Edit tour

Windows Analysis Report
3FjrbCZgDN.exe

Overview

General Information

Sample name:	3FjrbCZgDN.exe renamed because original name is a hash value
Original sample name:	4f338449a4fa2e63dbc9aac4d96e4a4d47aacc96ea5fe62ef55301a464be0dcf.exe
Analysis ID:	1588619
MD5:	52f3d27880413a677515ebf02774a004
SHA1:	24a8e07105ffdd4fac3b3218dc03ecc60cba485a
SHA256:	4f338449a4fa2e63dbc9aac4d96e4a4d47aacc96ea5fe62ef55301a464be0dcf
Tags:	exeuser-zhuzhu0009
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected AntiVM3

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Check if machine is in data center or colocation facility

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected Generic Downloader

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

May check the online IP address of the machine

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

3FjrbCZgDN.exe (PID: 7748 cmdline: "C:\Users\user\Desktop\3FjrbCZgDN.exe" MD5: 52F3D27880413A677515EBF02774A004)

RegSvcs.exe (PID: 7804 cmdline: "C:\Users\user\Desktop\3FjrbCZgDN.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "FTP", "Host": "ftp://ftp.stingatoareincendii.ro", "Username": "mojooooofileeeee@stingatoareincendii.ro", "Password": "3.*RYhlG)lkA"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.2668640843.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.2668640843.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1442261998.0000000000EB0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1442261998.0000000000EB0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000000.00000002.1442261998.0000000000EB0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1442261998.0000000000EB0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34441:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x344b3:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3453d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x345cf:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x34639:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x346ab:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34741:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x347d1:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000000.00000002.1442261998.0000000000EB0000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x315d3:$s2: GetPrivateProfileString 0x30ca1:$s3: get_OSFullName 0x322d3:$s5: remove_Key 0x324aa:$s5: remove_Key 0x333db:$s6: FtpWebRequest 0x34423:$s7: logins 0x34995:$s7: logins 0x376a6:$s7: logins 0x37758:$s7: logins 0x390ad:$s7: logins 0x382f2:$s9: 1.85 (Hash, version 2, native byte-order)
00000002.00000002.2669944721.0000000003245000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 3FjrbCZgDN.exe PID: 7748	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 3FjrbCZgDN.exe PID: 7748	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: 3FjrbCZgDN.exe PID: 7748	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 7804	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 7804	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 8 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.3FjrbCZgDN.exe.eb0000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.3FjrbCZgDN.exe.eb0000.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.3FjrbCZgDN.exe.eb0000.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x32641:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x326b3:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3273d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x327cf:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x32839:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x328ab:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x32941:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x329d1:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.3FjrbCZgDN.exe.eb0000.1.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x2f7d3:$s2: GetPrivateProfileString 0x2eea1:$s3: get_OSFullName 0x304d3:$s5: remove_Key 0x306aa:$s5: remove_Key 0x315db:$s6: FtpWebRequest 0x32623:$s7: logins 0x32b95:$s7: logins 0x358a6:$s7: logins 0x35958:$s7: logins 0x372ad:$s7: logins 0x364f2:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.3FjrbCZgDN.exe.eb0000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.3FjrbCZgDN.exe.eb0000.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.3FjrbCZgDN.exe.eb0000.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.3FjrbCZgDN.exe.eb0000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34441:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x344b3:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3453d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x345cf:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x34639:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x346ab:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34741:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x347d1:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.3FjrbCZgDN.exe.eb0000.1.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x315d3:$s2: GetPrivateProfileString 0x30ca1:$s3: get_OSFullName 0x322d3:$s5: remove_Key 0x324aa:$s5: remove_Key 0x333db:$s6: FtpWebRequest 0x34423:$s7: logins 0x34995:$s7: logins 0x376a6:$s7: logins 0x37758:$s7: logins 0x390ad:$s7: logins 0x382f2:$s9: 1.85 (Hash, version 2, native byte-order)
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34441:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x344b3:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3453d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x345cf:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x34639:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x346ab:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34741:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x347d1:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.RegSvcs.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x315d3:$s2: GetPrivateProfileString 0x30ca1:$s3: get_OSFullName 0x322d3:$s5: remove_Key 0x324aa:$s5: remove_Key 0x333db:$s6: FtpWebRequest 0x34423:$s7: logins 0x34995:$s7: logins 0x376a6:$s7: logins 0x37758:$s7: logins 0x390ad:$s7: logins 0x382f2:$s9: 1.85 (Hash, version 2, native byte-order)
Click to see the 9 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 3FjrbCZgDN.exe

Avira: detected

Found malware configuration

Source: 0.2.3FjrbCZgDN.exe.eb0000.1.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.stingatoareincendii.ro", "Username": "mojooooofileeeee@stingatoareincendii.ro", "Password": "3.*RYhlG)lkA"}

Multi AV Scanner detection for submitted file

Source: 3FjrbCZgDN.exe	Virustotal: Detection: 48%			Perma Link
Source: 3FjrbCZgDN.exe	ReversingLabs: Detection: 44%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: 3FjrbCZgDN.exe

Joe Sandbox ML: detected

Source: 3FjrbCZgDN.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: wntdll.pdbUGP source: 3FjrbCZgDN.exe, 00000000.00000003.1421857871.0000000003710000.00000004.00001000.00020000.00000000.sdmp, 3FjrbCZgDN.exe, 00000000.00000003.1425175923.00000000038B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: 3FjrbCZgDN.exe, 00000000.00000003.1421857871.0000000003710000.00000004.00001000.00020000.00000000.sdmp, 3FjrbCZgDN.exe, 00000000.00000003.1425175923.00000000038B0000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\3FjrbCZgDN.exe	Code function: 0_2_00C4C2A2 FindFirstFileExW,	0_2_00C4C2A2
Source: C:\Users\user\Desktop\3FjrbCZgDN.exe	Code function: 0_2_00C868EE FindFirstFileW,FindClose,	0_2_00C868EE
Source: C:\Users\user\Desktop\3FjrbCZgDN.exe	Code function: 0_2_00C8698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_00C8698F
Source: C:\Users\user\Desktop\3FjrbCZgDN.exe	Code function: 0_2_00C7D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00C7D076
Source: C:\Users\user\Desktop\3FjrbCZgDN.exe	Code function: 0_2_00C7D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00C7D3A9
Source: C:\Users\user\Desktop\3FjrbCZgDN.exe	Code function: 0_2_00C89642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00C89642
Source: C:\Users\user\Desktop\3FjrbCZgDN.exe	Code function: 0_2_00C8979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00C8979D
Source: C:\Users\user\Desktop\3FjrbCZgDN.exe	Code function: 0_2_00C7DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00C7DBBE
Source: C:\Users\user\Desktop\3FjrbCZgDN.exe	Code function: 0_2_00C89B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00C89B2B
Source: C:\Users\user\Desktop\3FjrbCZgDN.exe	Code function: 0_2_00C85C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00C85C97

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.3FjrbCZgDN.exe.eb0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1442261998.0000000000EB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: global traffic

TCP traffic: 192.168.2.9:63851 -> 162.159.36.2:53

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 208.95.112.1 208.95.112.1

Source: unknown

DNS query: name: ip-api.com

Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\3FjrbCZgDN.exe

Code function: 0_2_00C8CE44 InternetReadFile,SetEvent,GetLastError,SetEvent,

0_2_00C8CE44

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: 206.23.85.13.in-addr.arpa

Source: RegSvcs.exe, 00000002.00000002.2669944721.00000000032F0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2669944721.00000000032D6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2669944721.0000000003211000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: 3FjrbCZgDN.exe, 00000000.00000002.1442261998.0000000000EB0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2668640843.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2669944721.00000000032D6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2669944721.0000000003211000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: RegSvcs.exe, 00000002.00000002.2669944721.00000000032D6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2669944721.0000000003211000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 3FjrbCZgDN.exe, 00000000.00000002.1442261998.0000000000EB0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2668640843.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/

Source: C:\Users\user\Desktop\3FjrbCZgDN.exe

Code function: 0_2_00C8EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00C8EAFF

Source: C:\Users\user\Desktop\3FjrbCZgDN.exe

Code function: 0_2_00C8ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00C8ED6A

Source: C:\Users\user\Desktop\3FjrbCZgDN.exe

0_2_00C8EAFF

Source: C:\Users\user\Desktop\3FjrbCZgDN.exe

Code function: 0_2_00C7AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_00C7AA57

Source: C:\Users\user\Desktop\3FjrbCZgDN.exe

Code function: 0_2_00CA9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00CA9576

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.3FjrbCZgDN.exe.eb0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.3FjrbCZgDN.exe.eb0000.1.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.3FjrbCZgDN.exe.eb0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.3FjrbCZgDN.exe.eb0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 00000000.00000002.1442261998.0000000000EB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000000.00000002.1442261998.0000000000EB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen

Binary is likely a compiled AutoIt script file

Source: 3FjrbCZgDN.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: 3FjrbCZgDN.exe, 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_1d4a8476-c
Source: 3FjrbCZgDN.exe, 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_ddf4e9bb-e
Source: 3FjrbCZgDN.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_163a4854-8
Source: 3FjrbCZgDN.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_15bc09ee-0

Source: C:\Users\user\Desktop\3FjrbCZgDN.exe

Code function: 0_2_00C7D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00C7D5EB

Source: C:\Users\user\Desktop\3FjrbCZgDN.exe

Code function: 0_2_00C71201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00C71201

