee2ea2a04d2e6d4399b3f80dc0e33e00507be7c9c4c4a99fcaf8281daa6f4d
Opcode Fuzzy Hash: 59713f8ac01c86b4ce52bcb9895a9999f96ee5d02f5bddbebf081efb704783bd
Instruction Fuzzy Hash: AA318D71900215EFDB00EFA8DD85EAEB779EF45710F1441B5E904AB256EB309E51CBA0

Function 00A5BBAF Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00A5BBC4
_memcmp.LIBCMT ref: 00A5BBE6
_memcmp.LIBCMT ref: 00A5BBFE
_memcmp.LIBCMT ref: 00A5BC11
_memcmp.LIBCMT ref: 00A5BC2B
_memcmp.LIBCMT ref: 00A5BC3E
_memcmp.LIBCMT ref: 00A5BC56
_memcmp.LIBCMT ref: 00A5BC71

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 4b160ec226a94fda7963ba2090a64c4f6abe709e11b13a0663e291947951dee6
Instruction ID: 33d2c3b1d13ebbdbe05c019248efb87a1d5ac512260267a8688b74e210c15eba
Opcode Fuzzy Hash: 4b160ec226a94fda7963ba2090a64c4f6abe709e11b13a0663e291947951dee6
Instruction Fuzzy Hash: 8321B0B17112157BAA047715AE42FFB73ACBE2434BB054420FD089A647EB74DE1982B5

Function 00A6EB23 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00A09837: __itow.LIBCMT ref: 00A09862
Part of subcall function 00A09837: __swprintf.LIBCMT ref: 00A098AC

Part of subcall function 00A1FC86: _wcscpy.LIBCMT ref: 00A1FCA9

_wcstok.LIBCMT ref: 00A6EC94
_wcscpy.LIBCMT ref: 00A6ED23
_memset.LIBCMT ref: 00A6ED56

Strings

X, xrefs: 00A6ED93

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 6cd54a5a5e4fe454ea87eb1008068556db542754adf047991743024fc4b3f4fe
Instruction ID: 16aeb9cc958dce3a91cae00e00b6e7fb434c9e0364aea3da2a2a1a30b4c38445
Opcode Fuzzy Hash: 6cd54a5a5e4fe454ea87eb1008068556db542754adf047991743024fc4b3f4fe
Instruction Fuzzy Hash: 65C15C759083059FC754EF68D981A6AB7F4FF85310F00892DF8999B2A2DB30EC45CB82

Function 00A76B03 Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00A76C00
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00A76C21
WSAGetLastError.WSOCK32(00000000), ref: 00A76C34
htons.WSOCK32(?,?,?,00000000,?), ref: 00A76CEA
inet_ntoa.WSOCK32(?), ref: 00A76CA7

Part of subcall function 00A5A7E9: _strlen.LIBCMT ref: 00A5A7F3
Part of subcall function 00A5A7E9: _memmove.LIBCMT ref: 00A5A815

_strlen.LIBCMT ref: 00A76D44
_memmove.LIBCMT ref: 00A76DAD

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: 36b8fcf2506c0194750c1e027d6f43f919c746beddc6a119349bd9b89d61dd5f
Instruction ID: 834ef2880a0ee332b8590d21f301f521ed92259b8f0fb631ffc205b89a850a09
Opcode Fuzzy Hash: 36b8fcf2506c0194750c1e027d6f43f919c746beddc6a119349bd9b89d61dd5f
Instruction Fuzzy Hash: C981F071204B04AFD720EF24DD82F6BB7A8AF85714F10CA18F9499B2D2DA70AD05CB91

Function 00A01424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bfab6285dabf8cec08c9381ab51cbadf1211166db976c636289f7ae59ceccf6
Instruction ID: 6f2f6b2f425824562357cce3d661001ab7751b3f758b31e8d35c759380ea265d
Opcode Fuzzy Hash: 7bfab6285dabf8cec08c9381ab51cbadf1211166db976c636289f7ae59ceccf6
Instruction Fuzzy Hash: E0715A70900109EFCB04DF98DC89AFEBB79FF85314F248159F915AA2A1C735AA51CFA0

Function 00A7F41E Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A7F448
_memset.LIBCMT ref: 00A7F511
ShellExecuteExW.SHELL32(?), ref: 00A7F556

Part of subcall function 00A09837: __itow.LIBCMT ref: 00A09862
Part of subcall function 00A09837: __swprintf.LIBCMT ref: 00A098AC

Part of subcall function 00A1FC86: _wcscpy.LIBCMT ref: 00A1FCA9

GetProcessId.KERNEL32(00000000), ref: 00A7F5CD
CloseHandle.KERNEL32(00000000), ref: 00A7F5FC

Strings

@, xrefs: 00A7F525

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: e727c0f38e8ffc10c78cfbda0ce4ce00a323134f64f3d64c1f3212cbfaca32a4
Instruction ID: dadb1d3df2059af2c5b04314af97cf157145e07b84cbe381af41e44e4bf92e90
Opcode Fuzzy Hash: e727c0f38e8ffc10c78cfbda0ce4ce00a323134f64f3d64c1f3212cbfaca32a4
Instruction Fuzzy Hash: 1E6180B5A00619DFCB14DFA4D9859AEBBF5FF49310F14C069E859AB391CB30AE41CB90

Function 00A60F4D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00A60F8C
GetKeyboardState.USER32(?), ref: 00A60FA1
SetKeyboardState.USER32(?), ref: 00A61002
PostMessageW.USER32(?,00000101,00000010,?), ref: 00A61030
PostMessageW.USER32(?,00000101,00000011,?), ref: 00A6104F
PostMessageW.USER32(?,00000101,00000012,?), ref: 00A61095
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00A610B8

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: d7537a88d65c412f24c795e6970cd399b0c8ee0a192bf6a76e6c36dc5022d807
Instruction ID: 5a7f3f97aa5ec5e6859d7ad7fd86456345b3ea4db6b08def8d595590eb28e4f5
Opcode Fuzzy Hash: d7537a88d65c412f24c795e6970cd399b0c8ee0a192bf6a76e6c36dc5022d807
Instruction Fuzzy Hash: 8951E1A06047D63DFB3643348C15BBBBEB96B06304F0C8989E1D4868D2D2A9ECD9D751

Function 00A60D66 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00A60DA5
GetKeyboardState.USER32(?), ref: 00A60DBA
SetKeyboardState.USER32(?), ref: 00A60E1B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00A60E47
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00A60E64
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00A60EA8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00A60EC9

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 2f9e9cc204f23f39191577bf82c2f53409d244ed0ecb62d8161f8df32beefc17
Instruction ID: 988ac547c61e2b4bee939c9ed2cc66c45602f56ce77fb5320599877903ecc38b
Opcode Fuzzy Hash: 2f9e9cc204f23f39191577bf82c2f53409d244ed0ecb62d8161f8df32beefc17
Instruction Fuzzy Hash: 1151E1A05487E57DFB3683748C55FBBBFB9AB06300F088989E1D4468C2D396ACD9D760

Function 00A655FD Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00A6560A
_wcsncpy.LIBCMT ref: 00A6563F
_wcsncpy.LIBCMT ref: 00A65671
_wcsncpy.LIBCMT ref: 00A656A4
_wcsncpy.LIBCMT ref: 00A656E6
_wcsncpy.LIBCMT ref: 00A65720
_wcsncpy.LIBCMT ref: 00A6574F

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 361792a7c7bff3e17004e80817e6aaea8c5abc1469a71cde38054c6feb41482b
Instruction ID: 5b45d5e984332dfaa04df28a1724bfe1e42b91cee9b4d9f65f6421addc6b438a
Opcode Fuzzy Hash: 361792a7c7bff3e17004e80817e6aaea8c5abc1469a71cde38054c6feb41482b
Instruction Fuzzy Hash: 33416566C1062476CB11EBB8DC46ACFB7B89F05310F508966F518E3221FB34A695C7A6

Function 00A8A056 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

@U=u, xrefs: 00A8A14F

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID:
String ID: @U=u
API String ID: 0-2594219639
Opcode ID: b354af5906d1d983ae32d8575421b6a77ac3e2804ce999defa34b16f6710268e
Instruction ID: 0492d346af0614e523071c2368f8e53a4234edf9c1dd1d7f05b60bde90969297
Opcode Fuzzy Hash: b354af5906d1d983ae32d8575421b6a77ac3e2804ce999defa34b16f6710268e
Instruction Fuzzy Hash: 4041C335E04104AFE710EF68CC4CFA9BBB4EB29310F150266F856A72E1C730AD52DB51

Function 00A63671 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00A6466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00A63697,?), ref: 00A6468B

Part of subcall function 00A6466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00A63697,?), ref: 00A646A4

lstrcmpiW.KERNEL32(?,?), ref: 00A636B7
_wcscmp.LIBCMT ref: 00A636D3
MoveFileW.KERNEL32(?,?), ref: 00A636EB
_wcscat.LIBCMT ref: 00A63733
SHFileOperationW.SHELL32(?), ref: 00A6379F

Strings

\*.*, xrefs: 00A6372D

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: 21b33fd7c47995579d341ecc741a14abab1c5c32e64d759e94e282f5dfc7fdde
Instruction ID: ce4466fc1c4c1df2113e49bf10272e037d380e838dd43d15b260df4392fdfe1c
Opcode Fuzzy Hash: 21b33fd7c47995579d341ecc741a14abab1c5c32e64d759e94e282f5dfc7fdde
Instruction Fuzzy Hash: E0416172508345AECB52EF64D541ADFB7F8EF89380F40092EB49AC3251EA34D68AC752

Function 00A87291 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A872AA
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00A87351
IsMenu.USER32(?), ref: 00A87369
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00A873B1
DrawMenuBar.USER32 ref: 00A873C4

Strings

0, xrefs: 00A8729E

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: e840d3edfd1fc9f9071e15ed4a089f9a38c2196c9a6574403b148d9e9d23036b
Instruction ID: 922d996967d50f9eb053eadf14d8face9f3b16545d90be454dfbb8df171d4c50
Opcode Fuzzy Hash: e840d3edfd1fc9f9071e15ed4a089f9a38c2196c9a6574403b148d9e9d23036b
Instruction Fuzzy Hash: 2B411675A04209AFDB20EFA0D884E9EBBB8FB05350F248529FD15AB260D730ED50EB51

Function 00A80FA5 Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00A80FD4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00A80FFE
FreeLibrary.KERNEL32(00000000), ref: 00A810B5

Part of subcall function 00A80FA5: RegCloseKey.ADVAPI32(?), ref: 00A8101B
Part of subcall function 00A80FA5: FreeLibrary.KERNEL32(?), ref: 00A8106D
Part of subcall function 00A80FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00A81090

RegDeleteKeyW.ADVAPI32(?,?), ref: 00A81058

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 17b0d7c6dbf0e7dd1eb3ffd8020515128fc50abb8b2b3b91dee90250a0c5048e
Instruction ID: ee0f38b26d6fe511c46cd32db12e636e58d62c5c30d13bdc281c9028fe2d1800
Opcode Fuzzy Hash: 17b0d7c6dbf0e7dd1eb3ffd8020515128fc50abb8b2b3b91dee90250a0c5048e
Instruction Fuzzy Hash: E7310A71901109BFDB15EB90DC89EFFB7BCEF08300F10416AE501E2151EA749E8A9BA1

Function 00A5DAEB Relevance: 10.6, APIs: 7, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00A5DB2E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00A5DB54
SysAllocString.OLEAUT32(00000000), ref: 00A5DB57
SysAllocString.OLEAUT32(?), ref: 00A5DB75
SysFreeString.OLEAUT32(?), ref: 00A5DB7E
StringFromGUID2.OLE32(?,?,00000028), ref: 00A5DBA3
SysAllocString.OLEAUT32(?), ref: 00A5DBB1

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: a72fc61e1c196e9f0d9685bcb6a77bb090615586bb4654a63cdc1e4b9462c36b
Instruction ID: 18e7e285bed2313be2b5440d122f799f846b738e9bfac39b4e9f8fa1bbad4308
Opcode Fuzzy Hash: a72fc61e1c196e9f0d9685bcb6a77bb090615586bb4654a63cdc1e4b9462c36b
Instruction Fuzzy Hash: DF219236600219AFEF20DFE8DC88CBB73ADFB09361B128526FD54DB251D6709C458760

Function 00A76173 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00A77D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00A77DB6

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00A761C6
WSAGetLastError.WSOCK32(00000000), ref: 00A761D5
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00A7620E
connect.WSOCK32(00000000,?,00000010), ref: 00A76217
WSAGetLastError.WSOCK32 ref: 00A76221
closesocket.WSOCK32(00000000), ref: 00A7624A
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00A76263

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 1ad8914fb5112725fe557a91f4274836bca57f61d29bc47437b6064229bafe5a
Instruction ID: c4ef295d0008eb1e6013bf792021d790cb181d2fdbdc91c8c413e4fe80f7f65c
Opcode Fuzzy Hash: 1ad8914fb5112725fe557a91f4274836bca57f61d29bc47437b6064229bafe5a
Instruction Fuzzy Hash: D031A471600508AFDF10AF64DC85BBE7BACEB45710F04C069FD09A7292DB70AC458BA1

Function 00A58E90 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A07DE1: _memmove.LIBCMT ref: 00A07E22

Part of subcall function 00A5AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00A5AABC

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00A58F14
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00A58F27
SendMessageW.USER32(?,00000189,?,00000000), ref: 00A58F57

Part of subcall function 00A07BCC: _memmove.LIBCMT ref: 00A07C06

Strings

@U=u, xrefs: 00A58F14, 00A58F27, 00A58F57
ComboBox, xrefs: 00A58E9E
ListBox, xrefs: 00A58ED3

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: @U=u$ComboBox$ListBox
API String ID: 365058703-2258501812
Opcode ID: 17f81cd9532380f4412774f82f8b8bed0bdb92af0883ca49a6c0c7645fd61ab1
Instruction ID: 7eb36e034fa915415e822fad14b67e3e957b85b69fd6063d3a82467ff8e27797
Opcode Fuzzy Hash: 17f81cd9532380f4412774f82f8b8bed0bdb92af0883ca49a6c0c7645fd61ab1
Instruction Fuzzy Hash: 88210171A00108BEDB14ABB0DC86CFFB779EF09360B104629F825A71E1DF39584E9A20

Function 00A5F65E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00A5F671
__wcsnicmp.LIBCMT ref: 00A5F692
__wcsnicmp.LIBCMT ref: 00A5F6AC

Strings

#notrayicon, xrefs: 00A5F669
#requireadmin, xrefs: 00A5F68C
#OnAutoItStartRegister, xrefs: 00A5F6A6

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: e03399bc0d222e630fa9720987a89b03f6e92789563d9b6884bedcd96813da32
Instruction ID: d60b0baef2df02c31a5177accd1902df56aa5a648e39a8dd0eacb9251361edcb
Opcode Fuzzy Hash: e03399bc0d222e630fa9720987a89b03f6e92789563d9b6884bedcd96813da32
Instruction Fuzzy Hash: AB2134722042617EDA20AB38AD02FA773E8FF59341F104439FD4686491EB70AD89D395

Function 00A5DBC4 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00A5DC09
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00A5DC2F
SysAllocString.OLEAUT32(00000000), ref: 00A5DC32
SysAllocString.OLEAUT32 ref: 00A5DC53
SysFreeString.OLEAUT32 ref: 00A5DC5C
StringFromGUID2.OLE32(?,?,00000028), ref: 00A5DC76
SysAllocString.OLEAUT32(?), ref: 00A5DC84

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 96b53c01e6994a786f7c3bccaa4992cb1363b3fcc0dabaeb6458374972a8ca25
Instruction ID: 7d3306ed456d736c13c922bb6127132cc4eb57ea05c224b0d4af375994f1e360
Opcode Fuzzy Hash: 96b53c01e6994a786f7c3bccaa4992cb1363b3fcc0dabaeb6458374972a8ca25
Instruction Fuzzy Hash: 41215E35604205AF9B20DBF8DC88DAA77ACFB08361B108126FD14DB261DAB09C45C764