Source: C:\Users\user\Desktop\3FjrbCZgDN.exe

Code function: 0_2_00C7E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00C7E8F6

Source: C:\Users\user\Desktop\3FjrbCZgDN.exe	Code function: 0_2_00C82046	0_2_00C82046
Source: C:\Users\user\Desktop\3FjrbCZgDN.exe	Code function: 0_2_00C18060	0_2_00C18060
Source: C:\Users\user\Desktop\3FjrbCZgDN.exe	Code function: 0_2_00C78298	0_2_00C78298
Source: C:\Users\user\Desktop\3FjrbCZgDN.exe	Code function: 0_2_00C4E4FF	0_2_00C4E4FF
Source: C:\Users\user\Desktop\3FjrbCZgDN.exe	Code function: 0_2_00C4676B	0_2_00C4676B
Source: C:\Users\user\Desktop\3FjrbCZgDN.exe	Code function: 0_2_00CA4873	0_2_00CA4873
Source: C:\Users\user\Desktop\3FjrbCZgDN.exe	Code function: 0_2_00C1CAF0	0_2_00C1CAF0
Source: C:\Users\user\Desktop\3FjrbCZgDN.exe	Code function: 0_2_00C3CAA0	0_2_00C3CAA0
Source: C:\Users\user\Desktop\3FjrbCZgDN.exe	Code function: 0_2_00C2CC39	0_2_00C2CC39
Source: C:\Users\user\Desktop\3FjrbCZgDN.exe	Code function: 0_2_00C46DD9	0_2_00C46DD9
Source: C:\Users\user\Desktop\3FjrbCZgDN.exe	Code function: 0_2_00C191C0	0_2_00C191C0
Source: C:\Users\user\Desktop\3FjrbCZgDN.exe	Code function: 0_2_00C2B119	0_2_00C2B119
Source: C:\Users\user\Desktop\3FjrbCZgDN.exe	Code function: 0_2_00C31394	0_2_00C31394
Source: C:\Users\user\Desktop\3FjrbCZgDN.exe	Code function: 0_2_00C31706	0_2_00C31706
Source: C:\Users\user\Desktop\3FjrbCZgDN.exe	Code function: 0_2_00C3781B	0_2_00C3781B
Source: C:\Users\user\Desktop\3FjrbCZgDN.exe	Code function: 0_2_00C319B0	0_2_00C319B0
Source: C:\Users\user\Desktop\3FjrbCZgDN.exe	Code function: 0_2_00C2997D	0_2_00C2997D
Source: C:\Users\user\Desktop\3FjrbCZgDN.exe	Code function: 0_2_00C17920	0_2_00C17920
Source: C:\Users\user\Desktop\3FjrbCZgDN.exe	Code function: 0_2_00C37A4A	0_2_00C37A4A
Source: C:\Users\user\Desktop\3FjrbCZgDN.exe	Code function: 0_2_00C37CA7	0_2_00C37CA7
Source: C:\Users\user\Desktop\3FjrbCZgDN.exe	Code function: 0_2_00C31C77	0_2_00C31C77
Source: C:\Users\user\Desktop\3FjrbCZgDN.exe	Code function: 0_2_00C49EEE	0_2_00C49EEE
Source: C:\Users\user\Desktop\3FjrbCZgDN.exe	Code function: 0_2_00C9BE44	0_2_00C9BE44
Source: C:\Users\user\Desktop\3FjrbCZgDN.exe	Code function: 0_2_00C31F32	0_2_00C31F32
Source: C:\Users\user\Desktop\3FjrbCZgDN.exe	Code function: 0_2_012861A0	0_2_012861A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0169A620	2_2_0169A620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0169D978	2_2_0169D978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_01694A80	2_2_01694A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_01693E68	2_2_01693E68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_01699E60	2_2_01699E60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_016941B0	2_2_016941B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_069A2438	2_2_069A2438
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_069A1288	2_2_069A1288
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_069A3BD8	2_2_069A3BD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_069A34F0	2_2_069A34F0

Source: C:\Users\user\Desktop\3FjrbCZgDN.exe	Code function: String function: 00C19CB3 appears 31 times
Source: C:\Users\user\Desktop\3FjrbCZgDN.exe	Code function: String function: 00C34963 appears 31 times
Source: C:\Users\user\Desktop\3FjrbCZgDN.exe	Code function: String function: 00C30A30 appears 46 times
Source: C:\Users\user\Desktop\3FjrbCZgDN.exe	Code function: String function: 00C2F9F2 appears 40 times

Source: 3FjrbCZgDN.exe, 00000000.00000003.1428153581.0000000003833000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 3FjrbCZgDN.exe
Source: 3FjrbCZgDN.exe, 00000000.00000003.1438016654.00000000039DD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 3FjrbCZgDN.exe
Source: 3FjrbCZgDN.exe, 00000000.00000002.1442261998.0000000000EB0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamee8300309-2878-4eb6-9fa4-d88c99cb9494.exe4 vs 3FjrbCZgDN.exe

Source: 3FjrbCZgDN.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 0.2.3FjrbCZgDN.exe.eb0000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.3FjrbCZgDN.exe.eb0000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.3FjrbCZgDN.exe.eb0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.3FjrbCZgDN.exe.eb0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 00000000.00000002.1442261998.0000000000EB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000000.00000002.1442261998.0000000000EB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@2/1

Source: C:\Users\user\Desktop\3FjrbCZgDN.exe

Code function: 0_2_00C837B5 GetLastError,FormatMessageW,

0_2_00C837B5

Source: C:\Users\user\Desktop\3FjrbCZgDN.exe	Code function: 0_2_00C710BF AdjustTokenPrivileges,CloseHandle,		0_2_00C710BF
Source: C:\Users\user\Desktop\3FjrbCZgDN.exe	Code function: 0_2_00C716C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00C716C3

Source: C:\Users\user\Desktop\3FjrbCZgDN.exe

Code function: 0_2_00C851CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00C851CD

Source: C:\Users\user\Desktop\3FjrbCZgDN.exe

Code function: 0_2_00C9A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00C9A67C

Source: C:\Users\user\Desktop\3FjrbCZgDN.exe

Code function: 0_2_00C8648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_00C8648E

Source: C:\Users\user\Desktop\3FjrbCZgDN.exe

Code function: 0_2_00C142A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00C142A2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\3FjrbCZgDN.exe

File created: C:\Users\user\AppData\Local\Temp\maneuverability

Jump to behavior

Source: 3FjrbCZgDN.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\3FjrbCZgDN.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegSvcs.exe, 00000002.00000002.2669944721.000000000330D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2669944721.0000000003320000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: 3FjrbCZgDN.exe	Virustotal: Detection: 48%
Source: 3FjrbCZgDN.exe	ReversingLabs: Detection: 44%

Source: unknown	Process created: C:\Users\user\Desktop\3FjrbCZgDN.exe "C:\Users\user\Desktop\3FjrbCZgDN.exe"
Source: C:\Users\user\Desktop\3FjrbCZgDN.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\3FjrbCZgDN.exe"
Source: C:\Users\user\Desktop\3FjrbCZgDN.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\3FjrbCZgDN.exe"	Jump to behavior

Source: C:\Users\user\Desktop\3FjrbCZgDN.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\3FjrbCZgDN.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\3FjrbCZgDN.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\3FjrbCZgDN.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\3FjrbCZgDN.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\3FjrbCZgDN.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\3FjrbCZgDN.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\3FjrbCZgDN.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\3FjrbCZgDN.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\3FjrbCZgDN.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\3FjrbCZgDN.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: 3FjrbCZgDN.exe

Static file information: File size 1428992 > 1048576

Source: 3FjrbCZgDN.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 3FjrbCZgDN.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 3FjrbCZgDN.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 3FjrbCZgDN.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 3FjrbCZgDN.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 3FjrbCZgDN.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 3FjrbCZgDN.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: 3FjrbCZgDN.exe, 00000000.00000003.1421857871.0000000003710000.00000004.00001000.00020000.00000000.sdmp, 3FjrbCZgDN.exe, 00000000.00000003.1425175923.00000000038B0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: 3FjrbCZgDN.exe, 00000000.00000003.1421857871.0000000003710000.00000004.00001000.00020000.00000000.sdmp, 3FjrbCZgDN.exe, 00000000.00000003.1425175923.00000000038B0000.00000004.00001000.00020000.00000000.sdmp

Source: 3FjrbCZgDN.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 3FjrbCZgDN.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 3FjrbCZgDN.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 3FjrbCZgDN.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 3FjrbCZgDN.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\3FjrbCZgDN.exe

Code function: 0_2_00C142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00C142DE

Source: C:\Users\user\Desktop\3FjrbCZgDN.exe	Code function: 0_2_00C322CB push ds; ret	0_2_00C322E2
Source: C:\Users\user\Desktop\3FjrbCZgDN.exe	Code function: 0_2_00C30A76 push ecx; ret	0_2_00C30A89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_069ACB60 push es; ret	2_2_069ACB70

Source: C:\Users\user\Desktop\3FjrbCZgDN.exe	Code function: 0_2_00C2F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00C2F98E
Source: C:\Users\user\Desktop\3FjrbCZgDN.exe	Code function: 0_2_00CA1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00CA1C41

Source: C:\Users\user\Desktop\3FjrbCZgDN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3FjrbCZgDN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: 3FjrbCZgDN.exe PID: 7748, type: MEMORYSTR

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\3FjrbCZgDN.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-97568

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\3FjrbCZgDN.exe

API/Special instruction interceptor: Address: 1285DC4

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: 3FjrbCZgDN.exe, 00000000.00000002.1443135576.0000000001231000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FIDDLER.EXE2#~.A
Source: 3FjrbCZgDN.exe, 00000000.00000002.1442261998.0000000000EB0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2668640843.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2669944721.00000000032F0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2669944721.0000000003245000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\3FjrbCZgDN.exe

API coverage: 3.6 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\3FjrbCZgDN.exe	Code function: 0_2_00C4C2A2 FindFirstFileExW,	0_2_00C4C2A2
Source: C:\Users\user\Desktop\3FjrbCZgDN.exe	Code function: 0_2_00C868EE FindFirstFileW,FindClose,	0_2_00C868EE
Source: C:\Users\user\Desktop\3FjrbCZgDN.exe	Code function: 0_2_00C8698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_00C8698F
Source: C:\Users\user\Desktop\3FjrbCZgDN.exe	Code function: 0_2_00C7D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00C7D076
Source: C:\Users\user\Desktop\3FjrbCZgDN.exe	Code function: 0_2_00C7D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00C7D3A9
Source: C:\Users\user\Desktop\3FjrbCZgDN.exe	Code function: 0_2_00C89642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00C89642
Source: C:\Users\user\Desktop\3FjrbCZgDN.exe	Code function: 0_2_00C8979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00C8979D
Source: C:\Users\user\Desktop\3FjrbCZgDN.exe	Code function: 0_2_00C7DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00C7DBBE
Source: C:\Users\user\Desktop\3FjrbCZgDN.exe	Code function: 0_2_00C89B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00C89B2B
Source: C:\Users\user\Desktop\3FjrbCZgDN.exe	Code function: 0_2_00C85C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00C85C97

Source: C:\Users\user\Desktop\3FjrbCZgDN.exe

Code function: 0_2_00C142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00C142DE

Source: RegSvcs.exe, 00000002.00000002.2669944721.0000000003245000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: RegSvcs.exe, 00000002.00000002.2669944721.0000000003245000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: RegSvcs.exe, 00000002.00000002.2668640843.0000000000402000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: VMwareVBoxESelect * from Win32_ComputerSystem
Source: RegSvcs.exe, 00000002.00000002.2671068288.00000000064FF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 2_2_01697068 CheckRemoteDebuggerPresent,

2_2_01697068

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\3FjrbCZgDN.exe

Code function: 0_2_00C8EAA2 BlockInput,

0_2_00C8EAA2

Source: C:\Users\user\Desktop\3FjrbCZgDN.exe

Code function: 0_2_00C42622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00C42622

Source: C:\Users\user\Desktop\3FjrbCZgDN.exe

Code function: 0_2_00C142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00C142DE

Source: C:\Users\user\Desktop\3FjrbCZgDN.exe	Code function: 0_2_00C34CE8 mov eax, dword ptr fs:[00000030h]	0_2_00C34CE8
Source: C:\Users\user\Desktop\3FjrbCZgDN.exe	Code function: 0_2_01286030 mov eax, dword ptr fs:[00000030h]	0_2_01286030
Source: C:\Users\user\Desktop\3FjrbCZgDN.exe	Code function: 0_2_01286090 mov eax, dword ptr fs:[00000030h]	0_2_01286090
Source: C:\Users\user\Desktop\3FjrbCZgDN.exe	Code function: 0_2_012849C0 mov eax, dword ptr fs:[00000030h]	0_2_012849C0

Source: C:\Users\user\Desktop\3FjrbCZgDN.exe

Code function: 0_2_00C70B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00C70B62

Source: C:\Users\user\Desktop\3FjrbCZgDN.exe	Code function: 0_2_00C42622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00C42622
Source: C:\Users\user\Desktop\3FjrbCZgDN.exe	Code function: 0_2_00C3083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00C3083F
Source: C:\Users\user\Desktop\3FjrbCZgDN.exe	Code function: 0_2_00C309D5 SetUnhandledExceptionFilter,	0_2_00C309D5
Source: C:\Users\user\Desktop\3FjrbCZgDN.exe	Code function: 0_2_00C30C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00C30C21

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\3FjrbCZgDN.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\3FjrbCZgDN.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 10E9008

Jump to behavior

Source: C:\Users\user\Desktop\3FjrbCZgDN.exe

0_2_00C71201

Source: C:\Users\user\Desktop\3FjrbCZgDN.exe

Code function: 0_2_00C52BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00C52BA5

Source: C:\Users\user\Desktop\3FjrbCZgDN.exe

Code function: 0_2_00C7B226 SendInput,keybd_event,

0_2_00C7B226

Source: C:\Users\user\Desktop\3FjrbCZgDN.exe

Code function: 0_2_00C922DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_00C922DA

Source: C:\Users\user\Desktop\3FjrbCZgDN.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\3FjrbCZgDN.exe"

Jump to behavior

Source: C:\Users\user\Desktop\3FjrbCZgDN.exe

0_2_00C70B62

Source: C:\Users\user\Desktop\3FjrbCZgDN.exe

Code function: 0_2_00C71663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00C71663

Source: 3FjrbCZgDN.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: 3FjrbCZgDN.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\3FjrbCZgDN.exe

Code function: 0_2_00C30698 cpuid

0_2_00C30698

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\3FjrbCZgDN.exe

Code function: 0_2_00C88195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00C88195

Source: C:\Users\user\Desktop\3FjrbCZgDN.exe

Code function: 0_2_00C6D27A GetUserNameW,

0_2_00C6D27A

Source: C:\Users\user\Desktop\3FjrbCZgDN.exe

Code function: 0_2_00C4B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_00C4B952

Source: C:\Users\user\Desktop\3FjrbCZgDN.exe

Code function: 0_2_00C142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00C142DE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0.2.3FjrbCZgDN.exe.eb0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3FjrbCZgDN.exe.eb0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2668640843.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1442261998.0000000000EB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 3FjrbCZgDN.exe PID: 7748, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7804, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: 3FjrbCZgDN.exe	Binary or memory string: WIN_81
Source: 3FjrbCZgDN.exe	Binary or memory string: WIN_XP
Source: 3FjrbCZgDN.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: 3FjrbCZgDN.exe	Binary or memory string: WIN_XPe
Source: 3FjrbCZgDN.exe	Binary or memory string: WIN_VISTA
Source: 3FjrbCZgDN.exe	Binary or memory string: WIN_7
Source: 3FjrbCZgDN.exe	Binary or memory string: WIN_8

Source: Yara match	File source: 0.2.3FjrbCZgDN.exe.eb0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3FjrbCZgDN.exe.eb0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2668640843.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1442261998.0000000000EB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2669944721.0000000003245000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 3FjrbCZgDN.exe PID: 7748, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7804, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0.2.3FjrbCZgDN.exe.eb0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3FjrbCZgDN.exe.eb0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2668640843.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1442261998.0000000000EB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 3FjrbCZgDN.exe PID: 7748, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7804, type: MEMORYSTR

Source: C:\Users\user\Desktop\3FjrbCZgDN.exe	Code function: 0_2_00C91204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00C91204
Source: C:\Users\user\Desktop\3FjrbCZgDN.exe	Code function: 0_2_00C91806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00C91806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	221 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	138 System Information Discovery	Distributed Component Object Model	21 Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	2 Valid Accounts	LSA Secrets	741 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	32 Virtualization/Sandbox Evasion	Cached Domain Credentials	32 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Access Token Manipulation	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	212 Process Injection	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
3FjrbCZgDN.exe	49%	Virustotal		Browse
3FjrbCZgDN.exe	45%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
3FjrbCZgDN.exe	100%	Avira	DR/AutoIt.Gen8
3FjrbCZgDN.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ip-api.com	208.95.112.1	true	false		high
206.23.85.13.in-addr.arpa	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ip-api.com/line/?fields=hosting	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://account.dyn.com/	3FjrbCZgDN.exe, 00000000.00000002.1442261998.0000000000EB0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2668640843.0000000000402000.00000040.80000000.00040000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000002.00000002.2669944721.00000000032D6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2669944721.0000000003211000.00000004.00000800.00020000.00000000.sdmp	false	high
http://ip-api.com	RegSvcs.exe, 00000002.00000002.2669944721.00000000032F0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2669944721.00000000032D6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2669944721.0000000003211000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588619
Start date and time:	2025-01-11 03:15:25 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 51s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	3FjrbCZgDN.exe renamed because original name is a hash value
Original Sample Name:	4f338449a4fa2e63dbc9aac4d96e4a4d47aacc96ea5fe62ef55301a464be0dcf.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/1@2/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 42 Number of non-executed functions: 310
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 172.202.163.200, 13.85.23.206, 4.245.163.56
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtQueryValueKey calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	ewYjhndHg2.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	uEuTtkxAqq.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	0I9GLRSiy0.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	NUGMrDcg4v.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	LMxd0gpIxe.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	rComprobante_swift_8676534657698632.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	28uMwHvbTD.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	e4Iw3lwFJ5.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	uOCavrYu1y.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	XoRPyi5s1i.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ip-api.com	ewYjhndHg2.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	uEuTtkxAqq.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	0I9GLRSiy0.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	NUGMrDcg4v.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	LMxd0gpIxe.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	rComprobante_swift_8676534657698632.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	28uMwHvbTD.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	e4Iw3lwFJ5.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	uOCavrYu1y.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	XoRPyi5s1i.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TUT-ASUS	ewYjhndHg2.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	uEuTtkxAqq.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	0I9GLRSiy0.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	NUGMrDcg4v.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	LMxd0gpIxe.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	rComprobante_swift_8676534657698632.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	28uMwHvbTD.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	e4Iw3lwFJ5.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	uOCavrYu1y.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	XoRPyi5s1i.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1