Function 00A5B1EC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00A5B204
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00A5B221
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00A5B259
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00A5B27F
_wcsstr.LIBCMT ref: 00A5B289

Strings

@U=u, xrefs: 00A5B221, 00A5B259

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID: @U=u
API String ID: 3902887630-2594219639
Opcode ID: d01d73a8a020850a4e630b82de735cf336dc7f0b69469e4fc72bff681965deb3
Instruction ID: e6cc8b9d1a5d963d47eab9f382fcc28189e16b46aae3ee2cf262888fa8406e0d
Opcode Fuzzy Hash: d01d73a8a020850a4e630b82de735cf336dc7f0b69469e4fc72bff681965deb3
Instruction Fuzzy Hash: D8212532214201BEEB159B79AC09EBF7BA8EF49712F104139FC04CA1A1EF718C419370

Function 00A59307 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00A59320

Part of subcall function 00A07BCC: _memmove.LIBCMT ref: 00A07C06

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00A59352
__itow.LIBCMT ref: 00A5936A
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00A59392
__itow.LIBCMT ref: 00A593A3

Strings

@U=u, xrefs: 00A59320, 00A59352, 00A59392

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID: @U=u
API String ID: 2983881199-2594219639
Opcode ID: 6d8079f1fe0662e4260b086913b16886f74e9350529e99288056f7cde832b80d
Instruction ID: 58dbc7c9d791a59a1b82248fa70e393cbd14ef9e802ed55785961833099c1b31
Opcode Fuzzy Hash: 6d8079f1fe0662e4260b086913b16886f74e9350529e99288056f7cde832b80d
Instruction Fuzzy Hash: 2D21F531B00208FBDB10ABA49D89EAF3BA8FB49721F144029FD09DF1C1D6B0DD599791

Function 00A875CD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A01D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00A01D73
Part of subcall function 00A01D35: GetStockObject.GDI32(00000011), ref: 00A01D87
Part of subcall function 00A01D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00A01D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00A87632
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00A8763F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00A8764A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00A87659
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00A87665

Strings

Msctls_Progress32, xrefs: 00A87603

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 2b499fc5e07f733e00566aae10180ab473e32ffb7ea68841d06b0ca8b15afcb2
Instruction ID: e2fe0d3fc815a06c4e7f4da104a7b76ae779b47c74874ef57fe447363db6602e
Opcode Fuzzy Hash: 2b499fc5e07f733e00566aae10180ab473e32ffb7ea68841d06b0ca8b15afcb2
Instruction Fuzzy Hash: F811B6B1110119BFEF159F64CC85EEB7F6DEF08798F114125B604A20A0D772DC21DBA4

Function 00A29AE6 Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 00A29AE6

Part of subcall function 00A23187: EncodePointer.KERNEL32(00000000), ref: 00A2318A
Part of subcall function 00A23187: __initp_misc_winsig.LIBCMT ref: 00A231A5
Part of subcall function 00A23187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00A29EA0
Part of subcall function 00A23187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00A29EB4
Part of subcall function 00A23187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00A29EC7
Part of subcall function 00A23187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00A29EDA
Part of subcall function 00A23187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00A29EED
Part of subcall function 00A23187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00A29F00
Part of subcall function 00A23187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00A29F13
Part of subcall function 00A23187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00A29F26
Part of subcall function 00A23187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00A29F39
Part of subcall function 00A23187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00A29F4C
Part of subcall function 00A23187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00A29F5F
Part of subcall function 00A23187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00A29F72
Part of subcall function 00A23187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00A29F85
Part of subcall function 00A23187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00A29F98
Part of subcall function 00A23187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00A29FAB
Part of subcall function 00A23187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00A29FBE

__mtinitlocks.LIBCMT ref: 00A29AEB
__mtterm.LIBCMT ref: 00A29AF4

Part of subcall function 00A29B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00A29AF9,00A27CD0,00ABA0B8,00000014), ref: 00A29C56
Part of subcall function 00A29B5C: _free.LIBCMT ref: 00A29C5D
Part of subcall function 00A29B5C: DeleteCriticalSection.KERNEL32(00ABEC00,?,?,00A29AF9,00A27CD0,00ABA0B8,00000014), ref: 00A29C7F

__calloc_crt.LIBCMT ref: 00A29B19
__initptd.LIBCMT ref: 00A29B3B
GetCurrentThreadId.KERNEL32 ref: 00A29B42

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: 65640f6fe884a044693c533439a151ed93d2be6e8e595b6b36b7c8b14fc4d0ae
Instruction ID: a2617c835adb0719d60eb6c56d8adae65dde54ab4285ef259878c2152a554292
Opcode Fuzzy Hash: 65640f6fe884a044693c533439a151ed93d2be6e8e595b6b36b7c8b14fc4d0ae
Instruction Fuzzy Hash: BBF0903251A7316AFA34B7BCBD0768B6694EF02F70F200A39F464D51D2EF61844245A4

Function 00A2406B Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00A23F85), ref: 00A24085
GetProcAddress.KERNEL32(00000000), ref: 00A2408C
EncodePointer.KERNEL32(00000000), ref: 00A24097
DecodePointer.KERNEL32(00A23F85), ref: 00A240B2

Strings

combase.dll, xrefs: 00A24080
RoUninitialize, xrefs: 00A24074

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: b095bf4ea913eb5c40a847c0e894ed1fb3606f5111aca7dd30735049d06e245f
Instruction ID: be35329c5805487f277eb2a05ebb36c80e1deb2378f6dfbd9a1cec9e341938d3
Opcode Fuzzy Hash: b095bf4ea913eb5c40a847c0e894ed1fb3606f5111aca7dd30735049d06e245f
Instruction Fuzzy Hash: C2E0B671685311EFEF10EFE2ED0DF853AA5BB04742F158625F621E50A0CBBA4642DB14

Function 00A664B8 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00A6660B
_memmove.LIBCMT ref: 00A66546

Part of subcall function 00A09837: __itow.LIBCMT ref: 00A09862
Part of subcall function 00A09837: __swprintf.LIBCMT ref: 00A098AC

_memmove.LIBCMT ref: 00A665B9
_memmove.LIBCMT ref: 00A666A0
_memmove.LIBCMT ref: 00A666B9
_memmove.LIBCMT ref: 00A666D5

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 07f7beecbd1dd8334db84aaf9af2abfb4d3119d97a414b28777fd7aaa104b083
Instruction ID: 0a1bed82d289a3d17eee400d3544fd92582dc9f75c4e9ac379e49da5ddbea62a
Opcode Fuzzy Hash: 07f7beecbd1dd8334db84aaf9af2abfb4d3119d97a414b28777fd7aaa104b083
Instruction Fuzzy Hash: 67617C7090025A9BCF05EF64EE82EFE37B9AF05308F058529FD566B293DB34A945CB50

Function 00A801E4 Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A07DE1: _memmove.LIBCMT ref: 00A07E22

Part of subcall function 00A80E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A7FDAD,?,?), ref: 00A80E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A802BD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00A802FD
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00A80320
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00A80349
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00A8038C
RegCloseKey.ADVAPI32(00000000), ref: 00A80399

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: 68f2250eb504d4d25971fa8510db5ad7b82c2d7383bd6ef4989a89a5f42b8b08
Instruction ID: fd0f6aa5c6f6e013567826bb98063f33835df8d9a48a9b3817c3c161e3af8c25
Opcode Fuzzy Hash: 68f2250eb504d4d25971fa8510db5ad7b82c2d7383bd6ef4989a89a5f42b8b08
Instruction Fuzzy Hash: BF514931508204AFCB10EF64D985EAFBBE9FF85314F04491DF5958B2A2EB31E909CB52

Function 00A85799 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00A857FB
GetMenuItemCount.USER32(00000000), ref: 00A85832
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00A8585A
GetMenuItemID.USER32(?,?), ref: 00A858C9
GetSubMenu.USER32(?,?), ref: 00A858D7
PostMessageW.USER32(?,00000111,?,00000000), ref: 00A85928

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: ce8ada7cd0caa3b5f10e272d55d46ba9c104afe7d48c2e26027ac50d39ce17bd
Instruction ID: 8449ad29a9e488bf46d908dad9ff2732f44a6a86669a6e496935d4a23dad3ad1
Opcode Fuzzy Hash: ce8ada7cd0caa3b5f10e272d55d46ba9c104afe7d48c2e26027ac50d39ce17bd
Instruction Fuzzy Hash: 20516E35E00615EFCF11EFA4D945AAEB7B5EF48310F104066EC41BB351DB34AE419B90

Function 00A5EEEC Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00A5EF06
VariantClear.OLEAUT32(00000013), ref: 00A5EF78
VariantClear.OLEAUT32(00000000), ref: 00A5EFD3
_memmove.LIBCMT ref: 00A5EFFD
VariantClear.OLEAUT32(?), ref: 00A5F04A
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00A5F078

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 25bbb3be7c5046b7d7de47cbee00961107c877878bb330e60361e6e3f8290de0
Instruction ID: 931c6adafd47d5e6bf2b1304dbc0e4a2f703f01e31092df5c311a2bf385c717e
Opcode Fuzzy Hash: 25bbb3be7c5046b7d7de47cbee00961107c877878bb330e60361e6e3f8290de0
Instruction Fuzzy Hash: 4F5166B5A00209EFCB14CF58C884AAAB7B8FF4C314B15856AED59DB341E734E915CFA0

Function 00A6220A Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A62258
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00A622A3
IsMenu.USER32(00000000), ref: 00A622C3
CreatePopupMenu.USER32 ref: 00A622F7
GetMenuItemCount.USER32(000000FF), ref: 00A62355
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00A62386

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 90e4ae234ab231924f4b64d106c30989802d34533de95d10b1ff88a7cc7243b4
Instruction ID: a0dad188e8f7f38946e8fd4f6674d5fa6589b93196808d62e3d4c6576f02cf3d
Opcode Fuzzy Hash: 90e4ae234ab231924f4b64d106c30989802d34533de95d10b1ff88a7cc7243b4
Instruction Fuzzy Hash: CB51BB70A00A4AEFDF25CF68C988BAEBBF5FF05314F104129E811AB290E3748944CB51

Function 00A01765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00A02612: GetWindowLongW.USER32(?,000000EB), ref: 00A02623

BeginPaint.USER32(?,?,?,?,?,?), ref: 00A0179A
GetWindowRect.USER32(?,?), ref: 00A017FE
ScreenToClient.USER32(?,?), ref: 00A0181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00A0182C
EndPaint.USER32(?,?), ref: 00A01876

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 0ff72616d3c9876727f74abf895c2f7bc08d7c3049ac39c92a092fab5b24ac27
Instruction ID: 156f14cd2a0a633dabde8aa8eea3ad20738b0cf888210e1c89062eb6f8749b93
Opcode Fuzzy Hash: 0ff72616d3c9876727f74abf895c2f7bc08d7c3049ac39c92a092fab5b24ac27
Instruction Fuzzy Hash: E341AD30500705AFD710DF64DC84FBA7BF8EB49724F044629FAA48B2E1D730A94ADB62

Function 00A7709E Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00A74E41,?,?,00000000,00000001), ref: 00A770AC

Part of subcall function 00A739A0: GetWindowRect.USER32(?,?), ref: 00A739B3

GetDesktopWindow.USER32 ref: 00A770D6
GetWindowRect.USER32(00000000), ref: 00A770DD
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00A7710F

Part of subcall function 00A65244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00A652BC

GetCursorPos.USER32(?), ref: 00A7713B
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00A77199

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: aafb60ed35602272de26514e354dae50124543867ff68194db734fdb03b73e8c
Instruction ID: 0ee47d6d96f06bdb826e25664dce606240e0216690bcec76bf39f149351843df
Opcode Fuzzy Hash: aafb60ed35602272de26514e354dae50124543867ff68194db734fdb03b73e8c
Instruction Fuzzy Hash: D331C372505306AFD720DF64DC49A9FB7A9FF88314F004A29F58997191DB30EA05CB92

Function 00A58879 Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A580A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00A580C0
Part of subcall function 00A580A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00A580CA
Part of subcall function 00A580A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00A580D9
Part of subcall function 00A580A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00A580E0
Part of subcall function 00A580A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00A580F6

GetLengthSid.ADVAPI32(?,00000000,00A5842F), ref: 00A588CA
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00A588D6
HeapAlloc.KERNEL32(00000000), ref: 00A588DD
CopySid.ADVAPI32(00000000,00000000,?), ref: 00A588F6
GetProcessHeap.KERNEL32(00000000,00000000,00A5842F), ref: 00A5890A
HeapFree.KERNEL32(00000000), ref: 00A58911

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 78ec00018f9b096689cff1eb70c5c375103434a563f476f055c305d6d52fec5b
Instruction ID: 151fa2a0b8108b734bfc460ab9b2a856df5d52fe44034b7d9ec4ed0164ece627
Opcode Fuzzy Hash: 78ec00018f9b096689cff1eb70c5c375103434a563f476f055c305d6d52fec5b
Instruction Fuzzy Hash: 3E11AF31501209FFDB10DFE4DC09BBEB778FB44316F104128E845A7210DB3AA919DB60

Function 00A585B1 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00A585E2
OpenProcessToken.ADVAPI32(00000000), ref: 00A585E9
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00A585F8
CloseHandle.KERNEL32(00000004), ref: 00A58603
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00A58632
DestroyEnvironmentBlock.USERENV(00000000), ref: 00A58646

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 37f413bf5e257567cdcd7b970e432301dec7bb779a23eb5b55ff4bee88ea57d8
Instruction ID: f3bc62d3590abacd8c0c026356b95822b30ad9cb8a5beb74632a634bdc8d24d9
Opcode Fuzzy Hash: 37f413bf5e257567cdcd7b970e432301dec7bb779a23eb5b55ff4bee88ea57d8
Instruction Fuzzy Hash: 9011597250124AAFDF01CFA4ED49BEE7BA9FF08305F144064FE04A2160D7768E65EB60

Function 00A5B790 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00A5B7B5
GetDeviceCaps.GDI32(00000000,00000058), ref: 00A5B7C6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00A5B7CD
ReleaseDC.USER32(00000000,00000000), ref: 00A5B7D5
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00A5B7EC
MulDiv.KERNEL32(000009EC,?,?), ref: 00A5B7FE

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 332141c2926e9a0e6ad2f938f73417639dd391999e7c2b6c8963cc96bde8a2cf
Instruction ID: 00fba6698e066a3a1590d5479cb57a7a521766e23317afe91af533ab8b71fc60
Opcode Fuzzy Hash: 332141c2926e9a0e6ad2f938f73417639dd391999e7c2b6c8963cc96bde8a2cf
Instruction Fuzzy Hash: 23018475E00209BFEF109BE69D49A5EBFB8EB48312F004175FE04A7291D6309C11CFA0

Function 00A20162 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00A20193
MapVirtualKeyW.USER32(00000010,00000000), ref: 00A2019B
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00A201A6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00A201B1
MapVirtualKeyW.USER32(00000011,00000000), ref: 00A201B9
MapVirtualKeyW.USER32(00000012,00000000), ref: 00A201C1

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: ff883d040a5fa2806003882158101a4625f64463f21d5ae519240e43555a2066
Instruction ID: ddbfd63445d74f59e6cf7224e01a5f1b7faa2f6708cd823b8d1136530b66c8f9
Opcode Fuzzy Hash: ff883d040a5fa2806003882158101a4625f64463f21d5ae519240e43555a2066
Instruction Fuzzy Hash: D7016CB090175A7DE3008F5A8C85B52FFA8FF19354F00411BA15C87941C7F5A864CBE5

Function 00A653E9 Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00A653F9
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00A6540F
GetWindowThreadProcessId.USER32(?,?), ref: 00A6541E
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00A6542D
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00A65437
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00A6543E

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 3c920697bb9e8c6aa521461ddf6ce2f21e4e78e72d8f20bcd3c97988409ab208
Instruction ID: 4a2474a2bdea3987286a6d299e0105840de1ecb0a6909dd14cca0415857aca6b
Opcode Fuzzy Hash: 3c920697bb9e8c6aa521461ddf6ce2f21e4e78e72d8f20bcd3c97988409ab208
Instruction Fuzzy Hash: C2F06231240159BFD3209BE29C0DEAB7A7CEFC6B11F000279FA04D1050E6A41A0287B5