Process:	C:\Users\user\Desktop\3FjrbCZgDN.exe
File Type:	data
Category:	dropped
Size (bytes):	244224
Entropy (8bit):	6.576685649726326
Encrypted:	false
SSDEEP:	3072:UQMT61uSXVJjDXOz/+Ypmvdx5/O5CBukVVxrqc+iAxtdNy2qpefvvHz9ot5pzaoG:o29x1O5eVQ//+Xcs2U5zFZaynI+S
MD5:	5D5B4F36352FEAB5297062E1782F8A25
SHA1:	8870D7FB4820750C749B84EFAA85CC84B547F13D
SHA-256:	657D0D0F6D0C2D304B1068B38F77DCD1BD5644C4B64B519548BF6F25EED991B9
SHA-512:	EA2146BE8EE79633354DD8DDC2BCFE618B84E02FB7DDE09E8A782328C2546F1622335CB230EE13EC64DE6A898540D22B9661F6B58978F91426D088B155989493
Malicious:	false
Reputation:	low
Preview:	...3UV2TBLTM..JU.CTC34TW.G3VV2TFLTMX3JUZCTC34TWZG3VV2TFLTMX3.UZCZ\.:T.S...W~.g.<$+.:'5$&"^.764)\"vP1f>!#xZ$u...c^[02tJ>\r2TFLTMXc.UZ.U@3...?G3VV2TFL.MZ2ATQCT.04T_ZG3VV2:.OTMx3JU.@TC3tTWzG3VT2TBLTMX3JU^CTC34TWZg7VV0TFLTMX1J..CTS34DWZG3FV2DFLTMX3ZUZCTC34TWZG+.U2.FLTM.0J._CTC34TWZG3VV2TFLTMX3NUVCTC34TWZG3VV2TFLTMX3JUZCTC34TWZG3VV2TFLTMX3JUZCTC34TwZG;VV2TFLTMX3J]zCT.34TWZG3VV2Th815,3JU..WC3.TWZ.0VV0TFLTMX3JUZCTC3.TW:iA%$QTFL.HX3J.YCTE34T.YG3VV2TFLTMX3J.ZC.mAQ889G3ZV2TFLPMX1JUZ.WC34TWZG3VV2TF.TM.3JUZCTC34TWZG3VVb.ELTMX3.UZCVC64..XG.cW2WFLTLX3LUZCTC34TWZG3VV2TFLTMX3JUZCTC34TWZG3VV2TFLTMX3JUZ^......d.Nh\PS.j..0..I..:.{[.O.HB....A...r/E..3.[g..._...9.E]JK.....T_&T/`!y=5.Q....wt....5Z.-..(d.:@h.d...sy....; ...."..7)!z,(C&0t.5%RF=.X.2VV2T........3;...7[InUK.....xF5....=TC3PTWZ53VVSTFL.MX3%UZC:C34WZGMVV2.FLT.X3JbZCTf34T:ZG3rV2T8LTM.NEZ..*@..WZG3Vc..v.9.....m...E.).%....0....]`.Z2.#..s..T..=..C.'Rn.kMT\GQA40W[gIx...uDHPHZ4NVV~Z...v.a..o...=...`0.&CTC34T.ZG.VV2..L.MX3.U.C..34T.G.V.2...T

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.297715556325812
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	3FjrbCZgDN.exe
File size:	1'428'992 bytes
MD5:	52f3d27880413a677515ebf02774a004
SHA1:	24a8e07105ffdd4fac3b3218dc03ecc60cba485a
SHA256:	4f338449a4fa2e63dbc9aac4d96e4a4d47aacc96ea5fe62ef55301a464be0dcf
SHA512:	d2e32db4c19e3cec29e84493f8f33a4c89b205203ada48c0228c2bcc4f11e8f75dd7b24a23e1082263d42470b36b2db2de2b1da5985981c3028cc082c428d721
SSDEEP:	24576:HqDEvCTbMWu7rQYlBQcBiT6rprG8anWRq0+Z+HBajhLwvAiETdbUpSFS:HTvC/MTQYxsWR7anWw03hajCojRb6A
TLSH:	DD65D00273D1C022FFAB92334F5AF6515ABC69260523E62F13A81D79BE701B1563E763
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67814B50 [Fri Jan 10 16:31:12 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F367CEABD73h
jmp 00007F367CEAB67Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F367CEAB85Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F367CEAB82Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F367CEAE41Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F367CEAE468h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F367CEAE451h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x863ac	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x15b000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x863ac	0x86400	dbf927b7e2b6d5e7582246ca1c9911fe	False	0.951437383612663	data	7.941253049447768	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x15b000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0x7d672	data			1.0003231772607808
RT_GROUP_ICON	0x159e2c	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x159ea4	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x159eb8	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x159ecc	0x14	data	English	Great Britain	1.25
RT_VERSION	0x159ee0	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x159fbc	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 03:16:30.275057077 CET	49707	80	192.168.2.9	208.95.112.1
Jan 11, 2025 03:16:30.280534029 CET	80	49707	208.95.112.1	192.168.2.9
Jan 11, 2025 03:16:30.281485081 CET	49707	80	192.168.2.9	208.95.112.1
Jan 11, 2025 03:16:30.281485081 CET	49707	80	192.168.2.9	208.95.112.1
Jan 11, 2025 03:16:30.286397934 CET	80	49707	208.95.112.1	192.168.2.9
Jan 11, 2025 03:16:30.801239967 CET	80	49707	208.95.112.1	192.168.2.9
Jan 11, 2025 03:16:30.846946955 CET	49707	80	192.168.2.9	208.95.112.1
Jan 11, 2025 03:16:57.011022091 CET	63851	53	192.168.2.9	162.159.36.2
Jan 11, 2025 03:16:57.015865088 CET	53	63851	162.159.36.2	192.168.2.9
Jan 11, 2025 03:16:57.015949011 CET	63851	53	192.168.2.9	162.159.36.2
Jan 11, 2025 03:16:57.020863056 CET	53	63851	162.159.36.2	192.168.2.9
Jan 11, 2025 03:16:57.479980946 CET	63851	53	192.168.2.9	162.159.36.2
Jan 11, 2025 03:16:57.485099077 CET	53	63851	162.159.36.2	192.168.2.9
Jan 11, 2025 03:16:57.485204935 CET	63851	53	192.168.2.9	162.159.36.2
Jan 11, 2025 03:17:44.459459066 CET	80	49707	208.95.112.1	192.168.2.9
Jan 11, 2025 03:17:44.459577084 CET	49707	80	192.168.2.9	208.95.112.1
Jan 11, 2025 03:18:10.824752092 CET	49707	80	192.168.2.9	208.95.112.1
Jan 11, 2025 03:18:10.829673052 CET	80	49707	208.95.112.1	192.168.2.9

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 03:16:30.260629892 CET	49329	53	192.168.2.9	1.1.1.1
Jan 11, 2025 03:16:30.267662048 CET	53	49329	1.1.1.1	192.168.2.9
Jan 11, 2025 03:16:57.010346889 CET	53	56559	162.159.36.2	192.168.2.9
Jan 11, 2025 03:16:57.497087955 CET	64983	53	192.168.2.9	1.1.1.1
Jan 11, 2025 03:16:57.504096985 CET	53	64983	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 11, 2025 03:16:30.260629892 CET	192.168.2.9	1.1.1.1	0xaed0	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Jan 11, 2025 03:16:57.497087955 CET	192.168.2.9	1.1.1.1	0xed4b	Standard query (0)	206.23.85.13.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 11, 2025 03:16:30.267662048 CET	1.1.1.1	192.168.2.9	0xaed0	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 03:16:57.504096985 CET	1.1.1.1	192.168.2.9	0xed4b	Name error (3)	206.23.85.13.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

HTTP Request Dependency Graph

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49707	208.95.112.1	80	7804	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 03:16:30.281485081 CET	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Jan 11, 2025 03:16:30.801239967 CET	175	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 02:16:30 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

Target ID:	0
Start time:	21:16:25
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\3FjrbCZgDN.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\3FjrbCZgDN.exe"
Imagebase:	0xc10000
File size:	1'428'992 bytes
MD5 hash:	52F3D27880413A677515EBF02774A004
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1442261998.0000000000EB0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000000.00000002.1442261998.0000000000EB0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1442261998.0000000000EB0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000000.00000002.1442261998.0000000000EB0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_AgentTeslaV2, Description: AgenetTesla Type 2 Keylogger payload, Source: 00000000.00000002.1442261998.0000000000EB0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	21:16:26
Start date:	10/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\3FjrbCZgDN.exe"
Imagebase:	0xf40000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2668640843.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.2668640843.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2669944721.0000000003245000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.6%
Dynamic/Decrypted Code Coverage:	2.5%
Signature Coverage:	3.3%
Total number of Nodes:	1574
Total number of Limit Nodes:	39