Function 00A67230 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00A67243
EnterCriticalSection.KERNEL32(?,?,00A10EE4,?,?), ref: 00A67254
TerminateThread.KERNEL32(00000000,000001F6,?,00A10EE4,?,?), ref: 00A67261
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00A10EE4,?,?), ref: 00A6726E

Part of subcall function 00A66C35: CloseHandle.KERNEL32(00000000,?,00A6727B,?,00A10EE4,?,?), ref: 00A66C3F

InterlockedExchange.KERNEL32(?,000001F6), ref: 00A67281
LeaveCriticalSection.KERNEL32(?,?,00A10EE4,?,?), ref: 00A67288

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: d2fa659e501fbc51c04d302f24a9795d95cc7a1cae2cc9ede51bd6b44d6701c9
Instruction ID: da30938aeaa9a39feeb8d676012d1853a70094fe3826ca80ef0e7815c211a7f0
Opcode Fuzzy Hash: d2fa659e501fbc51c04d302f24a9795d95cc7a1cae2cc9ede51bd6b44d6701c9
Instruction Fuzzy Hash: 75F08276540613EFD7115BA4ED4C9DF7739FF45702B100631F603A10A0EB7A5812CB50

Function 00A58992 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00A5899D
UnloadUserProfile.USERENV(?,?), ref: 00A589A9
CloseHandle.KERNEL32(?), ref: 00A589B2
CloseHandle.KERNEL32(?), ref: 00A589BA
GetProcessHeap.KERNEL32(00000000,?), ref: 00A589C3
HeapFree.KERNEL32(00000000), ref: 00A589CA

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: cfd790ac15d675f40321c961b382cc60cef92a08bc2e1e0f33bc78045b030102
Instruction ID: e25650ebfe12a7133cfcbe9080a8cfa6bb7dfd46aab6f2115f1796290891127a
Opcode Fuzzy Hash: cfd790ac15d675f40321c961b382cc60cef92a08bc2e1e0f33bc78045b030102
Instruction Fuzzy Hash: A3E05276104506FFDA019FE5EC0C95ABB69FB89762B508631F329C5474CB329462DB50

Function 00A785ED Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00A78613
CharUpperBuffW.USER32(?,?), ref: 00A78722
VariantClear.OLEAUT32(?), ref: 00A7889A

Part of subcall function 00A67562: VariantInit.OLEAUT32(00000000), ref: 00A675A2
Part of subcall function 00A67562: VariantCopy.OLEAUT32(00000000,?), ref: 00A675AB
Part of subcall function 00A67562: VariantClear.OLEAUT32(00000000), ref: 00A675B7

Strings

Incorrect Parameter format, xrefs: 00A7864B, 00A7880D
AUTOIT.ERROR, xrefs: 00A78728

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: b5ecf824e54d656d29d7b689a6c1d79dba8d10b59222a591c22e98f8edb2b99e
Instruction ID: 66b6d2ca20eb979c7a6b31eb132caf119f43d723d02c30881d0faf90344211f2
Opcode Fuzzy Hash: b5ecf824e54d656d29d7b689a6c1d79dba8d10b59222a591c22e98f8edb2b99e
Instruction Fuzzy Hash: 89915B716043059FC710DF24C98495BB7E4EF89754F14C96EF88A8B3A2DB34E905CB52

Function 00A62A96 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A1FC86: _wcscpy.LIBCMT ref: 00A1FCA9

_memset.LIBCMT ref: 00A62B87
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00A62BB6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00A62C69
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00A62C97

Strings

0, xrefs: 00A62B73

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: ca43b84ab8ca6cc7edd5cf07eb2e05f64c4fe0b6924123cce06fac67b73caed0
Instruction ID: 33413c54ea7535929a95353a085e42b5fa9693b0ea4b5a08365599ce6c4fa89d
Opcode Fuzzy Hash: ca43b84ab8ca6cc7edd5cf07eb2e05f64c4fe0b6924123cce06fac67b73caed0
Instruction Fuzzy Hash: 6351CA71608B019ED7249F28D845B6FBBF8EF99350F040A2DF895D6291DB70DC449B92

Function 00A897F4 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00CADCC8,?), ref: 00A89863
ScreenToClient.USER32(00000002,00000002), ref: 00A89896
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00A89903

Strings

@U=u, xrefs: 00A8995E

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID: @U=u
API String ID: 3880355969-2594219639
Opcode ID: 982a764b66ba1b73d99dd53440d8499313143db9ddb87319b89426425443d701
Instruction ID: 56a7cbefd1f6bdca3a2def19ab5c8bc7786f4d693b4094534c540bdf8833058e
Opcode Fuzzy Hash: 982a764b66ba1b73d99dd53440d8499313143db9ddb87319b89426425443d701
Instruction Fuzzy Hash: 06512D34A00209AFDB10DF68D984ABE7BB5FF55360F148269F8659B2A0D731AD81CB90

Function 00A59A80 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 129windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00A59AD2
__itow.LIBCMT ref: 00A59B03

Part of subcall function 00A59D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00A59DBE

SendMessageW.USER32(?,0000110A,00000001,?), ref: 00A59B6C
__itow.LIBCMT ref: 00A59BC3

Strings

@U=u, xrefs: 00A59AD2, 00A59B6C

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: MessageSend$__itow
String ID: @U=u
API String ID: 3379773720-2594219639
Opcode ID: 90b15be44cece3ca813e62317fa444f38b1e762654e2fa6a0333063701beed36
Instruction ID: 320d1a7efc69b50587d6845587ca2fce81b5f90b6cd1d8f26fac6064a0bd15ff
Opcode Fuzzy Hash: 90b15be44cece3ca813e62317fa444f38b1e762654e2fa6a0333063701beed36
Instruction Fuzzy Hash: BF417E74A0020CABEF11EF54E945BEE7BB9EF44755F000069FD05AB291DB70AE49CBA1

Function 00A597F5 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A614BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00A59296,?,?,00000034,00000800,?,00000034), ref: 00A614E6

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00A5983F

Part of subcall function 00A61487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00A592C5,?,?,00000800,?,00001073,00000000,?,?), ref: 00A614B1

Part of subcall function 00A613DE: GetWindowThreadProcessId.USER32(?,?), ref: 00A61409
Part of subcall function 00A613DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00A5925A,00000034,?,?,00001004,00000000,00000000), ref: 00A61419
Part of subcall function 00A613DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00A5925A,00000034,?,?,00001004,00000000,00000000), ref: 00A6142F

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00A598AC
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00A598F9

Strings

@U=u, xrefs: 00A5983F, 00A598AC, 00A598F9
@, xrefs: 00A59911

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @$@U=u
API String ID: 4150878124-826235744
Opcode ID: 5a4073796d15ea2d3537dd72825ee8b58bfb9553dba85e5c4e709bb965bf5f72
Instruction ID: ec9f580eaaa1056781cbe4cd5638d983ac120078bdd9d8da4d20850d9c0f3ef5
Opcode Fuzzy Hash: 5a4073796d15ea2d3537dd72825ee8b58bfb9553dba85e5c4e709bb965bf5f72
Instruction Fuzzy Hash: 70416F7690021CBFCB10DFA4CD85ADEBBB8EB09300F144199FA55B7191DA706E89CBA0

Function 00A5D56C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00A5D5D4
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00A5D60A
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00A5D61B
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00A5D69D

Strings

DllGetClassObject, xrefs: 00A5D610

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: a873cce329c35397bd95b595a32a955106010b5e03131ed24c9c23a169e736d5
Instruction ID: d76fe9b4e1e14d6c582c157d7a892379bc7e7a95ee86446302511c24d42d4d87
Opcode Fuzzy Hash: a873cce329c35397bd95b595a32a955106010b5e03131ed24c9c23a169e736d5
Instruction Fuzzy Hash: DF41AEB1600204EFDF24DF64C884A9A7BB9FF48312F1581A9ED09DF205D7B0D949CBA0

Function 00A62753 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A627C0
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00A627DC
DeleteMenu.USER32(?,00000007,00000000), ref: 00A62822
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00AC5890,00000000), ref: 00A6286B

Strings

0, xrefs: 00A627B5

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: dfefd0c71843d81093896ba5e6c83b280faec5b022a9cd71e97a02eaa3bd470f
Instruction ID: 5b59352a8c95504200c0ce959e1a549f8ab5e3b161ae2bc390e53d7cf1cfa707
Opcode Fuzzy Hash: dfefd0c71843d81093896ba5e6c83b280faec5b022a9cd71e97a02eaa3bd470f
Instruction Fuzzy Hash: 4941AD706047019FD724DF28CC84B6ABBF8EF85314F144A2DF9A59B2D1DB30A805CB62

Function 00A88851 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00A888DE

Strings

@U=u, xrefs: 00A8892D

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: InvalidateRect
String ID: @U=u
API String ID: 634782764-2594219639
Opcode ID: 895f44d6b14f601c828522e6c9b0127b9a2f3e37d17cd018e911e89fde680b03
Instruction ID: d646be904869fa911a40203f91f9ada77003650fd7100f7883d11bbe2e2b461b
Opcode Fuzzy Hash: 895f44d6b14f601c828522e6c9b0127b9a2f3e37d17cd018e911e89fde680b03
Instruction Fuzzy Hash: 1931B434A00109AFEF20BB68CC45FB977B5EB09350FE44111F955E71A1CF78E9909752

Function 00A7D7A5 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00A7D7C5

Part of subcall function 00A0784B: _memmove.LIBCMT ref: 00A07899

Strings

stdcall, xrefs: 00A7D847
cdecl, xrefs: 00A7D81C
winapi, xrefs: 00A7D836
none, xrefs: 00A7D8A0

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: 3b49035e8a93e85abb583cab234ad35d352190feb5b71fca1e522f823a43521c
Instruction ID: 472a28dddea0fd066d02f009029f8eb807963045ef505e78282b81335b1c3a30
Opcode Fuzzy Hash: 3b49035e8a93e85abb583cab234ad35d352190feb5b71fca1e522f823a43521c
Instruction Fuzzy Hash: 94316E71904619AFCF00EF68DD919EEB3B5FF04320B10C629E869976D2DB71A905CB80

Function 00A7182D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00A7184C
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00A71872
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00A718A2
InternetCloseHandle.WININET(00000000), ref: 00A718E9

Part of subcall function 00A72483: GetLastError.KERNEL32(?,?,00A71817,00000000,00000000,00000001), ref: 00A72498
Part of subcall function 00A72483: SetEvent.KERNEL32(?,?,00A71817,00000000,00000000,00000001), ref: 00A724AD

Strings

, xrefs: 00A71893

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: bdb33f3a92634abc43a4870771c5b8b63f7c775abe3b608401c52931ba35c020
Instruction ID: 7ee097ea223410fdc212ee77be9606ab75df0678d09071f1a6080afce0c06c85
Opcode Fuzzy Hash: bdb33f3a92634abc43a4870771c5b8b63f7c775abe3b608401c52931ba35c020
Instruction Fuzzy Hash: 522180B1600208BFEB119F68DC85FBB77EDEB48744F10C12AF54996140DA249D0557A1

Function 00A863E7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A01D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00A01D73
Part of subcall function 00A01D35: GetStockObject.GDI32(00000011), ref: 00A01D87
Part of subcall function 00A01D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00A01D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00A86461
LoadLibraryW.KERNEL32(?), ref: 00A86468
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00A8647D
DestroyWindow.USER32(?), ref: 00A86485

Strings

SysAnimate32, xrefs: 00A8643C

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: ab0c1e7611f09af2f53b4ad21d4445dfac664e53acff73e069f18b41618a3f71
Instruction ID: d48e58b7057d0c9f76870302e62a38e8b9a7ea3c276490d5404bda7e1e0f6006
Opcode Fuzzy Hash: ab0c1e7611f09af2f53b4ad21d4445dfac664e53acff73e069f18b41618a3f71
Instruction Fuzzy Hash: 94219D71210205BFFF10AFA4DD80EBF37ADEB58324F208629FA20961A0D731DC919760

Function 00A66D9C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00A66DBC
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00A66DEF
GetStdHandle.KERNEL32(0000000C), ref: 00A66E01
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00A66E3B

Strings

nul, xrefs: 00A66E36

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 2b7b97ccf11e34724124e7ab4d1ddf0eef9c926f72d152d9e7b362c20dab0927
Instruction ID: 3c44b09c5c93f8555ff6877828b68196073eeb4e15d826d5aecdd5ef4af6f650
Opcode Fuzzy Hash: 2b7b97ccf11e34724124e7ab4d1ddf0eef9c926f72d152d9e7b362c20dab0927
Instruction Fuzzy Hash: 1C21AF7460060AEFDB209F69DC05A9A7BF8FF44720F204A29FDA0D72D0EB719951CB50

Function 00A66E6A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00A66E89
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00A66EBB
GetStdHandle.KERNEL32(000000F6), ref: 00A66ECC
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00A66F06

Strings

nul, xrefs: 00A66F01

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: be6a96d74dde937501e33ea9266acf81ae14c6decb7b0db15609fcb6b9760c48
Instruction ID: e99026c52debc4d32ed42d6e411acd2abc5abbdf4eb6ad17d9998aaefee6fff3
Opcode Fuzzy Hash: be6a96d74dde937501e33ea9266acf81ae14c6decb7b0db15609fcb6b9760c48
Instruction Fuzzy Hash: 29217F79600706AFDB209F69DC44AAA77B8EF55720F200B19FDA1D72D0EB71A851CB50

Function 00A6AC40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00A6AC54
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00A6ACA8
__swprintf.LIBCMT ref: 00A6ACC1
SetErrorMode.KERNEL32(00000000,00000001,00000000,00A8F910), ref: 00A6ACFF

Strings

%lu, xrefs: 00A6ACBB

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 2550262d2af7b0da9d79c8fb72e7bcae903b0bb7514a958512e2ea7b91d7a14c
Instruction ID: e66fa66a4d2f1b3ba0fcef1550fb1ffbd52949771a909b3e945f1b6f5f49428e
Opcode Fuzzy Hash: 2550262d2af7b0da9d79c8fb72e7bcae903b0bb7514a958512e2ea7b91d7a14c
Instruction Fuzzy Hash: B8217431A00109AFCB10DFA4DA45DEF77B8FF49714B004469F905AB252DA31EA51CB61

Function 00A61AE8 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00A61B19

Strings

REMOVE, xrefs: 00A61B1F
EXISTS, xrefs: 00A61B41
APPEND, xrefs: 00A61B52
KEYS, xrefs: 00A61B30

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: 57f57bfb29e85a0ed5c0fe75149332cb47614f5fad539cd7a37ee630dd217324
Instruction ID: 1a8f5308c7dae8cfd5d1ed1e5fff50dd0f41c82adcfcb52a05b2fc7905195537
Opcode Fuzzy Hash: 57f57bfb29e85a0ed5c0fe75149332cb47614f5fad539cd7a37ee630dd217324
Instruction Fuzzy Hash: EB1184309001198FCF00EFA8E9918FEB7B8FF25744B944575D815A7292EB325D06CF50

Function 00A7EB55 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00A7EC07
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00A7EC37
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00A7ED6A
CloseHandle.KERNEL32(?), ref: 00A7EDEB

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: df78dc2f44ad30de991d120fefbf171f1fbcda7ea9afa23df2cf26242411b199
Instruction ID: 858edef33fd2d3f1f33437a06e542828a66e537c6beabbb8ed7e52028281cec6
Opcode Fuzzy Hash: df78dc2f44ad30de991d120fefbf171f1fbcda7ea9afa23df2cf26242411b199
Instruction Fuzzy Hash: 6B816CB16007009FD720EF28D986B2AB7E5AF88710F04C95DF999DB3D2DAB0AC458B51

Function 00A80037 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A07DE1: _memmove.LIBCMT ref: 00A07E22

Part of subcall function 00A80E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A7FDAD,?,?), ref: 00A80E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A800FD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00A8013C
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00A80183
RegCloseKey.ADVAPI32(?,?), ref: 00A801AF
RegCloseKey.ADVAPI32(00000000), ref: 00A801BC