Executed Functions

Function 00C142DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00C1430D

Part of subcall function 00C16B57: _wcslen.LIBCMT ref: 00C16B6A

GetCurrentProcess.KERNEL32(?,00CACB64,00000000,?,?), ref: 00C14422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00C14429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00C14454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00C14466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00C14474
FreeLibrary.KERNEL32(00000000,?,?), ref: 00C1447B
GetSystemInfo.KERNEL32(?,?,?), ref: 00C144A0

Strings

|O, xrefs: 00C536F8
GetNativeSystemInfo, xrefs: 00C14460
kernel32.dll, xrefs: 00C1444F

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 9054fbac982b842a12c3b1c6c8d7eca24878a2d8242a3588b87d5245ace48925
Instruction ID: 00ec2336ef1c543ad38023a5fa6d034a1c7892a599ea07c86de51bba0ab7d87e
Opcode Fuzzy Hash: 9054fbac982b842a12c3b1c6c8d7eca24878a2d8242a3588b87d5245ace48925
Instruction Fuzzy Hash: 14A1AF7A91A2C0CFC715C76978C07DD7FE46B27740B0C4899EC919BA32D2304AA8EB35

Function 00C142A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00C150AA,?,?,00000000,00000000), ref: 00C142B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00C150AA,?,?,00000000,00000000), ref: 00C142C9
LoadResource.KERNEL32(?,00000000,?,?,00C150AA,?,?,00000000,00000000,?,?,?,?,?,?,00C14F20), ref: 00C535BE
SizeofResource.KERNEL32(?,00000000,?,?,00C150AA,?,?,00000000,00000000,?,?,?,?,?,?,00C14F20), ref: 00C535D3
LockResource.KERNEL32(00C150AA,?,?,00C150AA,?,?,00000000,00000000,?,?,?,?,?,?,00C14F20,?), ref: 00C535E6

Strings

SCRIPT, xrefs: 00C142BF

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: a81b450935b30b3287b089d41ece0d4693275a3ad6d6da2d72b8b11fd69739a2
Instruction ID: 4c0e2933427ecad6c5d3e03e0c0412d0cbe54eecea7ad962aab9cb8bd1a80479
Opcode Fuzzy Hash: a81b450935b30b3287b089d41ece0d4693275a3ad6d6da2d72b8b11fd69739a2
Instruction Fuzzy Hash: 9C118E74200701BFD7258B65DC88F6B7BBAEBC6B55F104269F412D7290DB71DD809630

Function 00C52BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00C12B6B

Part of subcall function 00C13A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00CE1418,?,00C12E7F,?,?,?,00000000), ref: 00C13A78

Part of subcall function 00C19CB3: _wcslen.LIBCMT ref: 00C19CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00CD2224), ref: 00C52C10
ShellExecuteW.SHELL32(00000000,?,?,00CD2224), ref: 00C52C17

Strings

runas, xrefs: 00C52C0B

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 48950d405b7b3023e1376b2bc9755442dd5de8137deabd7e9d9b4d95811ad59f
Instruction ID: 043c371ec30d91d6f84e777cb1e76fb961f4dc176c549995510bac20d38490db
Opcode Fuzzy Hash: 48950d405b7b3023e1376b2bc9755442dd5de8137deabd7e9d9b4d95811ad59f
Instruction Fuzzy Hash: D611D2312083819BC714FF60D8A1AFE77A49B93314F48142EB593061A2CF308ADAB752

Function 00C1D730 Relevance: 21.6, APIs: 14, Instructions: 624windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00C1D807
timeGetTime.WINMM ref: 00C1DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C1DB28
TranslateMessage.USER32(?), ref: 00C1DB7B
DispatchMessageW.USER32(?), ref: 00C1DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C1DB9F
Sleep.KERNEL32(0000000A), ref: 00C1DBB1

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 641786c97f088fe3ad17aa57bc08f3ba585ba4c79572ff839647d6ec95237052
Instruction ID: 90e365294742a14d75217ce096e4bc14b5023af810bcd387cbabac1582fb299d
Opcode Fuzzy Hash: 641786c97f088fe3ad17aa57bc08f3ba585ba4c79572ff839647d6ec95237052
Instruction Fuzzy Hash: B842D130608741EFD738CF25C894BAAB7E0BF86314F18455DE8668B291D774E984EB92

Function 00C12CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00C12D07
RegisterClassExW.USER32(00000030), ref: 00C12D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C12D42
InitCommonControlsEx.COMCTL32(?), ref: 00C12D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00C12D6F
LoadIconW.USER32(000000A9), ref: 00C12D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00C12D94

Strings

AutoIt v3 GUI, xrefs: 00C12D23
TaskbarCreated, xrefs: 00C12D37
0, xrefs: 00C12CE9
+, xrefs: 00C12CF0

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 36a716933413980eb2cb5f4cf1b4d77d3d1495a68966a44cfb71b26ed5d91faf
Instruction ID: 1c7d4c877c04d4dfb3d4564492cf2e7cd79d5ae21b4bb76a43912dfe3b0da3b6
Opcode Fuzzy Hash: 36a716933413980eb2cb5f4cf1b4d77d3d1495a68966a44cfb71b26ed5d91faf
Instruction Fuzzy Hash: CA21C0B5901258AFDB00DFA4E889BEDBBB4FB09704F04811AF911AB2A0D7B54594CFA1

Function 00C5065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00C5039A: CreateFileW.KERNELBASE(00000000,00000000,?,00C50704,?,?,00000000,?,00C50704,00000000,0000000C), ref: 00C503B7

GetLastError.KERNEL32 ref: 00C5076F
__dosmaperr.LIBCMT ref: 00C50776
GetFileType.KERNELBASE(00000000), ref: 00C50782
GetLastError.KERNEL32 ref: 00C5078C
__dosmaperr.LIBCMT ref: 00C50795
CloseHandle.KERNEL32(00000000), ref: 00C507B5
CloseHandle.KERNEL32(?), ref: 00C508FF
GetLastError.KERNEL32 ref: 00C50931
__dosmaperr.LIBCMT ref: 00C50938

Strings

H, xrefs: 00C508BD

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 35a7adf53de6d4f703e6893153b5827e42c5896310c07152b4f0b1f9018ea977
Instruction ID: 30d99db9e7d8987fb7ddf2dd052cac0213afdccb5a6eb3ea9ddab646c7530014
Opcode Fuzzy Hash: 35a7adf53de6d4f703e6893153b5827e42c5896310c07152b4f0b1f9018ea977
Instruction Fuzzy Hash: 9EA12636A101448FDF19AF68D891BAE3BA0AB06321F24015DFC21DF2E2DB319957DB95

Function 00C1344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00C13A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00CE1418,?,00C12E7F,?,?,?,00000000), ref: 00C13A78

Part of subcall function 00C13357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00C13379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00C1356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00C5318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00C531CE
RegCloseKey.ADVAPI32(?), ref: 00C53210
_wcslen.LIBCMT ref: 00C53277
_wcslen.LIBCMT ref: 00C53286

Strings

\, xrefs: 00C5328C
Software\AutoIt v3\AutoIt, xrefs: 00C13560
Include, xrefs: 00C53184, 00C531C5
\Include\, xrefs: 00C13527

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: ef5996b8c1ee8433a0304699ca1f2c52188cf6fae28fd6eae639e50c61675f86
Instruction ID: 8687072356afe90e85c7c45855d5cd7d6f0c682baf913dfb78799dff174b804e
Opcode Fuzzy Hash: ef5996b8c1ee8433a0304699ca1f2c52188cf6fae28fd6eae639e50c61675f86
Instruction Fuzzy Hash: 297148714043819AC314DF65EC82BAFBBECBB86744F40042EF555861B1EB749A89AB62

Function 00C12B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00C12B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00C12B9D
LoadIconW.USER32(00000063), ref: 00C12BB3
LoadIconW.USER32(000000A4), ref: 00C12BC5
LoadIconW.USER32(000000A2), ref: 00C12BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00C12BEF
RegisterClassExW.USER32(?), ref: 00C12C40

Part of subcall function 00C12CD4: GetSysColorBrush.USER32(0000000F), ref: 00C12D07
Part of subcall function 00C12CD4: RegisterClassExW.USER32(00000030), ref: 00C12D31
Part of subcall function 00C12CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C12D42
Part of subcall function 00C12CD4: InitCommonControlsEx.COMCTL32(?), ref: 00C12D5F
Part of subcall function 00C12CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00C12D6F
Part of subcall function 00C12CD4: LoadIconW.USER32(000000A9), ref: 00C12D85
Part of subcall function 00C12CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00C12D94

Strings

0, xrefs: 00C12C0F
#, xrefs: 00C12C16
AutoIt v3, xrefs: 00C12C2F

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 1e8d95ca539a424fa21e4a85b22152be31a50f8e700745a489dc7f95bbc2b61a
Instruction ID: 19a7c52f90b5c3769f736ce362bbd25ec9bb12484476cf9ad94fbf5ac86883ab
Opcode Fuzzy Hash: 1e8d95ca539a424fa21e4a85b22152be31a50f8e700745a489dc7f95bbc2b61a
Instruction Fuzzy Hash: 87210974E00358ABDB109FA5ECD5BAD7FB4FB49B54F08001AEA00AB6B0D7B115A0DF90

Function 00C13170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00C1316A,?,?), ref: 00C131D8
KillTimer.USER32(?,00000001,?,?,?,?,?,00C1316A,?,?), ref: 00C13204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00C13227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00C1316A,?,?), ref: 00C13232
CreatePopupMenu.USER32 ref: 00C13246
PostQuitMessage.USER32(00000000), ref: 00C13267