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 4bfe10e527a30e9823097027d02acb5f0189014d1c6e3a4ef4acf5a8cb1ebc65
Instruction ID: 1015bec0531ecdd2fe624b31db098969ffcf5e76635fc4d34044d63639a826f0
Opcode Fuzzy Hash: 4bfe10e527a30e9823097027d02acb5f0189014d1c6e3a4ef4acf5a8cb1ebc65
Instruction Fuzzy Hash: 72515A71608208AFD704EF68D985E6BB7F9FF84314F40892DF595872A2DB31E909CB52

Function 00A7D8C8 Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00A09837: __itow.LIBCMT ref: 00A09862
Part of subcall function 00A09837: __swprintf.LIBCMT ref: 00A098AC

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00A7D927
GetProcAddress.KERNEL32(00000000,?), ref: 00A7D9AA
GetProcAddress.KERNEL32(00000000,00000000), ref: 00A7D9C6
GetProcAddress.KERNEL32(00000000,?), ref: 00A7DA07
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00A7DA21

Part of subcall function 00A05A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00A67896,?,?,00000000), ref: 00A05A2C
Part of subcall function 00A05A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00A67896,?,?,00000000,?,?), ref: 00A05A50

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: eee8f8670c7cddbef71ec0ee9ec3db55e45421b47b38b4c41c6de44563804eb3
Instruction ID: 1720fae1c7be011e09733e8a5a5fa81efd2dc45a624e91d2d481bb50193d6885
Opcode Fuzzy Hash: eee8f8670c7cddbef71ec0ee9ec3db55e45421b47b38b4c41c6de44563804eb3
Instruction Fuzzy Hash: 5D511775A00209DFCB00EFA8D9849AEBBF9FF09320B14C165E959AB352D731AD45CF91

Function 00A6E571 Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00A6E61F
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00A6E648
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00A6E687

Part of subcall function 00A09837: __itow.LIBCMT ref: 00A09862
Part of subcall function 00A09837: __swprintf.LIBCMT ref: 00A098AC

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00A6E6AC
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00A6E6B4

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: d2db6b4e6a74fa7fc58fad47ee7377221f7f149757c302ceb94ce6c295531609
Instruction ID: 70c528616a9a554fe4f918c5ec46ebaca918b9ce2c4bdd4c4df45227f66c6436
Opcode Fuzzy Hash: d2db6b4e6a74fa7fc58fad47ee7377221f7f149757c302ceb94ce6c295531609
Instruction Fuzzy Hash: 3C510D79A00109DFCB01EF64D981AAEBBF5EF09314F1480A5E849AB3A2DB31ED15DF51

Function 00A02344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00A02357
ScreenToClient.USER32(00AC57B0,?), ref: 00A02374
GetAsyncKeyState.USER32(00000001), ref: 00A02399
GetAsyncKeyState.USER32(00000002), ref: 00A023A7

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: e424c7ff8bc0ecb904cfd6e2cdc2954ecc9c3f2ff5198cb20e42ec5786c43dbf
Instruction ID: 60b50e06ad6dfecb7249a83498c05b3fbc0093c1388b8356f7cb105630063d38
Opcode Fuzzy Hash: e424c7ff8bc0ecb904cfd6e2cdc2954ecc9c3f2ff5198cb20e42ec5786c43dbf
Instruction Fuzzy Hash: 68417D35604219FFDF199FA8DC48AE9FB75BB05364F20431AF829A62E0C7349950DBA1

Function 00A563AA Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A563E7
TranslateAcceleratorW.USER32(?,?,?), ref: 00A56433
TranslateMessage.USER32(?), ref: 00A5645C
DispatchMessageW.USER32(?), ref: 00A56466
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A56475

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: 557dd202b64159b7d99647e438e68325d461260b3b0b27c474b805fd95cd66e5
Instruction ID: 6216f8f5ca5fc4d6a46dab1b1a18e86c6a24e051103aac2c2378d9107c06eeff
Opcode Fuzzy Hash: 557dd202b64159b7d99647e438e68325d461260b3b0b27c474b805fd95cd66e5
Instruction Fuzzy Hash: B7319E71A00646AEDB64CFB0D944FA67BF8BB01312F940565F821C71A1E735A8CEDB60

Function 00A58A1F Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00A58A30
PostMessageW.USER32(?,00000201,00000001), ref: 00A58ADA
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00A58AE2
PostMessageW.USER32(?,00000202,00000000), ref: 00A58AF0
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00A58AF8

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 8906c7f7316a5bd5c5568c462319872d104a2c2ada44a252e6da2b8498cfd72c
Instruction ID: b092c51ba6f88e67592105145941718d27c18effb5bf6282e2496719452d627c
Opcode Fuzzy Hash: 8906c7f7316a5bd5c5568c462319872d104a2c2ada44a252e6da2b8498cfd72c
Instruction Fuzzy Hash: BE31DF71500219EFDF14CFA8D94CA9E3BB5FB04316F11822AFA24E71D1C7B49918CB90

Function 00A8B14B Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00A02612: GetWindowLongW.USER32(?,000000EB), ref: 00A02623

GetWindowLongW.USER32(?,000000F0), ref: 00A8B192
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00A8B1B7
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00A8B1CF
GetSystemMetrics.USER32(00000004), ref: 00A8B1F8
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00A70E90,00000000), ref: 00A8B216

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: cb869f80e38136db84ce1221fe74e809db15aa3ef728d18c44230788de872d88
Instruction ID: cc56a80d737682433b57be222adad50beeb3be99fb1e104d7c5cfd5ce24a487b
Opcode Fuzzy Hash: cb869f80e38136db84ce1221fe74e809db15aa3ef728d18c44230788de872d88
Instruction Fuzzy Hash: BC218371920656AFCB14AF78DC18A6A7BA4FB05361F154738FD32D71E0E7309851DBA0

Function 00A75A4D Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00A75A6E
GetForegroundWindow.USER32 ref: 00A75A85
GetDC.USER32(00000000), ref: 00A75AC1
GetPixel.GDI32(00000000,?,00000003), ref: 00A75ACD
ReleaseDC.USER32(00000000,00000003), ref: 00A75B08

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 0ead22fae53ad85c466913410fcda188ae9bc937a720c777c0c76f3f40772df4
Instruction ID: 1ac47df95dd8a960173ab900129d1c3e773bc68425901e7c608110fd59e18a38
Opcode Fuzzy Hash: 0ead22fae53ad85c466913410fcda188ae9bc937a720c777c0c76f3f40772df4
Instruction Fuzzy Hash: 77219375A00204AFDB14EFA5DD88A9ABBF9EF48350F14C579F849D7362DA70AD01CB90

Function 00A012F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00A0134D
SelectObject.GDI32(?,00000000), ref: 00A0135C
BeginPath.GDI32(?), ref: 00A01373
SelectObject.GDI32(?,00000000), ref: 00A0139C

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 58ed2caf9d83165755630681770568815d12bfffe52048f8345be722595e9286
Instruction ID: 6a2ecee456436ea098ff798edde2dbe0f5cecd7bda3da65e49e3e86d8487167c
Opcode Fuzzy Hash: 58ed2caf9d83165755630681770568815d12bfffe52048f8345be722595e9286
Instruction Fuzzy Hash: CA214A30C00709EFDB10DFA5EC09BA97BB8EB00361F554226F8109A1E0D770A892EB92

Function 00A64A93 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00A64ABA
__beginthreadex.LIBCMT ref: 00A64AD8
MessageBoxW.USER32(?,?,?,?), ref: 00A64AED
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00A64B03
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00A64B0A

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: ef3aee51c76868ba89f6bfe4137b1178afd88721fbe4fd3c2435baefb669a1ae
Instruction ID: df170ee9b523e15b6de1bcb6c92869c1847ac639e096fc1108a5aa699f2ce122
Opcode Fuzzy Hash: ef3aee51c76868ba89f6bfe4137b1178afd88721fbe4fd3c2435baefb669a1ae
Instruction Fuzzy Hash: 8011E176904219BFC701DBF8EC08ADB7BBCEB49320F154269F925D3250D675994587A0

Function 00A58202 Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00A5821E
GetLastError.KERNEL32(?,00A57CE2,?,?,?), ref: 00A58228
GetProcessHeap.KERNEL32(00000008,?,?,00A57CE2,?,?,?), ref: 00A58237
HeapAlloc.KERNEL32(00000000,?,00A57CE2,?,?,?), ref: 00A5823E
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00A58255

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: b479acc5c917bd0ceb5d72de34f5659c2ca68e2e8cc54ed277363025659be4ce
Instruction ID: da9494c4749468b7e7f3d631e9f0768ac430a09f186ae282d0cd595964281ebd
Opcode Fuzzy Hash: b479acc5c917bd0ceb5d72de34f5659c2ca68e2e8cc54ed277363025659be4ce
Instruction Fuzzy Hash: B3016971200205BFDB208FA6DC88DAB7FACFF9A755B500539FD19D2220DA318C15CB60

Function 00A5710A Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00A57044,80070057,?,?,?,00A57455), ref: 00A57127
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00A57044,80070057,?,?), ref: 00A57142
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00A57044,80070057,?,?), ref: 00A57150
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00A57044,80070057,?), ref: 00A57160
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00A57044,80070057,?,?), ref: 00A5716C

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 0a9d04bd6fd3881ff1ea5fad0b8ae6aed91f159562c347c7f1b2d2350e434df8
Instruction ID: e3ffca702dd4ce8941377672b948d7e6e737d1573275cf02652a997b4ba8b247
Opcode Fuzzy Hash: 0a9d04bd6fd3881ff1ea5fad0b8ae6aed91f159562c347c7f1b2d2350e434df8
Instruction Fuzzy Hash: 15017C72601615AFDB118FA5EC44AAE7BADFB44792F140264FD04E2220DB31DD459BA0

Function 00A65244 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00A65260
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00A6526E
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00A65276
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00A65280
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00A652BC

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 00e1349f4fc7423cea064b8fed53ffaad1f94e2f57bc6e1bfefa9a02dd3e77cd
Instruction ID: dce39dcb1719cb5c6bec7afb4cbf43a357891639f92c5a558fe52642c9eee99a
Opcode Fuzzy Hash: 00e1349f4fc7423cea064b8fed53ffaad1f94e2f57bc6e1bfefa9a02dd3e77cd
Instruction Fuzzy Hash: D2011771D01A2ADBCF00EFF5EC999EDBB78BB09711F400556EA45F2144CB30555187A1

Function 00A5810A Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00A58121
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00A5812B
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00A5813A
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00A58141
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00A58157

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 6825ef2b602889a8a413cff3e153a5ca0f6866c7a8950bed2cf6696c50a69436
Instruction ID: 5ebb55a90ed506c2e0d515cec28856c746ea9e8805c7306b4d55db756ce60595
Opcode Fuzzy Hash: 6825ef2b602889a8a413cff3e153a5ca0f6866c7a8950bed2cf6696c50a69436
Instruction Fuzzy Hash: A4F0AF70200305AFEB114FA5EC88E673BACFF49755B100125FA45D6150DA749806DB60

Function 00A5C1E3 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00A5C1F7
GetWindowTextW.USER32(00000000,?,00000100), ref: 00A5C20E
MessageBeep.USER32(00000000), ref: 00A5C226
KillTimer.USER32(?,0000040A), ref: 00A5C242
EndDialog.USER32(?,00000001), ref: 00A5C25C

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 50e83ce93fdb6e551406b08965a220655ed1bbc17845406a789e7d29f253b1c0
Instruction ID: de9a592cacd203a6b8a248f97a9955018f6afd9bcc83d03bb18efb0e55e11133
Opcode Fuzzy Hash: 50e83ce93fdb6e551406b08965a220655ed1bbc17845406a789e7d29f253b1c0
Instruction Fuzzy Hash: 9B018B305047059FEB20AB94ED4EFDA7778FF10716F000669F982E14E1EBF469999B50

Function 00A013B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00A013BF
StrokeAndFillPath.GDI32(?,?,00A3B888,00000000,?), ref: 00A013DB
SelectObject.GDI32(?,00000000), ref: 00A013EE
DeleteObject.GDI32 ref: 00A01401
StrokePath.GDI32(?), ref: 00A0141C

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 1113c180c58fa5aadfd1f4e9b32426a3bcc437f0ccf96436764346b854d1e9bd
Instruction ID: 9669070f01f1de14e1ccc340d186be380cd1393c3e79cb89371e093cafc9ddfa
Opcode Fuzzy Hash: 1113c180c58fa5aadfd1f4e9b32426a3bcc437f0ccf96436764346b854d1e9bd
Instruction Fuzzy Hash: 97F0C434404A09EFDB11DFA6EC4CB983FB5AB11326F198224F429890F1DB3599A6EF51

Function 00A6C397 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00A6C432
CoCreateInstance.OLE32(00A92D6C,00000000,00000001,00A92BDC,?), ref: 00A6C44A

Part of subcall function 00A07DE1: _memmove.LIBCMT ref: 00A07E22

CoUninitialize.OLE32 ref: 00A6C6B7

Strings

.lnk, xrefs: 00A6C3C6, 00A6C3EE, 00A6C3F8

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: 2a412e1c4f638533ffc3f127efb23ad723a0ee26c1b2cf1eb42b3e3633eaa2d5
Instruction ID: d45959cf00f4800df79274e6039a2c7fb9b281cbf6ce32e24f2b3808849ca47b
Opcode Fuzzy Hash: 2a412e1c4f638533ffc3f127efb23ad723a0ee26c1b2cf1eb42b3e3633eaa2d5
Instruction Fuzzy Hash: CFA14BB1104209AFD700EF64D991EAFB7E8FF89354F00491DF59587192EB71EA09CB52

Function 00A12CFB Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00A20DB6: std::exception::exception.LIBCMT ref: 00A20DEC
Part of subcall function 00A20DB6: __CxxThrowException@8.LIBCMT ref: 00A20E01

Part of subcall function 00A07DE1: _memmove.LIBCMT ref: 00A07E22

Part of subcall function 00A07A51: _memmove.LIBCMT ref: 00A07AAB

__swprintf.LIBCMT ref: 00A12ECD

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00A12D66

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: e172c22bd96216aed5cd9952c0fb21f52d552bff386c8c426a831dd89413363e
Instruction ID: 8ca82fddb78725d265a11d0d4d4ec264d0bbdebf3c172bb53abf4cede64af280
Opcode Fuzzy Hash: e172c22bd96216aed5cd9952c0fb21f52d552bff386c8c426a831dd89413363e
Instruction Fuzzy Hash: 20917D715082159FCB14EF28EA85DAFB7B8EF85750F00491DF4859B2E2EA30ED85CB52

Function 00A6B93B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 00A04750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A04743,?,?,00A037AE,?), ref: 00A04770

CoInitialize.OLE32(00000000), ref: 00A6B9BB
CoCreateInstance.OLE32(00A92D6C,00000000,00000001,00A92BDC,?), ref: 00A6B9D4
CoUninitialize.OLE32 ref: 00A6B9F1

Part of subcall function 00A09837: __itow.LIBCMT ref: 00A09862
Part of subcall function 00A09837: __swprintf.LIBCMT ref: 00A098AC

Strings

.lnk, xrefs: 00A6B99D, 00A6B9AB

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 124e37d6c555f6a7e7512a4bf2cce3576d46b37aab9aee0aa0a449d2dec54705
Instruction ID: 058059e975f4c16c55caf750be3c0d16cce9fbaef11e6f53f09a0c8e7bee99bd
Opcode Fuzzy Hash: 124e37d6c555f6a7e7512a4bf2cce3576d46b37aab9aee0aa0a449d2dec54705
Instruction Fuzzy Hash: 1DA114756042059FCB10DF14C984D6ABBF9FF89314F148998F8999B3A2CB31ED86CB91

Function 00A2501D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00A250AD

Part of subcall function 00A300F0: __87except.LIBCMT ref: 00A3012B

Strings

pow, xrefs: 00A25085, 00A250A2

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 830650f68329af35813429cfdc09d1da17aa45cbc344d5dbea3710d6dd61a02a
Instruction ID: 7eec3f1d3c02480992e277a5f99a4600a33e089e7a576c34bcb0c0eb4ef0a06a
Opcode Fuzzy Hash: 830650f68329af35813429cfdc09d1da17aa45cbc344d5dbea3710d6dd61a02a
Instruction Fuzzy Hash: 37517D71E1C5019ADB11B77CDE21BBF2BA0BB40700F208A79F4D5862A9DE348DD4DB86

Function 00A16192 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A16248
_memmove.LIBCMT ref: 00A162E4
_memset.LIBCMT ref: 00A16308

Strings

ERCP, xrefs: 00A161B3

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: 13a702f9e96ab5d9479df803b5297bd58ef22f9f8121b9dbc4dfdc48bf747429
Instruction ID: 49afdf227f34995e5c3a0910b227cfd64615fb338f4f01cdac72758602479f79
Opcode Fuzzy Hash: 13a702f9e96ab5d9479df803b5297bd58ef22f9f8121b9dbc4dfdc48bf747429
Instruction Fuzzy Hash: 6D517071900715DBDB24CF65C981BEBB7F4AF08314F20456EE95ADB251E770AA84CB50

Function 00A87946 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00A8F910,00000000,?,?,?,?), ref: 00A879DF
GetWindowLongW.USER32 ref: 00A879FC
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00A87A0C

Strings

SysTreeView32, xrefs: 00A879B1

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: c6f4f68c247bf695b95a330276b7e3fe253b22c9a44c59202634465b9774e708
Instruction ID: b22d00911ce7abbde76b7dac63aa88bb2d7239275f3a05f2ecbcb930378d3440
Opcode Fuzzy Hash: c6f4f68c247bf695b95a330276b7e3fe253b22c9a44c59202634465b9774e708
Instruction Fuzzy Hash: FA31BE3120460AAFDB15AF78DC45BEB77A9FB09324F204725F875A32E0D731E9919B50

Function 00A873D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00A87461
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00A87475
SendMessageW.USER32(?,00001002,00000000,?), ref: 00A87499

Strings

SysMonthCal32, xrefs: 00A8742C

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 82f1b809d20dfa5afe1f58ccdf906c82e42a4140b87e6e303b595a8b5357a019
Instruction ID: d6672705d21c3b128de26b6166c86ed07c8c58c72b609708015996e256820549
Opcode Fuzzy Hash: 82f1b809d20dfa5afe1f58ccdf906c82e42a4140b87e6e303b595a8b5357a019
Instruction Fuzzy Hash: C8218D32500219ABDF15DFA4DC46FEE3B69EB48724F210214FA156B190DA75E8919BA0

Function 00A87B93 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00A87C4A
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00A87C58
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00A87C5F

Strings

msctls_updown32, xrefs: 00A87BC4

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 726fb353c656093b9164b49246bf627d2affb8b90f58f8da16f441df73d4ff1e
Instruction ID: cb3f204bb8face7a5f70120b1a59071679442ca9ea40ee33cafa549fb74e5739
Opcode Fuzzy Hash: 726fb353c656093b9164b49246bf627d2affb8b90f58f8da16f441df73d4ff1e
Instruction Fuzzy Hash: 9D219DB5604209AFDB10EF68DCC5DAB37EDEF5A354B240459FA019B3A1CB31EC518BA0

Function 00A86CB0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00A86D3B
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00A86D4B
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00A86D70

Strings

Listbox, xrefs: 00A86D08

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 9e8c74b5c4a9e14323fc0bf50d66944385267bb8b0c8ea4272ceaec4443d8e83
Instruction ID: f6cd837439c79906118f7d5228245b6169bdf4667efecea0552fe7ada85d3f37
Opcode Fuzzy Hash: 9e8c74b5c4a9e14323fc0bf50d66944385267bb8b0c8ea4272ceaec4443d8e83
Instruction Fuzzy Hash: 8821C672610118BFEF129F54DC45FFB3BBAEF89750F118128F9459B1A0C671AC5287A0

Function 00A58C4B Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 79windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00A58C6D
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00A58C84
SendMessageW.USER32(?,0000000D,?,00000000), ref: 00A58CBC

Strings

@U=u, xrefs: 00A58CBC

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 3aa1b9b7ab3e026020102893ef9e6e26c168fea77ce2b24e04f6b4b493f30cf8
Instruction ID: d31b9c4717e52625ae4e2cebaf2785287feec7723918c6e0081472699a2ef19e
Opcode Fuzzy Hash: 3aa1b9b7ab3e026020102893ef9e6e26c168fea77ce2b24e04f6b4b493f30cf8
Instruction Fuzzy Hash: E121A132601119BFDB10DBA8DC41DAFB7BDFF44350F11046AE905E3260DA75AD44CBA4

Function 00A8770E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00A87772
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00A87787
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00A87794

Strings

msctls_trackbar32, xrefs: 00A87749

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 1f303e9bd2816e892d1bad21742ee619729c507375378ad7df03f6e4d5bd9333
Instruction ID: 88f687c41208f2e86f8c6e1a06e0b7be8ecc0fd8ce788297682a3cd88a89adae
Opcode Fuzzy Hash: 1f303e9bd2816e892d1bad21742ee619729c507375378ad7df03f6e4d5bd9333
Instruction Fuzzy Hash: 74112732200208BEEF10AF60CC01FDB7768EF88B54F110528F64192090D271E851CB20

Function 00A86920 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00A869A2
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00A869B1

Strings

edit, xrefs: 00A86986
@U=u, xrefs: 00A869B1

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: @U=u$edit
API String ID: 2978978980-590756393
Opcode ID: 6aa028654736cd51b0b911abab65472fafd6705aa4e87e9e9ae3f7d8dfcfdf00
Instruction ID: 25501da5e512ba78d5c57598cbec758c2ca45cb585fc3e24357bbdf4f0ea1bb2
Opcode Fuzzy Hash: 6aa028654736cd51b0b911abab65472fafd6705aa4e87e9e9ae3f7d8dfcfdf00
Instruction Fuzzy Hash: 17116A71510209AFFB10AF649C45AEB37A9EB053B4F604724F9A5962E0C731DC9197A0

Function 00A58E05 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A07DE1: _memmove.LIBCMT ref: 00A07E22

Part of subcall function 00A5AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00A5AABC

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00A58E73

Strings

@U=u, xrefs: 00A58E73
ComboBox, xrefs: 00A58E12
ListBox, xrefs: 00A58E3D

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: @U=u$ComboBox$ListBox
API String ID: 372448540-2258501812
Opcode ID: ee10b6eea9213e320ca7ac2d37bb9b7ef8b181a7bc24e57aa0cf3d22f28c868b
Instruction ID: 41a61ef735872de2a8bce56b3e6fb462d012e296033c0a6473493068aa2322d9
Opcode Fuzzy Hash: ee10b6eea9213e320ca7ac2d37bb9b7ef8b181a7bc24e57aa0cf3d22f28c868b
Instruction Fuzzy Hash: 15019EB1A01219BBCB14EBE4DD568FE7379BF46360B540A19FC25672E2EE35980CCA50

Function 00A58CFD Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A07DE1: _memmove.LIBCMT ref: 00A07E22

Part of subcall function 00A5AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00A5AABC

SendMessageW.USER32(?,00000180,00000000,?), ref: 00A58D6B

Strings

@U=u, xrefs: 00A58D6B
ComboBox, xrefs: 00A58D0A
ListBox, xrefs: 00A58D35

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: @U=u$ComboBox$ListBox
API String ID: 372448540-2258501812
Opcode ID: f0018eb6675864ac0bc3fef05d9f4194f0fc78c8e08ada0739bf14d781a45518
Instruction ID: b39a02d2ae2e2c4106ce8a6f759d17b90eb1cf61a0ff8a8b5be8f7acf53dac39
Opcode Fuzzy Hash: f0018eb6675864ac0bc3fef05d9f4194f0fc78c8e08ada0739bf14d781a45518
Instruction Fuzzy Hash: C301BCB2B4110DABCF14EBE0DA52AFE73B8AF15381F500429B906772E2DE345A0C9661

Function 00A58D82 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A07DE1: _memmove.LIBCMT ref: 00A07E22

Part of subcall function 00A5AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00A5AABC

SendMessageW.USER32(?,00000182,?,00000000), ref: 00A58DEE

Strings

@U=u, xrefs: 00A58DEE
ComboBox, xrefs: 00A58D8F
ListBox, xrefs: 00A58DBA

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: @U=u$ComboBox$ListBox
API String ID: 372448540-2258501812
Opcode ID: fa6d776fa056bb6a533f35f4c91f2494da9f367b983be10bf8f6780d0c87727a
Instruction ID: fa02a0d70b344ae9f928df892446d59302d8aa4d0c5aa5d22707a57d1a27d53a
Opcode Fuzzy Hash: fa6d776fa056bb6a533f35f4c91f2494da9f367b983be10bf8f6780d0c87727a
Instruction Fuzzy Hash: 6901DFB2B41109BBDB10EBE4DA52AFE73ACAB11341F104425BC05732D2DA355E0CD671

Function 00A8ACCF Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,00AC57B0,00A8D809,000000FC,?,00000000,00000000,?,?,?,00A3B969,?,?,?,?,?), ref: 00A8ACD1
GetFocus.USER32 ref: 00A8ACD9

Part of subcall function 00A02612: GetWindowLongW.USER32(?,000000EB), ref: 00A02623

Part of subcall function 00A025DB: GetWindowLongW.USER32(?,000000EB), ref: 00A025EC

SendMessageW.USER32(00CADCC8,000000B0,000001BC,000001C0), ref: 00A8AD4B

Strings

@U=u, xrefs: 00A8AD4B

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: Window$Long$FocusForegroundMessageSend
String ID: @U=u
API String ID: 3601265619-2594219639
Opcode ID: f4a7da299d69ef7f64cebb29a8ddffe8ef9b4ed82e5d673d02a4aa7557b64471
Instruction ID: cc5a6e0d9c0b1e31783d2944763e9fead001a842573ffedad33a26f979c6b39b
Opcode Fuzzy Hash: f4a7da299d69ef7f64cebb29a8ddffe8ef9b4ed82e5d673d02a4aa7557b64471
Instruction Fuzzy Hash: 6A014031601A009FD724EB38D898B6677E6EB99325B190279F815C72B1DB31AC468B51

Function 00A16063 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A1603A: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00A16051

SendMessageW.USER32(?,0000000C,00000000,?), ref: 00A1607F
GetParent.USER32(?), ref: 00A50D46
InvalidateRect.USER32(00000000,?,00A13A4F,?,00000000,00000001), ref: 00A50D4D

Strings

@U=u, xrefs: 00A1607F

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: MessageSend$InvalidateParentRectTimeout
String ID: @U=u
API String ID: 3648793173-2594219639
Opcode ID: 36a132031ac0b7afb31f7b0e1837770d436efe6487f664fada6d8ced133b3b6d
Instruction ID: 343d6677a88e38b519b205dc69ef6219c883f4841bcfdef4c971560596c0701d
Opcode Fuzzy Hash: 36a132031ac0b7afb31f7b0e1837770d436efe6487f664fada6d8ced133b3b6d
Instruction Fuzzy Hash: 5DF0A031100240FFEF205FA0DC09FD57B6AAB09340F208438F944DA0A0D6B36CD1AB50

Function 00A04C36 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00A04B83,?), ref: 00A04C44
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00A04C56

Strings

Wow64RevertWow64FsRedirection, xrefs: 00A04C50
kernel32.dll, xrefs: 00A04C3F

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 197e5fe0021adaddeebfcd13f1629d43ab2012cfe88d94503207309f6332ffc0
Instruction ID: e0401dccc69bf2374fd96492dd009b673cf1fb376c0679291aeee6ffad9e14b7
Opcode Fuzzy Hash: 197e5fe0021adaddeebfcd13f1629d43ab2012cfe88d94503207309f6332ffc0
Instruction Fuzzy Hash: 05D01770A10713DFEB209F71E90C64A76E8BF09752B118D3E9696D61A4E670D8C0CB60

Function 00A04C03 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00A04BD0,?,00A04DEF,?,00AC52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00A04C11
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00A04C23

Strings

Wow64DisableWow64FsRedirection, xrefs: 00A04C1D
kernel32.dll, xrefs: 00A04C0C

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: f778917e07bed1f48dc4a89df4eed007aeefa961feb4951780077b395e5c27c4
Instruction ID: 758b2130a83520a6ef08c498e4adb6f61bfb0facf16438a30fdc03798058ff53
Opcode Fuzzy Hash: f778917e07bed1f48dc4a89df4eed007aeefa961feb4951780077b395e5c27c4
Instruction Fuzzy Hash: DCD01270511713DFD720AFB1D90C64AB6D5FF09752B118D3A9585D6190E6B0D481C750

Function 00A80DE7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00A81039), ref: 00A80DF5
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00A80E07

Strings

RegDeleteKeyExW, xrefs: 00A80E01
advapi32.dll, xrefs: 00A80DF0

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 40da59849d664b6edee2d04a7ae890cbf4cf937f63311b9c6ef475ca8f3f50f1
Instruction ID: b167636545faf98667191b756b1a973574bfd95d5cf626a760530fe2608befd5
Opcode Fuzzy Hash: 40da59849d664b6edee2d04a7ae890cbf4cf937f63311b9c6ef475ca8f3f50f1
Instruction Fuzzy Hash: C9D0C730540323DFC320AFB0C808AC372E8BF14342F008D3E96C2C2150E6B4D894CB00

Function 00A790E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00A78CF4,?,00A8F910), ref: 00A790EE
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00A79100

Strings

kernel32.dll, xrefs: 00A790E9
GetModuleHandleExW, xrefs: 00A790FA

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 72bcade08ac583412b7949a88d20d211d90ff48b2c2b3d01c681c1569b77857a
Instruction ID: bc7208f6688ddea49442e40fcbe593756d80fc0d3319dda353bb1d81d33ebb0c
Opcode Fuzzy Hash: 72bcade08ac583412b7949a88d20d211d90ff48b2c2b3d01c681c1569b77857a
Instruction Fuzzy Hash: A6D0C730650313DFCB20DF78CC0C20372E8AF00351F02CD3A948AC2190EA70C890CB90

Function 00A41714 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00A41718
__swprintf.LIBCMT ref: 00A41749

Strings

%.3d, xrefs: 00A41723
WIN_XPe, xrefs: 00A41788

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: dedd3989be68014ac663f9e3cd1014e49fd5e16fde1cbcae7b61c65f0492ff34
Instruction ID: cd68aa0867e3be1fbd2d6f3a613f672f82560898d7eb72819c7ec7cee6ff874e
Opcode Fuzzy Hash: dedd3989be68014ac663f9e3cd1014e49fd5e16fde1cbcae7b61c65f0492ff34
Instruction Fuzzy Hash: BAD0177A844119FBCB509B90A9888FA73BCAB49311F200562B512A2080E22A9BD4EE21

Function 00A5717D Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 757235ea6afed1163ba2442d5a259462144ee4e212bbabbe65e896cce98375a7
Instruction ID: e9574d85ec20079508a4896fc9303d3daa02d0e80fa0d24f5aa7b916135b36db
Opcode Fuzzy Hash: 757235ea6afed1163ba2442d5a259462144ee4e212bbabbe65e896cce98375a7
Instruction Fuzzy Hash: 1FC16C74A04216EFCB14CFA8D884EAEBBB9FF48715B148598EC05EB251D730ED85DB90

Function 00A7E02A Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00A7E0BE
CharLowerBuffW.USER32(?,?), ref: 00A7E101

Part of subcall function 00A7D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00A7D7C5

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00A7E301
_memmove.LIBCMT ref: 00A7E314

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: 7c613074c0f0da749f663c4c4996fec0e004ca18a72d31d5a690c9ea39775e15
Instruction ID: 49c32cda29aa25a35e63950410687172ef6d814332720b50099b188884f9df65
Opcode Fuzzy Hash: 7c613074c0f0da749f663c4c4996fec0e004ca18a72d31d5a690c9ea39775e15
Instruction Fuzzy Hash: 6BC13971A083119FC714DF28C88196ABBE4FF89714F14C96EF8999B352D731E946CB81