Strings

TaskbarCreated, xrefs: 00C1322D

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 039ac230a89d2739593066b7c360b7df18809a245513bd8cbedca2e4ded0b36c
Instruction ID: d46796c791ab758441ec2adf3e18bdbcba7e6592128a4572dddf4386568b1ef1
Opcode Fuzzy Hash: 039ac230a89d2739593066b7c360b7df18809a245513bd8cbedca2e4ded0b36c
Instruction Fuzzy Hash: 6B4104353402C4ABDF156B789D8EBFD3A59E707348F180125FD229A1A2CB718BD0B7A5

Function 01285180 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 01285251
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 01285477

Memory Dump Source

Source File: 00000000.00000002.1443208572.0000000001282000.00000040.00000020.00020000.00000000.sdmp, Offset: 01282000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1282000_3FjrbCZgDN.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: 640a513b0a1dc75cf27b9d1dcd7263df352c7e5bc7e4f1208c2f85c57f315c64
Instruction ID: 267acbfa5b226b33c9ca02efeb754d37dee88994048425023b5457e5f4b1e3f7
Opcode Fuzzy Hash: 640a513b0a1dc75cf27b9d1dcd7263df352c7e5bc7e4f1208c2f85c57f315c64
Instruction Fuzzy Hash: 50A12670E11209EBDB14DFA8C895BEEBBB5FF48305F208599E205BB2C0D7B59A41CB54

Function 00C12C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00C12C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00C12CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00C11CAD,?), ref: 00C12CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00C11CAD,?), ref: 00C12CCF

Strings

AutoIt v3, xrefs: 00C12C89, 00C12C8E, 00C12C8F
edit, xrefs: 00C12CAC

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 04508420b977fb657a491599c7604e435da302b71b7bc093500f792bc9eb9996
Instruction ID: cc0d41caf27f697318ed4449e5c5936f409a6610955256f16a3eda67aebd9d68
Opcode Fuzzy Hash: 04508420b977fb657a491599c7604e435da302b71b7bc093500f792bc9eb9996
Instruction Fuzzy Hash: 32F0DA755402D47AEB311B27AC88F7B2EBDD7C7F54B04005AFD00AB5B0C6755861DAB0

Function 01284F00 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 163
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 01284DF0: Sleep.KERNELBASE(000001F4), ref: 01284E01

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 01285073

Strings

WZG3VV2TFLTMX3JUZCTC34T, xrefs: 012850D9, 012850DC

Memory Dump Source

Source File: 00000000.00000002.1443208572.0000000001282000.00000040.00000020.00020000.00000000.sdmp, Offset: 01282000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1282000_3FjrbCZgDN.jbxd

Similarity

API ID: CreateFileSleep
String ID: WZG3VV2TFLTMX3JUZCTC34T
API String ID: 2694422964-3705083209
Opcode ID: fe5acefdd81deceae0ff3d59bf237808092159d77a92889f43bfd36c46c138aa
Instruction ID: 0abd880ffae890904f9f7feb928ff03305d1592147353ca48ea6e71c31ee75de
Opcode Fuzzy Hash: fe5acefdd81deceae0ff3d59bf237808092159d77a92889f43bfd36c46c138aa
Instruction Fuzzy Hash: 72619330D14289DBEF11DBE4C8547EEBB75AF19304F044199E248BB2C0D7BA1B49CBA6

Function 00C13B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00C13B0F,SwapMouseButtons,00000004,?), ref: 00C13B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00C13B0F,SwapMouseButtons,00000004,?), ref: 00C13B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00C13B0F,SwapMouseButtons,00000004,?), ref: 00C13B83

Strings

Control Panel\Mouse, xrefs: 00C13B3E

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 4428a9c7172f713559f41ab369e4d79d6479e0a584d309a084dbf5b453deedfe
Instruction ID: e54e318c08de62905dd884eedb3853afc9dd9e293f29e7bae4cf01f05654693b
Opcode Fuzzy Hash: 4428a9c7172f713559f41ab369e4d79d6479e0a584d309a084dbf5b453deedfe
Instruction Fuzzy Hash: C6112AB5514248FFDB208FA5DC84AEFB7B8EF06748B104459A805D7110E2319F80A760

Function 01283DF0 Relevance: 6.7, APIs: 4, Instructions: 720
processthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 0128461D
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01284641
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01284663

Memory Dump Source

Source File: 00000000.00000002.1443208572.0000000001282000.00000040.00000020.00020000.00000000.sdmp, Offset: 01282000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1282000_3FjrbCZgDN.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 932a8f43b2c324a6e880b45aa11ae59a53f266e36399e6caa3e7e9a692624255
Instruction ID: 287ca55df51c53e2a96dfea564debe8240e4d197af7a81450af38df1b128c020
Opcode Fuzzy Hash: 932a8f43b2c324a6e880b45aa11ae59a53f266e36399e6caa3e7e9a692624255
Instruction Fuzzy Hash: 83621B30A25259DBEB24DFA4C841BDEB372EF58300F1091A9D20DEB2D4E7759E81CB59

Function 00C1DFD0 Relevance: 6.7, APIs: 2, Strings: 1, Instructions: 1414COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 00C632B7

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: a07dcdec120aaad6cbcbfb530143d99f4172287ee6d1def96b2a0f81aa1dca2b
Instruction ID: 7da0abfe605f0f084025cb4b4cfe46cca7c70a30b66b9f3f026f540c2d0f9ba8
Opcode Fuzzy Hash: a07dcdec120aaad6cbcbfb530143d99f4172287ee6d1def96b2a0f81aa1dca2b
Instruction Fuzzy Hash: A0C27071A00215CFDB24CF59C880BADB7B1BF0A310F248569ED56AB391D375EE82EB51

Function 00C13923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00C533A2

Part of subcall function 00C16B57: _wcslen.LIBCMT ref: 00C16B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00C13A04

Strings

Line: , xrefs: 00C533EB

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 076dbda33cda2686c9714b602d388074aaccedd06cde734dfe7a80e26ed2f0e1
Instruction ID: 202999eec10112e3722dd0046e4c040657baebdadd9527c5fb9dc0e535ad1169
Opcode Fuzzy Hash: 076dbda33cda2686c9714b602d388074aaccedd06cde734dfe7a80e26ed2f0e1
Instruction Fuzzy Hash: D931F471408380AAC321EB20DC45BEFB7D8AF46714F04052AF9A9930A1DB709799E7C2

Function 00C2FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00C30668

Part of subcall function 00C332A4: RaiseException.KERNEL32(?,?,?,00C3068A,?,00CE1444,?,?,?,?,?,?,00C3068A,00C11129,00CD8738,00C11129), ref: 00C33304

__CxxThrowException@8.LIBVCRUNTIME ref: 00C30685

Strings

Unknown exception, xrefs: 00C30692

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 5ed8df610876abc6b0d93e91ad0d67513a478aafd682c3e32fac9d4910807970
Instruction ID: f9ad7160a77ac0d975ef6911af2f38b09e0c2e160a441f63e1f4e2a7f52f226c
Opcode Fuzzy Hash: 5ed8df610876abc6b0d93e91ad0d67513a478aafd682c3e32fac9d4910807970
Instruction Fuzzy Hash: 0EF0CD3591020DB7CB00BAA9E856C9E7B7C9E00310F704536B924D6996EF71EB6ADA90

Function 00C97F59 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 00C982F5
TerminateProcess.KERNEL32(00000000), ref: 00C982FC
FreeLibrary.KERNEL32(?,?,?,?), ref: 00C984DD

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: 2844d51f4920ed607aed11ef45dab257f9c69eea2eced156c122041d3bca2868
Instruction ID: bedad964b19eb332fd981f9b2fb6ea5268522afc49d86ba49fd41fbfa3cc9dfa
Opcode Fuzzy Hash: 2844d51f4920ed607aed11ef45dab257f9c69eea2eced156c122041d3bca2868
Instruction Fuzzy Hash: 43126C719083019FDB14DF28C494B6ABBE5FF86318F14895DE8998B352CB31E949CF92

Function 00C110F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00C11BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00C11BF4
Part of subcall function 00C11BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00C11BFC
Part of subcall function 00C11BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00C11C07
Part of subcall function 00C11BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00C11C12
Part of subcall function 00C11BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00C11C1A
Part of subcall function 00C11BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00C11C22

Part of subcall function 00C11B4A: RegisterWindowMessageW.USER32(00000004,?,00C112C4), ref: 00C11BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00C1136A
OleInitialize.OLE32 ref: 00C11388
CloseHandle.KERNEL32(00000000,00000000), ref: 00C524AB

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: ebb3d22319647d3f55b6097646ce9b5596d0c7883132a24c956bb4379d0130f0
Instruction ID: fc474dc0ef742d7fb5baeb16b23db9011aaea6c49752990738dbd2d1299ed5d2
Opcode Fuzzy Hash: ebb3d22319647d3f55b6097646ce9b5596d0c7883132a24c956bb4379d0130f0
Instruction Fuzzy Hash: 8271BEB49023C08EC794DF7AA8C579D3AE4FB8935475D812ADC1ACB3A1EB3444A1DF41

Function 00C486AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,00C485CC,?,00CD8CC8,0000000C), ref: 00C48704
GetLastError.KERNEL32(?,00C485CC,?,00CD8CC8,0000000C), ref: 00C4870E
__dosmaperr.LIBCMT ref: 00C48739