Function 00A78093 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00A780C3
CoUninitialize.OLE32 ref: 00A780CE

Part of subcall function 00A5D56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00A5D5D4

VariantInit.OLEAUT32(?), ref: 00A780D9
VariantClear.OLEAUT32(?), ref: 00A783AA

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 0185a156c656b77ce2d7a35dd6ec0e38c6a0ae994ad5a01464c43b52a648ac6d
Instruction ID: 148e8eaff0094ee1fe365450295212b4124e717cf208c5b4df8c876bf147858b
Opcode Fuzzy Hash: 0185a156c656b77ce2d7a35dd6ec0e38c6a0ae994ad5a01464c43b52a648ac6d
Instruction Fuzzy Hash: 9EA168756047059FDB00DF68C985B2AB7E4BF89364F04C459F99A9B3A2CB34ED05CB82

Function 00A57530 Relevance: 6.2, APIs: 4, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00A92C7C,?), ref: 00A576EA
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00A92C7C,?), ref: 00A57702
CLSIDFromProgID.OLE32(?,?,00000000,00A8FB80,000000FF,?,00000000,00000800,00000000,?,00A92C7C,?), ref: 00A57727
_memcmp.LIBCMT ref: 00A57748

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 233b3fa859969fe8a2c9e1714d3a9bf4b0f648756fd0a1fec6adc8a8c2fd2f92
Instruction ID: fe89bb252b126623a2a02c44d8555deeef10de33527995d039c0c2d8f7055b9f
Opcode Fuzzy Hash: 233b3fa859969fe8a2c9e1714d3a9bf4b0f648756fd0a1fec6adc8a8c2fd2f92
Instruction Fuzzy Hash: 5981EC75A00109EFCB04DFA4D984EEEB7B9FF89315F204558E905BB250DB71AE4ACB60

Function 00A5687D Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00A5688E
SysAllocString.OLEAUT32(00000000), ref: 00A56937
VariantCopy.OLEAUT32 ref: 00A56966
VariantClear.OLEAUT32(?), ref: 00A5698D

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: df68e56d9c94f1940db758b5d252df9ca8b508d7e20d0d72b5b0ecedc75eddf6
Instruction ID: 3abf11e5ccdbc5a5aeca43ee88e6d3f968abc5e6e11bdf4056c716e9533c6b36
Opcode Fuzzy Hash: df68e56d9c94f1940db758b5d252df9ca8b508d7e20d0d72b5b0ecedc75eddf6
Instruction Fuzzy Hash: 3451D3747003029EDF24EF65D891A3AB3F5BF55351FA0C81FEA96EB292DA30D8488700

Function 00A769AA Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00A769D1
WSAGetLastError.WSOCK32(00000000), ref: 00A769E1

Part of subcall function 00A09837: __itow.LIBCMT ref: 00A09862
Part of subcall function 00A09837: __swprintf.LIBCMT ref: 00A098AC

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00A76A45
WSAGetLastError.WSOCK32(00000000), ref: 00A76A51

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: 6fb648d72485d0c0d068b814c7860845c73804ec65d52da0bc7b6af6698eccdb
Instruction ID: 6bf510029c50fc6744475c47273e2a84114064971070bdf04a400d9dea835f97
Opcode Fuzzy Hash: 6fb648d72485d0c0d068b814c7860845c73804ec65d52da0bc7b6af6698eccdb
Instruction Fuzzy Hash: BF41CE75740604AFEB60AF64DD86F2A77A8AB04B50F04C158FA59AB3C3DA749D018B91

Function 00A7641A Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00A8F910), ref: 00A764A7
_strlen.LIBCMT ref: 00A764D9

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 347841042dd7a46ff7507b8ead4682c798d7d5ebb27772abe68661ea721d5c43
Instruction ID: 41af8bf3d8cf935c20dec7537c8938ebb8f319422c14a02a588cd29c9c5a4f6c
Opcode Fuzzy Hash: 347841042dd7a46ff7507b8ead4682c798d7d5ebb27772abe68661ea721d5c43
Instruction Fuzzy Hash: 8D41A431A00508AFCB14EBA8ED95FAEB7B9AF44310F14C165F919972D3EB30AD05DB50

Function 00A6B7F4 Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00A6B89E
GetLastError.KERNEL32(?,00000000), ref: 00A6B8C4
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00A6B8E9
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00A6B915

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 314fa3ddc33e6d2510efed375ef8e1b2dcbc0d13df37a7f52391ac690690ca7e
Instruction ID: 98c3ae2ec2e4f79e75712af40081312d312aafeae6e48cedee5f4eeb6f0eec19
Opcode Fuzzy Hash: 314fa3ddc33e6d2510efed375ef8e1b2dcbc0d13df37a7f52391ac690690ca7e
Instruction Fuzzy Hash: 7F410639600615DFCB11EF15D584A5ABBF5AF4A310F09C098EC4AAB3A2CB30FD45CB91

Function 00A8AB37 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00A8AB60
GetWindowRect.USER32(?,?), ref: 00A8ABD6
PtInRect.USER32(?,?,00A8C014), ref: 00A8ABE6
MessageBeep.USER32(00000000), ref: 00A8AC57

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 24269df187db69464ff87500fbc197243e8901d29be12f2cdd73536850164042
Instruction ID: 1224d350ba499886ea59d9eea2278c7f27639e22cf2e0c6f8575eccf11a76dcf
Opcode Fuzzy Hash: 24269df187db69464ff87500fbc197243e8901d29be12f2cdd73536850164042
Instruction Fuzzy Hash: B8419170A00519DFEB11EF98C884F597BF5FF59310F1481AAE415DB260D730E842DB92

Function 00A60AD6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00A60B27
SetKeyboardState.USER32(00000080,?,00000001), ref: 00A60B43
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00A60BA9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00A60BFB

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: b724a7a8f0c0f7482e17175a09b4a4dd885497cd6ef8745900734b71593a2eb8
Instruction ID: 523c7641bb10dabbc615805f38a01290cb98bceb25719f39e3f6c046498a3216
Opcode Fuzzy Hash: b724a7a8f0c0f7482e17175a09b4a4dd885497cd6ef8745900734b71593a2eb8
Instruction Fuzzy Hash: D9314470A40208AEFF358B69CC05FFBBBB9EB45319F08826AE491921D1C3B58DC59761

Function 00A60C11 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,753DC0D0,?,00008000), ref: 00A60C66
SetKeyboardState.USER32(00000080,?,00008000), ref: 00A60C82
PostMessageW.USER32(00000000,00000101,00000000), ref: 00A60CE1
SendInput.USER32(00000001,?,0000001C,753DC0D0,?,00008000), ref: 00A60D33

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 25abce6b9e5dfdd7e0dd52d9879a9e7da8fe52582e6d4481614dd8ca0abdf66c
Instruction ID: dbcf501f7a05ecda9347531a183f83f6a73363cfb5a96acc90b5e1d6e6924e1e
Opcode Fuzzy Hash: 25abce6b9e5dfdd7e0dd52d9879a9e7da8fe52582e6d4481614dd8ca0abdf66c
Instruction Fuzzy Hash: BC312430940618AEFF348B65C814FFFBBB6EB45320F08432AE495921D1C37999D5C7A1

Function 00A361C5 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00A361FB
__isleadbyte_l.LIBCMT ref: 00A36229
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00A36257
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00A3628D

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 562c6faf274dd79e06fc582f960e64c4c07e6eb239efc9889edf8615f6ebea60
Instruction ID: 45ea5eb904206159614eadc9787132bf7ff6612fd4cf3a2af3f51f083a2e910f
Opcode Fuzzy Hash: 562c6faf274dd79e06fc582f960e64c4c07e6eb239efc9889edf8615f6ebea60
Instruction Fuzzy Hash: 1931B031A04256BFDF218FA5CC48BAB7BB9FF42310F168129F864971A1DB31D960DB90

Function 00A84EEE Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00A84F02

Part of subcall function 00A63641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00A6365B
Part of subcall function 00A63641: GetCurrentThreadId.KERNEL32 ref: 00A63662
Part of subcall function 00A63641: AttachThreadInput.USER32(00000000,?,00A65005), ref: 00A63669

GetCaretPos.USER32(?), ref: 00A84F13
ClientToScreen.USER32(00000000,?), ref: 00A84F4E
GetForegroundWindow.USER32 ref: 00A84F54

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 92eb8ad285d32cefbdcb67447952b116c96aa8db41cbd9ab53f9d247d3c81302
Instruction ID: 21d165cbc3daad396eebe7acce911d30d355f74e0ad08ea513fbddeea559e60a
Opcode Fuzzy Hash: 92eb8ad285d32cefbdcb67447952b116c96aa8db41cbd9ab53f9d247d3c81302
Instruction Fuzzy Hash: F4311072D00108AFDB00EFB5D9859EFB7F9EF98300F10806AE555E7242EA759E05CBA1

Function 00A8C498 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A02612: GetWindowLongW.USER32(?,000000EB), ref: 00A02623

GetCursorPos.USER32(?), ref: 00A8C4D2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00A3B9AB,?,?,?,?,?), ref: 00A8C4E7
GetCursorPos.USER32(?), ref: 00A8C534
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00A3B9AB,?,?,?), ref: 00A8C56E

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: f5e4ea05beef4e84bce50b74cd5cb815c5eda721b5052b5d796c93e688706bb8
Instruction ID: b635cd267a61de0a1a9731d72dfdb43030d8bda25a9545e1d4de7d3dc723d3f4
Opcode Fuzzy Hash: f5e4ea05beef4e84bce50b74cd5cb815c5eda721b5052b5d796c93e688706bb8
Instruction Fuzzy Hash: 18319135600058EFCF29DF98CC58EEA7BB5EB09320F444169F9058B261C732AD91DFA4

Function 00A58656 Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00A5810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00A58121
Part of subcall function 00A5810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00A5812B
Part of subcall function 00A5810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00A5813A
Part of subcall function 00A5810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00A58141
Part of subcall function 00A5810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00A58157

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00A586A3
_memcmp.LIBCMT ref: 00A586C6
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A586FC
HeapFree.KERNEL32(00000000), ref: 00A58703

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 9d43f12d025324f6059fe3bc7ae803d7336054802c0063d8a7701b4633082b77
Instruction ID: d4246035edb0e1ddcedd38672bdeb19433411098fc4e80b55f62d5474c98bc96
Opcode Fuzzy Hash: 9d43f12d025324f6059fe3bc7ae803d7336054802c0063d8a7701b4633082b77
Instruction Fuzzy Hash: B4217C71E41109EFDB10DFA4C989BEEB7B8FF44306F154059E844AB240DB34AE09CB50

Function 00A2098C Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 00A209AE

Part of subcall function 00A05A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00A67896,?,?,00000000), ref: 00A05A2C
Part of subcall function 00A05A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00A67896,?,?,00000000,?,?), ref: 00A05A50

_fprintf.LIBCMT ref: 00A209E5
OutputDebugStringW.KERNEL32(?), ref: 00A55DBB

Part of subcall function 00A24AAA: _flsall.LIBCMT ref: 00A24AC3

__setmode.LIBCMT ref: 00A20A1A

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: f1298b74c0fc578c2cd4385cf1176e036471a7155768b9acaeeeec32b3387e15
Instruction ID: 35943fef931035d30666250b1ff445a49324333d13ca09770d8e258f32c3d9c4
Opcode Fuzzy Hash: f1298b74c0fc578c2cd4385cf1176e036471a7155768b9acaeeeec32b3387e15
Instruction Fuzzy Hash: 5C112472A042187FDB04B7B8BC4ADBEB7BCAF49360F644165F105561C3EE20584687A1

Function 00A71767 Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00A717A3

Part of subcall function 00A7182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00A7184C
Part of subcall function 00A7182D: InternetCloseHandle.WININET(00000000), ref: 00A718E9

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: a5345e86887104664e507dcb8a4bd2c78fbb012c756d9dd094e968e8cb427fcf
Instruction ID: 0c1de1a63afd35505993145ab00d241a487678934d7a223dd078cfaa1f5a2143
Opcode Fuzzy Hash: a5345e86887104664e507dcb8a4bd2c78fbb012c756d9dd094e968e8cb427fcf
Instruction Fuzzy Hash: 8821A432200605BFEB169F64DC01FBABBE9FF48710F10C02AF91996550D771D811ABA5

Function 00A63A2A Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00A8FAC0), ref: 00A63A64
GetLastError.KERNEL32 ref: 00A63A73
CreateDirectoryW.KERNEL32(?,00000000), ref: 00A63A82
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00A8FAC0), ref: 00A63ADF

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 1e85c4fbca3b5236421e0165640067b642807309ed86507e5b0d84f6d855ff2f
Instruction ID: 1af1695ed73c15066fadcd386caae6f54e69dbd415bdfd6c06d86c949217ec05
Opcode Fuzzy Hash: 1e85c4fbca3b5236421e0165640067b642807309ed86507e5b0d84f6d855ff2f
Instruction Fuzzy Hash: 182182355082059FCB00EF64D9818AEB7F4AE653A4F144A1DF499C72E1D7319E47DB42

Function 00A350E2 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00A35101

Part of subcall function 00A2571C: __FF_MSGBANNER.LIBCMT ref: 00A25733
Part of subcall function 00A2571C: __NMSG_WRITE.LIBCMT ref: 00A2573A
Part of subcall function 00A2571C: RtlAllocateHeap.NTDLL(00C90000,00000000,00000001,00000000,?,?,?,00A20DD3,?), ref: 00A2575F

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: c4c8f7cbdbabf6ff409fb9d1008689e2fd5be621b77f0e75499c953fb81631e4
Instruction ID: 5c25ae002a3c5b039b914cff853acefa276408bfbeddad76525bba1a31b7fcdc
Opcode Fuzzy Hash: c4c8f7cbdbabf6ff409fb9d1008689e2fd5be621b77f0e75499c953fb81631e4
Instruction Fuzzy Hash: AB11C272D01A26AFCF317FBCFD45B5E3BA8AF153A1F104A3AF9049A150DE3489419790

Function 00A76369 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00A05A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00A67896,?,?,00000000), ref: 00A05A2C
Part of subcall function 00A05A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00A67896,?,?,00000000,?,?), ref: 00A05A50

gethostbyname.WSOCK32(?,?,?), ref: 00A76399
WSAGetLastError.WSOCK32(00000000), ref: 00A763A4
_memmove.LIBCMT ref: 00A763D1
inet_ntoa.WSOCK32(?), ref: 00A763DC

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: 4dcb520420791d9418600615299368aca95519d4558fcab41e0e4eb9ff92eb3f
Instruction ID: f90eea7cf97152c9c0fd818b5de2d411e0e5b6a281154b7221ddf789f4ec6271
Opcode Fuzzy Hash: 4dcb520420791d9418600615299368aca95519d4558fcab41e0e4eb9ff92eb3f
Instruction Fuzzy Hash: 0B113371900109AFCF04FFA4EE46DEF77B8AF04310B548065F505A71A2DB309E15DB61

Function 00A58B41 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00A58B61
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00A58B73
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00A58B89
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00A58BA4

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: c5f8119faa3060b4d29bdfb483d72743a086d8643eb896ef7be995e2ed17acc9
Instruction ID: 88f21628569fde54a3c7d8e7d3952bd730b57adba808bd70fc3eff92f1cb6fff
Opcode Fuzzy Hash: c5f8119faa3060b4d29bdfb483d72743a086d8643eb896ef7be995e2ed17acc9
Instruction Fuzzy Hash: 45115A79900218FFEB10DFA5CC84FADBBB8FB48710F2141A5EA00B7290DA716E11DB94

Function 00A01290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00A02612: GetWindowLongW.USER32(?,000000EB), ref: 00A02623

DefDlgProcW.USER32(?,00000020,?), ref: 00A012D8
GetClientRect.USER32(?,?), ref: 00A3B5FB
GetCursorPos.USER32(?), ref: 00A3B605
ScreenToClient.USER32(?,?), ref: 00A3B610