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 375b93e25a6b703c2776738894e5e3dcee0c766c239baaf777e0eb4359ef7af4
Instruction ID: b26e2f88c076a3347e4d52ad880a107502cb51cd85bd1981d4b343f0c81cb6ef
Opcode Fuzzy Hash: 375b93e25a6b703c2776738894e5e3dcee0c766c239baaf777e0eb4359ef7af4
Instruction Fuzzy Hash: 9C016D33A0566027D6A56734A885BFE77497B82B78F3A011DFC288F1E3DEB1CD859190

Function 00C21310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00C217F6

Strings

CALL, xrefs: 00C217C6

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 4c180b458e7a10cb757081434758d9eab5f01f52693864b7c50ceb80fff62840
Instruction ID: 6d7006eb2a0b5f8b9113805a3ad949e9ec53b76c2c948e55d1779e5e2f368381
Opcode Fuzzy Hash: 4c180b458e7a10cb757081434758d9eab5f01f52693864b7c50ceb80fff62840
Instruction Fuzzy Hash: 6822CB706083519FC724DF15D480B2ABBF1BF95314F28896DF89A8B7A2D731E941DB82

Function 00C12DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00C52C8C

Part of subcall function 00C13AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C13A97,?,?,00C12E7F,?,?,?,00000000), ref: 00C13AC2

Part of subcall function 00C12DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00C12DC4

Strings

X, xrefs: 00C52C5A

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: 112ee4e29090af4ae7f986d891caa523b0dfc204c57f7261f92e2a804478a6b8
Instruction ID: 7f55a86e3104a6232dceb9939514fc045fb130b1c26d3795573e90d29bace94b
Opcode Fuzzy Hash: 112ee4e29090af4ae7f986d891caa523b0dfc204c57f7261f92e2a804478a6b8
Instruction Fuzzy Hash: 6421C670A002989BDF41DF94C8457EE7BF89F4A305F00405AE505A7341DBB45689EF61

Function 00C13837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00C13908

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 4b80f5e8fb86e5ac8130dab4a8331028eeb5136f8268e6ea93ca42c4b80ac650
Instruction ID: 25d87affa4e93d937e67209b199a307d4bf01f4e4606dc42664de682d9d818f1
Opcode Fuzzy Hash: 4b80f5e8fb86e5ac8130dab4a8331028eeb5136f8268e6ea93ca42c4b80ac650
Instruction Fuzzy Hash: BE31E670504341CFE720DF24D8847DBBBE8FB4A718F04092EF99987290E771AA84DB52

Function 00C15745 Relevance: 3.1, APIs: 2, Instructions: 56fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00C1949C,?,00008000), ref: 00C15773
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,00C1949C,?,00008000), ref: 00C54052

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: e4c417faa18e41c13e0a995b479d5c743e373546151b2336eb1d6136759f57bf
Instruction ID: cb8184253ddb915a8c603706a53ca480ec5d1d2c65af3e8dd27f377aa7337b83
Opcode Fuzzy Hash: e4c417faa18e41c13e0a995b479d5c743e373546151b2336eb1d6136759f57bf
Instruction Fuzzy Hash: 86018431245225FAE7310A26CC0EF9B7F54DF42774F108200BB6C5A1E0CBB45594DBD0

Function 00C1B710 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00C1BB4E

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: 5ad0651259f64515559152c5ecd794811bf653b0955dc7fbe4e28fe424717f40
Instruction ID: 785b17ffded4520e9ad731b36da90a9a2c1db442cb009d7da7fcfe5bc8f6e441
Opcode Fuzzy Hash: 5ad0651259f64515559152c5ecd794811bf653b0955dc7fbe4e28fe424717f40
Instruction Fuzzy Hash: 9D32A174A00209DFDB24CF55C894BBEB7B9EF46304F248059E915AB2A1C774EE81EF91

Function 01283DED Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 0128461D
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01284641
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01284663

Memory Dump Source

Source File: 00000000.00000002.1443208572.0000000001282000.00000040.00000020.00020000.00000000.sdmp, Offset: 01282000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1282000_3FjrbCZgDN.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: df6a772f5278f9eae63f3a29a40672dfa4321236305f3f5d8c91d224ff423281
Instruction ID: 0f68a2aabbc2b2eb70cdbc0d6a17b6eb4f9ee0ed6f89a468e564f9922218bcd4
Opcode Fuzzy Hash: df6a772f5278f9eae63f3a29a40672dfa4321236305f3f5d8c91d224ff423281
Instruction Fuzzy Hash: 1512CD24E24658C6EB24DF64D8507DEB232EF68300F1090E9910DEB7A5E77A4F81CF5A

Function 00C9709C Relevance: 1.8, APIs: 1, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: 14d7cda738027ca1e2215e218db06d4d2d9d24bf6044e4ef80e2a17bb82ad2d5
Instruction ID: 18c81d1923b0ebf901e00f20a557f427294aa18a0981d820f7da7d80c63c0ebf
Opcode Fuzzy Hash: 14d7cda738027ca1e2215e218db06d4d2d9d24bf6044e4ef80e2a17bb82ad2d5
Instruction Fuzzy Hash: B6D17B74A05209EFCF14EF98C8859EDBBB5FF48310F244159E915AB291EB30AE81DF90

Function 00C2FC70 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00C2FD1F

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: a70bab6be3137fa4d4a32654adf87c693607bd239599d301ac18b26d8db680ce
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 7C31E374A0011D9BD728CF59E490969F7B1FB49300F2486B9E81ACBA56D731EEC2CBC0

Function 00C14ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C14E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00C14EDD,?,00CE1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C14E9C
Part of subcall function 00C14E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00C14EAE
Part of subcall function 00C14E90: FreeLibrary.KERNEL32(00000000,?,?,00C14EDD,?,00CE1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C14EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00CE1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C14EFD

Part of subcall function 00C14E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00C53CDE,?,00CE1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C14E62
Part of subcall function 00C14E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00C14E74
Part of subcall function 00C14E59: FreeLibrary.KERNEL32(00000000,?,?,00C53CDE,?,00CE1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C14E87

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 9d61baab3f7f2ed2ee4a07f0540508bd6b50f2519abf4072cc600783daa51e3f
Instruction ID: e50388d7b155e8791df8578f142b65119f68828a21222c94b3802273f8f76944
Opcode Fuzzy Hash: 9d61baab3f7f2ed2ee4a07f0540508bd6b50f2519abf4072cc600783daa51e3f
Instruction Fuzzy Hash: 0911E732610205ABCF18BBA4DC02FED77A59F82711F20842DF552AA2C1DE719A85F750

Function 00C48402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00C48440

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: ef302413b9c89b815779d694f470e37c44befb35b915755b0bfaa517f4b186e9
Instruction ID: e4ee51ea8f577b13497d7c8538df9fa178488406d564013796df84fe08c676ad
Opcode Fuzzy Hash: ef302413b9c89b815779d694f470e37c44befb35b915755b0bfaa517f4b186e9
Instruction Fuzzy Hash: E911187590420AAFCB05DF58E941A9E7BF5FF48314F144059FC18AB312DA31DA15CBA5

Function 00C3E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: e4daa1e4997b67118895c72fbf7925137d7107ec55e65598de56941f08b96584
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 6AF0F432930A18D6D6313A6A9C06B9A33A8AF62335F100719F821921D2CB70D906A7A5

Function 00C43820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00CE1444,?,00C2FDF5,?,?,00C1A976,00000010,00CE1440,00C113FC,?,00C113C6,?,00C11129), ref: 00C43852

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 85c983a9527dfcf24be8770c592331207b472f57b958d932958a64eddcbec968
Instruction ID: ced4b39648fdbfd382e93790be35a42c87ee79a31115ecf0153b88ded9b92432
Opcode Fuzzy Hash: 85c983a9527dfcf24be8770c592331207b472f57b958d932958a64eddcbec968
Instruction Fuzzy Hash: 6CE022312002A4AAE7312AB79C00B9FF749BFC27B4F090023BC24964D0DB21EF0196F0

Function 00C14F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00CE1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C14F6D

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: c80adddd118dc1b783cbf1b1b9de7da262a051322131f519673ead2c08bad2aa
Instruction ID: 804b561c50bec8bd16c1895399c12b3c0bb7412db046869cf437cc266b45d9a6
Opcode Fuzzy Hash: c80adddd118dc1b783cbf1b1b9de7da262a051322131f519673ead2c08bad2aa
Instruction Fuzzy Hash: FBF0A070105301CFCB388FA1D490896B7F0EF02319310897EE1EA87610C7319885EF00

Function 00C7CCFF Relevance: 1.5, APIs: 1, Instructions: 26fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,?,?,00000000,00000000,?,?,?,?,00C5EE51,00CD3630,00000002), ref: 00C7CD26

Part of subcall function 00C7CC37: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,00000000,?,00000000,?,?,?,00C7CD19,?,?,?), ref: 00C7CC59
Part of subcall function 00C7CC37: SetFilePointerEx.KERNEL32(?,?,00000000,00000000,00000001,?,00C7CD19,?,?,?,?,00C5EE51,00CD3630,00000002), ref: 00C7CC6E
Part of subcall function 00C7CC37: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,?,00C7CD19,?,?,?,?,00C5EE51,00CD3630,00000002), ref: 00C7CC7A

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: File$Pointer$Write
String ID:
API String ID: 3847668363-0
Opcode ID: 61a7f678a4d9c4a67563a308470f9d148c6ead40d079f1ff5bafabf222585681
Instruction ID: 93802810ae028c38e87bb0c602c140e5b7bcdeffc04a2a48982b9295950fabe6
Opcode Fuzzy Hash: 61a7f678a4d9c4a67563a308470f9d148c6ead40d079f1ff5bafabf222585681
Instruction Fuzzy Hash: 6BE06D7A500704EFC7219F8ADD418AABBF9FF85360710852FE99AC2110D7B1AA14DB60

Function 00C12DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00C12DC4

Part of subcall function 00C16B57: _wcslen.LIBCMT ref: 00C16B6A

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 0c6625b0c231b56218a6c8fd57c5693487d7bbc2f7dc14ffcd092ca3902fe1af
Instruction ID: 3d100ef68f3ca39f8b7477208162991d90742ff802e8d9be7e25d2b6853f07f5
Opcode Fuzzy Hash: 0c6625b0c231b56218a6c8fd57c5693487d7bbc2f7dc14ffcd092ca3902fe1af
Instruction Fuzzy Hash: 31E0C276A042245BCB20E6989C0AFEA77EDDFC9790F0501B1FD09E7248DA60ADC49690

Function 00C12B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00C13837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00C13908

Part of subcall function 00C1D730: GetInputState.USER32 ref: 00C1D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00C12B6B

Part of subcall function 00C130F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00C1314E

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: a4d6ed860dc547f9f9847e5e37ed2a078ae2608b47a7bcdbfe15f7eaae6ac212
Instruction ID: b3e6a785c25b9396e3a64328fdc571ab5ab12e05430ffaf90ac3e0c87b232de3
Opcode Fuzzy Hash: a4d6ed860dc547f9f9847e5e37ed2a078ae2608b47a7bcdbfe15f7eaae6ac212
Instruction Fuzzy Hash: EEE026313042C407CA04BB30A8526EDA3998BD3319F00043EF143472E2CE308AD57352

Function 00C5039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00C50704,?,?,00000000,?,00C50704,00000000,0000000C), ref: 00C503B7

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 8678e3a9d1b62abc64c9f296d45c58f3279465bd3b52d68aa2d1e5ec9849570e
Instruction ID: 3d89e53b540e66d35c750de6e90375187ba107a42f7e33baa0d810f9b2d833b0
Opcode Fuzzy Hash: 8678e3a9d1b62abc64c9f296d45c58f3279465bd3b52d68aa2d1e5ec9849570e
Instruction Fuzzy Hash: EDD06C3214010DBBDF028F84DD46EDE3BAAFB48714F014000BE1856020C736E821AB90

Function 00C11CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00C11CBC

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 3d67ceb70d14e527785581e1b9f84decc9b200862f71dfa49b701ca1146745cc
Instruction ID: c838fcc5682a6e38b41c8ac5e908f5553f484c40a0e506ed8389af4a87ac3e93
Opcode Fuzzy Hash: 3d67ceb70d14e527785581e1b9f84decc9b200862f71dfa49b701ca1146745cc
Instruction Fuzzy Hash: D6C09B352803449FF2144B80BDCAF287754A348B04F444001F6095D5F3C7B11820F650

Function 00C8744A Relevance: 1.5, APIs: 1, Instructions: 220COMMON

Download Yara Rule

APIs

Part of subcall function 00C15745: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00C1949C,?,00008000), ref: 00C15773

GetLastError.KERNEL32(00000002,00000000), ref: 00C876DE

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: CreateErrorFileLast
String ID:
API String ID: 1214770103-0
Opcode ID: 721b1d6e463e73fe3064f2d6e7721b6960dbd428a2896bcbc269a5d698102a36
Instruction ID: a170216413f0b4c7f5f8b7f2c7c23ad9d6f850d90a72f89d2890db6403472786
Opcode Fuzzy Hash: 721b1d6e463e73fe3064f2d6e7721b6960dbd428a2896bcbc269a5d698102a36
Instruction Fuzzy Hash: 118194306087019FC715EF28C491AA9B7E1BF86314F14462DF8955B3A2EB30ED85EB56

Function 01284DEC Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 01284E01

Memory Dump Source

Source File: 00000000.00000002.1443208572.0000000001282000.00000040.00000020.00020000.00000000.sdmp, Offset: 01282000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1282000_3FjrbCZgDN.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: 8b6b0afde18d9d239d721a5253e5b6ed2ea007495aeb27ef2c47b0c62d501bdf
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: 0DE0BF7498510EEFDB00EFE4D5496DE7BB4EF04302F1005A5FD05D7681DB309E648A66

Function 00C16246 Relevance: 1.3, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,00000000,00C524E0), ref: 00C16266

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: e275fbfbe8c3ca6db54fcce182c37b64520e26bbdfba5b8a4a2efa6d6b7261e1
Instruction ID: 12b02be8196bc4f9d2f97764f6eb083f42468ece802bedf7b504809432bc2f78
Opcode Fuzzy Hash: e275fbfbe8c3ca6db54fcce182c37b64520e26bbdfba5b8a4a2efa6d6b7261e1
Instruction Fuzzy Hash: C5E09275400B01DEC7314F1AE804492FBE5FFE23613204A2ED0E592660D7B05986DB50

Function 01284DF0 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 01284E01

Memory Dump Source

Source File: 00000000.00000002.1443208572.0000000001282000.00000040.00000020.00020000.00000000.sdmp, Offset: 01282000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1282000_3FjrbCZgDN.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 4782ae9e4ee336df4dffd7faccbce05870c9b0cef9f3496654ad0d198e0915d9
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 67E0E67498510EDFDB00EFF4D54969E7FB4EF04302F100165FD01D2281D6309D608A62

Non-executed Functions

Function 00CA9576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00C29BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C29BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00CA961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00CA965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00CA969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00CA96C9
SendMessageW.USER32 ref: 00CA96F2
GetKeyState.USER32(00000011), ref: 00CA978B
GetKeyState.USER32(00000009), ref: 00CA9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00CA97AE
GetKeyState.USER32(00000010), ref: 00CA97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00CA97E9
SendMessageW.USER32 ref: 00CA9810
SendMessageW.USER32(?,00001030,?,00CA7E95), ref: 00CA9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00CA992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00CA9941
SetCapture.USER32(?), ref: 00CA994A
ClientToScreen.USER32(?,?), ref: 00CA99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00CA99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00CA99D6
ReleaseCapture.USER32 ref: 00CA99E1
GetCursorPos.USER32(?), ref: 00CA9A19
ScreenToClient.USER32(?,?), ref: 00CA9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00CA9A80
SendMessageW.USER32 ref: 00CA9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00CA9AEB
SendMessageW.USER32 ref: 00CA9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00CA9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00CA9B4A
GetCursorPos.USER32(?), ref: 00CA9B68
ScreenToClient.USER32(?,?), ref: 00CA9B75
GetParent.USER32(?), ref: 00CA9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00CA9BFA
SendMessageW.USER32 ref: 00CA9C2B
ClientToScreen.USER32(?,?), ref: 00CA9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00CA9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00CA9CDE
SendMessageW.USER32 ref: 00CA9D01
ClientToScreen.USER32(?,?), ref: 00CA9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00CA9D82

Part of subcall function 00C29944: GetWindowLongW.USER32(?,000000EB), ref: 00C29952

GetWindowLongW.USER32(?,000000F0), ref: 00CA9E05

Strings

F, xrefs: 00CA9D07
@GUI_DRAGID, xrefs: 00CA997D
@U=u, xrefs: 00CA965B, 00CA96C9, 00CA96F2, 00CA97AE, 00CA97E9, 00CA9810, 00CA9918, 00CA9A80, 00CA9AAE, 00CA9AEB, 00CA9B1A, 00CA9BFA, 00CA9C2B, 00CA9CDE, 00CA9D01

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$@U=u$F
API String ID: 3429851547-1007936534
Opcode ID: f7dc11941d8284e1bffe9e5f3ec71ce59d4e1047926dafca464021488d40499b
Instruction ID: d303cc1e76eb2ab5ab980daf74531a1f711105e4c26a8a7512629bc0a1a2a662
Opcode Fuzzy Hash: f7dc11941d8284e1bffe9e5f3ec71ce59d4e1047926dafca464021488d40499b
Instruction Fuzzy Hash: 8842AE34604642AFDB24CF24CC85BAABBF5FF4A328F140619FA69872A1D731D960DF51

Function 00CA4873 Relevance: 61.8, APIs: 33, Strings: 2, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00CA48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00CA4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00CA4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00CA494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00CA495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 00CA497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 00CA49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 00CA49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00CA4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00CA4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00CA4A7E
IsMenu.USER32(?), ref: 00CA4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00CA4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00CA4B20
GetWindowLongW.USER32(?,000000F0), ref: 00CA4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00CA4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00CA4C82
wsprintfW.USER32 ref: 00CA4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00CA4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00CA4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00CA4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00CA4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00CA4D5A

Strings

@U=u, xrefs: 00CA48F3, 00CA4908, 00CA495C, 00CA4A0F, 00CA4A56, 00CA4A7E, 00CA4BE3, 00CA4C82, 00CA4CC9, 00CA4D13, 00CA4D33, 00CA4E15, 00CA4E4E, 00CA4EA5, 00CA4F10
%d/%02d/%02d, xrefs: 00CA4CA8

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d$@U=u
API String ID: 4054740463-2764005415
Opcode ID: d9de95665164ca