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 3a1026a2fb0cc778ad6c7a3cee28a7018eed3d26a0eeed78b79a111fdfb91b5d
Instruction ID: 63350f6a8a424afdf0078566a6f91cf1303963f55853fb82219fb0a97764ba7a
Opcode Fuzzy Hash: 3a1026a2fb0cc778ad6c7a3cee28a7018eed3d26a0eeed78b79a111fdfb91b5d
Instruction Fuzzy Hash: 78113D3590011DEFCB04DFA4E989DEE77B8EB09300F500466F901E7180D730BA529BA5

Function 00A61142 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00A5FCED,?,00A60D40,?,00008000), ref: 00A6115F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,00A5FCED,?,00A60D40,?,00008000), ref: 00A61184
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00A5FCED,?,00A60D40,?,00008000), ref: 00A6118E
Sleep.KERNEL32(?,?,?,?,?,?,?,00A5FCED,?,00A60D40,?,00008000), ref: 00A611C1

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: e058c730d5d01adf200447953cab09b629045a86171b70dbb300a434985435ef
Instruction ID: f5ebdad6d5157469fe328d28a93ce225c73459c18b215b2d2da4d950d9622c74
Opcode Fuzzy Hash: e058c730d5d01adf200447953cab09b629045a86171b70dbb300a434985435ef
Instruction Fuzzy Hash: 65111831D0062DDBCF00DFE5D948AEEBFB8FB0A711F04465AEA45B2240CA749591CB95

Function 00A5D831 Relevance: 6.0, APIs: 4, Instructions: 50registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 00A5D84D
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00A5D864
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00A5D879
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00A5D897

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 4176139eaafaff9a053f9fc6ed1531c4bde79a94040101adda6beb45b91c41fe
Instruction ID: 10df62a28f614b2fdadf8812328f259c52064c104a0c2aa22a69b9b3933162eb
Opcode Fuzzy Hash: 4176139eaafaff9a053f9fc6ed1531c4bde79a94040101adda6beb45b91c41fe
Instruction Fuzzy Hash: 13116175605305EFE330CF90EC08F93BBBCFB00B01F10856AAA16DA051D7B0E5499BA1

Function 00A36FB7 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00A36FDB

Part of subcall function 00A376C2: __fltout2.LIBCMT ref: 00A376EB

__cftog_l.LIBCMT ref: 00A37001
__cftoe_l.LIBCMT ref: 00A37033

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 66641cdf2bb7be8f676e5274c5845f51c02317959ad6c7990907acbd4b4e7a3c
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: DD014CB244814ABBCF2A5F88DC42CEE3F62BB19350F588415FE1958031D736CAB1BB81

Function 00A8B2C5 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00A8B2E4
ScreenToClient.USER32(?,?), ref: 00A8B2FC
ScreenToClient.USER32(?,?), ref: 00A8B320
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00A8B33B

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 16cc49551ee02f343ed6562e15e8c2dcd11da1b6306a3fb9792dcf8fdce3da13
Instruction ID: 595add61a0b9fad9cbe3bd66f6c83f31ffdf1db5eb6847baaef45e3fa7ddde35
Opcode Fuzzy Hash: 16cc49551ee02f343ed6562e15e8c2dcd11da1b6306a3fb9792dcf8fdce3da13
Instruction Fuzzy Hash: 9D114775D0024AEFDB41DF99C4449EEBBF5FF18310F104166E914E3620D735AA558F50

Function 00A8B635 Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A8B644
_memset.LIBCMT ref: 00A8B653
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00AC6F20,00AC6F64), ref: 00A8B682
CloseHandle.KERNEL32 ref: 00A8B694

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: d157eef3c86527abc2c33c65e30bae3e1af311f5346c7be9031ace365fcafc90
Instruction ID: 2fa24a5c31be7f675073dd09fc522840420e71864ec564a0bd3591d6737c6198
Opcode Fuzzy Hash: d157eef3c86527abc2c33c65e30bae3e1af311f5346c7be9031ace365fcafc90
Instruction Fuzzy Hash: EBF05EB25403107EF610E7A5BC06FBB3A9CEB08395F014038FA08E9192D7758C0187E8

Function 00A66BDA Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00A66BE6

Part of subcall function 00A676C4: _memset.LIBCMT ref: 00A676F9

_memmove.LIBCMT ref: 00A66C09
_memset.LIBCMT ref: 00A66C16
LeaveCriticalSection.KERNEL32(?), ref: 00A66C26

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: b5258232c598ea5586e35717d8cfb5158b28a009245fe4c64c62435d2b2139b0
Instruction ID: dc0e7de1c02a61a65dd9e647cf504ceca7cb8ce177a9b4e8ef5453dc7d60cf92
Opcode Fuzzy Hash: b5258232c598ea5586e35717d8cfb5158b28a009245fe4c64c62435d2b2139b0
Instruction Fuzzy Hash: CBF05E3A200110BFCF01AF95EC85E8ABB29EF45320F088061FE085E227D735E811CBB4

Function 00A02218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00A02231
SetTextColor.GDI32(?,000000FF), ref: 00A0223B
SetBkMode.GDI32(?,00000001), ref: 00A02250
GetStockObject.GDI32(00000005), ref: 00A02258
GetWindowDC.USER32(?,00000000), ref: 00A3BE83
GetPixel.GDI32(00000000,00000000,00000000), ref: 00A3BE90
GetPixel.GDI32(00000000,?,00000000), ref: 00A3BEA9
GetPixel.GDI32(00000000,00000000,?), ref: 00A3BEC2
GetPixel.GDI32(00000000,?,?), ref: 00A3BEE2
ReleaseDC.USER32(?,00000000), ref: 00A3BEED

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: fa9ec3f9f00f392e8b974ada6afcd4587e2d262716ce4723696c6597bd61b92b
Instruction ID: 94b811f73f8e785fefd3131e205b521a92cb998f9afa46f61efca60abde5ce0b
Opcode Fuzzy Hash: fa9ec3f9f00f392e8b974ada6afcd4587e2d262716ce4723696c6597bd61b92b
Instruction Fuzzy Hash: 1DE06D32104245EEDF219FA8FC4D7D83F11EB05332F108366FB69480E187714991DB22

Function 00A58712 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00A5871B
OpenThreadToken.ADVAPI32(00000000,?,?,?,00A582E6), ref: 00A58722
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00A582E6), ref: 00A5872F
OpenProcessToken.ADVAPI32(00000000,?,?,?,00A582E6), ref: 00A58736

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 0c43d600eff07983e52d0654779bc2e5329a5118bf740a91c33080ee3a6b7dfd
Instruction ID: 2953d37f1bbd021c7116dec258d5a598029f7b7c150cea2373dbbb2f8f2c1b13
Opcode Fuzzy Hash: 0c43d600eff07983e52d0654779bc2e5329a5118bf740a91c33080ee3a6b7dfd
Instruction Fuzzy Hash: 68E086366113129FD7209FF05D0CB963BBCEF54B92F244828BA45D9050EA388446C750

Function 00A5B2F3 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 00A5B4BE

Strings

Container, xrefs: 00A5B43B
AutoIt3GUI, xrefs: 00A5B436

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: d65b79bc3660a9ff703dfb7d1eb7173bc12df5110dee40fd88f4f1ca66b32d62
Instruction ID: ba8e9b4d56021450023ac8492a4b2be38ebae9d32ae3bc18b99836671be5e1ff
Opcode Fuzzy Hash: d65b79bc3660a9ff703dfb7d1eb7173bc12df5110dee40fd88f4f1ca66b32d62
Instruction Fuzzy Hash: 7C913970610601AFDB14DF68C884A6ABBF9FF49712F20856DED46CB691EB70E845CB60

Function 00A6AFAC Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00A1FC86: _wcscpy.LIBCMT ref: 00A1FCA9

Part of subcall function 00A09837: __itow.LIBCMT ref: 00A09862
Part of subcall function 00A09837: __swprintf.LIBCMT ref: 00A098AC

__wcsnicmp.LIBCMT ref: 00A6B02D
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00A6B0F6

Strings

LPT, xrefs: 00A6B027

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 38ed48ca69b8f2ea86f73cb31497651ab835ecb4a3e5fb107a46eac0e6856c66
Instruction ID: 474e5f6c52b5a046e0c8d5a806b4d00563c6e00e89610fd4cb3e46bc46c144d0
Opcode Fuzzy Hash: 38ed48ca69b8f2ea86f73cb31497651ab835ecb4a3e5fb107a46eac0e6856c66
Instruction Fuzzy Hash: CF619375A10219EFCB14DF94D991EAEB7B8EF09310F118169F916EB391D730AE84CB60

Function 00A12957 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00A12968
GlobalMemoryStatusEx.KERNEL32(?), ref: 00A12981

Strings

@, xrefs: 00A12975

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: f89107aa1ddffb8dfd97fb208187d1bfec2a713de8c2fa211e7aefc321a9b6f2
Instruction ID: 3ad021380d774021588f62560dc32285732319607a4f671150908d725969da90
Opcode Fuzzy Hash: f89107aa1ddffb8dfd97fb208187d1bfec2a713de8c2fa211e7aefc321a9b6f2
Instruction Fuzzy Hash: 5D5148724087489BD320EF54E986BAFBBE8FF85344F41885DF2D8411A2DB708529CB66

Function 00A69734 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00A04F0B: __fread_nolock.LIBCMT ref: 00A04F29

_wcscmp.LIBCMT ref: 00A69824
_wcscmp.LIBCMT ref: 00A69837

Strings

FILE, xrefs: 00A69770

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: fe9c5c8389f3384f1da4e3d28001ccb0f9e5473277daa7c6ad68a10762a5c1ec
Instruction ID: 249d6f3ff85bd418cb6787318a440ba13048af3533d8441d27f8b44f41df2e51
Opcode Fuzzy Hash: fe9c5c8389f3384f1da4e3d28001ccb0f9e5473277daa7c6ad68a10762a5c1ec
Instruction Fuzzy Hash: 4C41BA71A4021ABADF209BA4DD45FEF7BBDEF49710F000469FA04E71C1DA75A9048B61

Function 00A7258E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A7259E
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00A725D4

Strings

|, xrefs: 00A725A5

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 79235f6d67e47e7b2f624b4590111d73d99bf45cc6ecddbc7121b39bfe488333
Instruction ID: fd1a7cbd5238d06ff2d571b100a5a344d68be16f218b1bf15fe3feb6dc1d566a
Opcode Fuzzy Hash: 79235f6d67e47e7b2f624b4590111d73d99bf45cc6ecddbc7121b39bfe488333
Instruction Fuzzy Hash: DB313571D00119ABCF11EFA0DD85EEEBFB8FF08340F10406AF918A6162EB315916DB60

Function 00A87A71 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 00A87B61
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00A87B76

Strings

', xrefs: 00A87ACA

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: ea20fa861063b63ee892662a163ee233efcab3006dcada5389456edadb5a5841
Instruction ID: 668b69f965261ea70b531593579ddacbfdd972a3e4340449989af637c0b5f334
Opcode Fuzzy Hash: ea20fa861063b63ee892662a163ee233efcab3006dcada5389456edadb5a5841
Instruction Fuzzy Hash: B8410874A0520A9FDB14DF68C985BEEBBB5FB09340F20016AE905AB391D770A951DF90

Function 00A86A63 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00A86B17
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00A86B53

Strings

static, xrefs: 00A86AB3

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 73bfebd5089a1ef870e2f0ad25436f33fa033c6825512084de30fb5e83e68c93
Instruction ID: cd6fb4df29df882dbe5818ea53e3c37741cf5621df26f3d89747202c688c548f
Opcode Fuzzy Hash: 73bfebd5089a1ef870e2f0ad25436f33fa033c6825512084de30fb5e83e68c93
Instruction Fuzzy Hash: 5F318D71200604AEEB10AF64DC81BFB73B9FF48764F108619F9A5D7190DA30AC81C760

Function 00A5994C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 93windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 00A59965
SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00A5999F

Strings

@U=u, xrefs: 00A59965, 00A5999F

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 49ba0e2aec634d15a6b087242b2bdbc36c0a13d947ded0dd0a2685b77182740e
Instruction ID: 9a6f0fcd87361fa274f3b40adca3b723717f7078ff968d3829e6fda9beac3cf1
Opcode Fuzzy Hash: 49ba0e2aec634d15a6b087242b2bdbc36c0a13d947ded0dd0a2685b77182740e
Instruction Fuzzy Hash: 3A21C531D00209EFCF10EBA4D881DAFB779FF88751B114069FE15AB290EA716C46C760

Function 00A628A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A62911
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00A6294C

Strings

0, xrefs: 00A6290A

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 4afa86ae7583312a3a70b5a3ca6890c75d4acb644c919897a078e7a965b6520a
Instruction ID: a183fcdbadbe94154b994c9cea03b920c883ca321a09ec17e86a14ddbe81dfce
Opcode Fuzzy Hash: 4afa86ae7583312a3a70b5a3ca6890c75d4acb644c919897a078e7a965b6520a
Instruction Fuzzy Hash: 5231D632A00705AFEB25CF98DD85BEEBBF9EF85350F180029E985A71A1DB709944CB51

Function 00A739E9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00A73A66

Part of subcall function 00A07DE1: _memmove.LIBCMT ref: 00A07E22

Strings

, $, xrefs: 00A73AA6
AUTOITCALLVARIABLE%d, xrefs: 00A73A58

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 3506404897-2584243854
Opcode ID: e15ea30c36f0dee5dfc7974857a1de45d9a01a2bc78409d3f92d7a1171b73185
Instruction ID: ca4ad246f4b6be41f4d19365d2399217cf1fa9465ec19b6b82649063114d2005
Opcode Fuzzy Hash: e15ea30c36f0dee5dfc7974857a1de45d9a01a2bc78409d3f92d7a1171b73185
Instruction Fuzzy Hash: 0721BD71A0021DAECF10EF68DD82AAE77B9BF44340F408454E849AB182DB35EA45DBA5

Function 00A5A9B1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A1603A: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00A16051

SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00A5AA10
_strlen.LIBCMT ref: 00A5AA1B

Strings

@U=u, xrefs: 00A5AA10

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: MessageSend$Timeout_strlen
String ID: @U=u
API String ID: 2777139624-2594219639
Opcode ID: 4ea6234fc37c533b665bd55ed9637c42599d9978372bdec2c07f26c567dae9ca
Instruction ID: e931549a03ebdf25db712f6f55ab7a09283fcb05684046bcd77b490ddb115635
Opcode Fuzzy Hash: 4ea6234fc37c533b665bd55ed9637c42599d9978372bdec2c07f26c567dae9ca
Instruction Fuzzy Hash: D31105327001056ADF14AF78EE829BE7BA9AF69381F00013DFE0ACB193DD349949C661

Function 00A86865 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 76windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A655FD: GetLocalTime.KERNEL32 ref: 00A6560A
Part of subcall function 00A655FD: _wcsncpy.LIBCMT ref: 00A6563F
Part of subcall function 00A655FD: _wcsncpy.LIBCMT ref: 00A65671
Part of subcall function 00A655FD: _wcsncpy.LIBCMT ref: 00A656A4
Part of subcall function 00A655FD: _wcsncpy.LIBCMT ref: 00A656E6

SendMessageW.USER32(?,00001002,00000000,?), ref: 00A868FF

Strings

@U=u, xrefs: 00A868FF
SysDateTimePick32, xrefs: 00A868BD

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: _wcsncpy$LocalMessageSendTime
String ID: @U=u$SysDateTimePick32
API String ID: 2466184910-2530228043
Opcode ID: ee6fbaef54215fe867c50372522c57f3b6e3f547adcba57b454ba111ad56680f
Instruction ID: 4a77be90265546018c120fb929dc76af9cae000b0dae5c285d905590003be294
Opcode Fuzzy Hash: ee6fbaef54215fe867c50372522c57f3b6e3f547adcba57b454ba111ad56680f
Instruction Fuzzy Hash: 462129717402096FFF21AF64DC82FEF73AAEB44750F200519F994AB1D0D6B1AC918760

Function 00A59225 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 74windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00A5923E

Part of subcall function 00A613DE: GetWindowThreadProcessId.USER32(?,?), ref: 00A61409
Part of subcall function 00A613DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00A5925A,00000034,?,?,00001004,00000000,00000000), ref: 00A61419
Part of subcall function 00A613DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00A5925A,00000034,?,?,00001004,00000000,00000000), ref: 00A6142F

Part of subcall function 00A614BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00A59296,?,?,00000034,00000800,?,00000034), ref: 00A614E6

SendMessageW.USER32(?,00001073,00000000,?), ref: 00A592A5

Part of subcall function 00A61487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00A592C5,?,?,00000800,?,00001073,00000000,?,?), ref: 00A614B1

Strings

@U=u, xrefs: 00A5923E, 00A592A5

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: Process$MemoryMessageSend$AllocOpenReadThreadVirtualWindowWrite
String ID: @U=u
API String ID: 1045663743-2594219639
Opcode ID: 30a9dd04dda86fc03f5a575fac18c1e84ea2766296c3b7be4aba21f69034a8b2
Instruction ID: e856a26467bfc979cfca03bc7c3e3dbf4af7e57917d72d40298481052dd80c06
Opcode Fuzzy Hash: 30a9dd04dda86fc03f5a575fac18c1e84ea2766296c3b7be4aba21f69034a8b2
Instruction Fuzzy Hash: 3D215E71901129FBDF11DBA4DD81FDEBBB8FF09310F1001A5F948AB190EA705A84CB90

Function 00A866D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00A86761
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00A8676C

Strings

Combobox, xrefs: 00A8672E

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: c0762703e5bdb18eef489b5f07b59ca32f78e1e4212e517d9c68059818f0631b
Instruction ID: a8248ed42f4a478d2090b098717b9c9efbe4d1ed2e60dc2fddd0eda20f7ec387
Opcode Fuzzy Hash: c0762703e5bdb18eef489b5f07b59ca32f78e1e4212e517d9c68059818f0631b
Instruction Fuzzy Hash: 6511B271600208AFFF15EF54DC81EEB376AEB483A8F100129F91497290D6319C5187A0

Function 00A896F3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

@U=u, xrefs: 00A89778, 00A897A1

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID:
String ID: @U=u
API String ID: 0-2594219639
Opcode ID: 9014f1a1d2412107273687edb4616707d68684d381c68afe19712fad1561aff3
Instruction ID: c015927c6578d5fe1383265fe3f4bd9df4ef8c59a0f647f945c20ee8b2b31568
Opcode Fuzzy Hash: 9014f1a1d2412107273687edb4616707d68684d381c68afe19712fad1561aff3
Instruction Fuzzy Hash: 03218E35624208BFEB10AF68CC85FFB37E4EB09310F584165FA52DA1E0D672EA51DB60

Function 00A86C07 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00A01D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00A01D73
Part of subcall function 00A01D35: GetStockObject.GDI32(00000011), ref: 00A01D87
Part of subcall function 00A01D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00A01D91

GetWindowRect.USER32(00000000,?), ref: 00A86C71
GetSysColor.USER32(00000012), ref: 00A86C8B

Strings

static, xrefs: 00A86C4E

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: d49e20403282b1d34443305db26485b501af528fc4858aeb99c119ddac03416c
Instruction ID: e0e2856ad08c910fa6111f9d485a37c6324d37a7046a3037907795e732199a42
Opcode Fuzzy Hash: d49e20403282b1d34443305db26485b501af528fc4858aeb99c119ddac03416c
Instruction Fuzzy Hash: B02129B261020AAFDF04EFB8DC45EEA7BB8FB08315F004629F995D2250D635E861DB60

Function 00A629AF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00A62A22
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00A62A41

Strings

0, xrefs: 00A62A18

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: f2d3d50fbf387e878188c411138da56c6cbf4bfa6d727ab0f4f5a82a205cc4b6
Instruction ID: 11a4871c4d7d03695c5f7157b019baa4b3df39683f5fbfca4b44ebcab92e24f7
Opcode Fuzzy Hash: f2d3d50fbf387e878188c411138da56c6cbf4bfa6d727ab0f4f5a82a205cc4b6
Instruction Fuzzy Hash: FB11D072D01914ABDB30DFE8D844BEA77B8AB95384F054021EA95F7290D7B0AD0AC791

Function 00A721D6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00A7222C
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00A72255

Strings

<local>, xrefs: 00A7221D

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 5dfe692965c0c00b2ba1c0a797d49eafa1e3bdaf302ec0589050d6e8b00ea123
Instruction ID: 2dd48ebc2ac83bed80c1bcc66fe6e55c8d1cdee29b614aa57b50740772006ca1
Opcode Fuzzy Hash: 5dfe692965c0c00b2ba1c0a797d49eafa1e3bdaf302ec0589050d6e8b00ea123
Instruction Fuzzy Hash: F611A070541225BADB258F518C84FFBFBACFF1A751F10C22AF91986101D6709991D7F0

Function 00A884E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 00A88530

Strings

@U=u, xrefs: 00A88530, 00A8856C

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: ee718fcd89ab361dab2441cb5348e8c3410330d5834d23efef693a65a6d51a37
Instruction ID: 997ab4652fc59f6fb135128fd5b582859e7bc3aa59502bbac6703756f40ad8e0
Opcode Fuzzy Hash: ee718fcd89ab361dab2441cb5348e8c3410330d5834d23efef693a65a6d51a37
Instruction Fuzzy Hash: A321E775A0020AEFCB19EFA4D940CEA7BB5FB4C350B514158FD05A7360DB35AD61DB90

Function 00A865B6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000401,?,00000000), ref: 00A8662C

Strings

@U=u, xrefs: 00A8662C
button, xrefs: 00A86603

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: MessageSend
String ID: @U=u$button
API String ID: 3850602802-1762282863
Opcode ID: 0d1ed8e4ea054e58cf3de1e92476f3f6cf756cb8ea45a81f6aaefb04a74f5d85
Instruction ID: 5a45e3b1bd3765263359acaa9585ba0a4d6722a437283a70d6c602df0f05b1c1
Opcode Fuzzy Hash: 0d1ed8e4ea054e58cf3de1e92476f3f6cf756cb8ea45a81f6aaefb04a74f5d85
Instruction Fuzzy Hash: DE110432150209ABEF15AF60DC11FEA376AFF08314F114628FA51A7190D776ECA29B20

Function 00A8788C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000133E,00000000,?), ref: 00A878D8

Strings

@U=u, xrefs: 00A878D8

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 89d90a77dfefa12c93e75e22e093c5fd8c02b0d1a8201a270fad5b2b856cf5bc
Instruction ID: 3da5c8c4286dc34dab4c2b30b32e7b29ed2f01da31a9b6cc74b68656537ce7be
Opcode Fuzzy Hash: 89d90a77dfefa12c93e75e22e093c5fd8c02b0d1a8201a270fad5b2b856cf5bc
Instruction Fuzzy Hash: 1D11E630504744AFD720DF74C891AEBB7E9FF05310F20851DE8AA47391DB716941DB60

Function 00A594A7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A614BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00A59296,?,?,00000034,00000800,?,00000034), ref: 00A614E6

SendMessageW.USER32(?,0000102B,?,00000000), ref: 00A59509
SendMessageW.USER32(?,0000102B,?,00000000), ref: 00A5952E

Strings

@U=u, xrefs: 00A59509, 00A5952E

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: MessageSend$MemoryProcessWrite
String ID: @U=u
API String ID: 1195347164-2594219639
Opcode ID: 2fcb97e83f58f84c6fcf8ca1238e04ea353261d81ae998517828d610609ca43c
Instruction ID: 8a6d9b0c9fdbfa9bbe64b9b6f0f7a6b913a7b787a1d164930aaf53efe93b61c0
Opcode Fuzzy Hash: 2fcb97e83f58f84c6fcf8ca1238e04ea353261d81ae998517828d610609ca43c
Instruction Fuzzy Hash: B601DF71900119EBDB11AF54DC45FDABB7CEB14310F10416AF915A71D1EB705D55CB60

Function 00A595D5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000406,00000000,00000000), ref: 00A595FB
SendMessageW.USER32(?,0000040D,?,00000000), ref: 00A5962E

Part of subcall function 00A61487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00A592C5,?,?,00000800,?,00001073,00000000,?,?), ref: 00A614B1

Part of subcall function 00A07BCC: _memmove.LIBCMT ref: 00A07C06

Strings

@U=u, xrefs: 00A595FB, 00A5962E

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: MessageSend$MemoryProcessRead_memmove
String ID: @U=u
API String ID: 339422723-2594219639
Opcode ID: f5dc965249852b43190f06692e44e7770ef12f54059ec352f55ecb28eb22121b
Instruction ID: 71b37c390075322cdbd2f26eda3c52ad2667064792657aa5c1b73b74c36f20fa
Opcode Fuzzy Hash: f5dc965249852b43190f06692e44e7770ef12f54059ec352f55ecb28eb22121b
Instruction Fuzzy Hash: BE015B71900118AFDB50EE90DD81EDA7BBCFB14340F8081AABA4997150DE315E99CF90

Function 00A8C57D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00A02612: GetWindowLongW.USER32(?,000000EB), ref: 00A02623

DefDlgProcW.USER32(?,0000002B,?,?,?,?,?,?,?,00A3B93A,?,?,?), ref: 00A8C5F1

Part of subcall function 00A025DB: GetWindowLongW.USER32(?,000000EB), ref: 00A025EC

SendMessageW.USER32(?,00000401,00000000,00000000), ref: 00A8C5D7

Strings

@U=u, xrefs: 00A8C5D7

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: LongWindow$MessageProcSend
String ID: @U=u
API String ID: 982171247-2594219639
Opcode ID: fa6e514f6394d0213d04aac9c873a0d60fa9419c3c9244bb96af52581f96e839
Instruction ID: f43c904f66a61c3c158ea2daf92d04e5a8d2746b13907c25a288c922ea6f0e91
Opcode Fuzzy Hash: fa6e514f6394d0213d04aac9c873a0d60fa9419c3c9244bb96af52581f96e839
Instruction Fuzzy Hash: 2E01B531240604AFCB29AF54DC58F6A3BA6FB85774F140528F9411B2E0CB31B852EFA0

Function 00A5953C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00A5954C
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00A59564

Strings

@U=u, xrefs: 00A5954C, 00A59564

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: a0de2b13a65f4f673c449b32ef8c5f4593dd048811c8cd50c65d399d7adf322a
Instruction ID: 05decc6b6e5e4133c9d818e3a0b58594a5e6869d2586864288ae8908dc6e48f6
Opcode Fuzzy Hash: a0de2b13a65f4f673c449b32ef8c5f4593dd048811c8cd50c65d399d7adf322a
Instruction Fuzzy Hash: 2FE02B35342352F6F23117658D4AFD71F1AEB88BA2F240034FF019D0D1EAE20DAA83A0

Function 00A64F28 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00A64F46
_wcscmp.LIBCMT ref: 00A64F58

Strings

#32770, xrefs: 00A64F52

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 416245cb9016e7113ce43b19044cafcde90221dd659b23e79a7d3ac5f56bee05
Instruction ID: 2c85c0acfde7f114c8e13660c845c527844d08287d4c045a774d1d18266b44b2
Opcode Fuzzy Hash: 416245cb9016e7113ce43b19044cafcde90221dd659b23e79a7d3ac5f56bee05
Instruction Fuzzy Hash: 5CE092326002292AE720DB99AC49EA7F7ACEB55B60F11016AFD04D2051D960AA5687E0

Function 00A3B2C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00A3B314: _memset.LIBCMT ref: 00A3B321

Part of subcall function 00A20940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00A3B2F0,?,?,?,00A0100A), ref: 00A20945

IsDebuggerPresent.KERNEL32(?,?,?,00A0100A), ref: 00A3B2F4
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00A0100A), ref: 00A3B303

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00A3B2FE

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: 57299f6792795bb465aef62471023956afc0a3bf4e701e1e016479773a74482f
Instruction ID: 8871801aee77ce5e3e840ce79deb20fba43fc30e32e7a3152c071a81eb6cfc25
Opcode Fuzzy Hash: 57299f6792795bb465aef62471023956afc0a3bf4e701e1e016479773a74482f
Instruction Fuzzy Hash: 90E06D702107218FD720EF68E504782BAE4BF10304F00893CF856CB691EBB4E485CBB1

Function 00A41935 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 00A41775

Part of subcall function 00A7BFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,00A4195E,?), ref: 00A7BFFE
Part of subcall function 00A7BFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00A7C010

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00A4196D

Strings

WIN_XPe, xrefs: 00A41788

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: WIN_XPe
API String ID: 582185067-3257408948
Opcode ID: cccd2e0d490afc83aa707c750a19fc6d45384e812786a678b6931160917129c9
Instruction ID: 55c55b53489ebbb89e0554273d05a8f2f94bdd8741867a06ce4da8b4c2bc9e5f
Opcode Fuzzy Hash: cccd2e0d490afc83aa707c750a19fc6d45384e812786a678b6931160917129c9
Instruction Fuzzy Hash: D4F0E5B4800109EFDB25DBA1CA88BECBBF8BB88301F640095E112A60A0D7759F85DF64

Function 00A85998 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00A859AE
PostMessageW.USER32(00000000), ref: 00A859B5

Part of subcall function 00A65244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00A652BC

Strings

Shell_TrayWnd, xrefs: 00A859A7

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: aa2f5a990c3467d70084210286465c5951eafdb7240bb9f0fc317e53849352b1
Instruction ID: a2503d1a42e64e52a99d54249c74b66d58f9830911e1f0165182170906a288e2
Opcode Fuzzy Hash: aa2f5a990c3467d70084210286465c5951eafdb7240bb9f0fc317e53849352b1
Instruction Fuzzy Hash: D8D0C9317803127AE668BBB09C0BFD66628BB04B50F000935B246AA1D1D9E4A801C754

Function 00A85964 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00A8596E
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00A85981

Part of subcall function 00A65244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00A652BC

Strings

Shell_TrayWnd, xrefs: 00A85967

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 1b28249e23ff8ca7330d3d242435d3382df7bcc990727e3317636753b37cd817
Instruction ID: 84a7322bdec74111cf2f21ff15a9b13d5495725385c00b71a802b87c5604d2aa
Opcode Fuzzy Hash: 1b28249e23ff8ca7330d3d242435d3382df7bcc990727e3317636753b37cd817
Instruction Fuzzy Hash: 83D0C931784312BAE668BBB09C1BFD66A28BB00B50F000935B24AAA1D1D9E4A801C754

Function 00A593DD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00A593E9
SendMessageW.USER32(00000000,00001200,00000000,00000000), ref: 00A593F7

Strings

@U=u, xrefs: 00A593E9, 00A593F7

Memory Dump Source

Source File: 00000000.00000002.1459944685.0000000000A01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00A00000, based on PE: true

Associated: 00000000.00000002.1459931334.0000000000A00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000A8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460058237.0000000000AB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460224674.0000000000ABE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1460245962.0000000000AC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a00000_ewYjhndHg2.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 84775ec098c2c73426ed54a43f1c071e125b4e968b62642b5a15938afb45b248
Instruction ID: 9f53e151105bc973a8cfb2aa3b226d3df507ed2ebd6c197bd5ec534040f52d7c
Opcode Fuzzy Hash: 84775ec098c2c73426ed54a43f1c071e125b4e968b62642b5a15938afb45b248
Instruction Fuzzy Hash: 17C002311511C1BAEA215BB7AC0DD873E3DE7CAF52721026CB211950B5966500A6D624

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ewYjhndHg2.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\aut6BCF.tmp

C:\Users\user\AppData\Local\Temp\intemeration

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

Windows Analysis Report
ewYjhndHg2.exe

Function 00A03B3A Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Function 00A049A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 00A04E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Function 00A69155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 00A03015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 70
windowregistryCOMMON

Function 00A03041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 00A0708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00A03A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 00A03633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Function 00A03766 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Function 00CDD640 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 00A039D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 00CDD3F0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 151
fileCOMMON

Function 00A0407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Function 00A2541D Relevance: 7.7, APIs: 5, Instructions: 163
COMMONLIBRARYCODE

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre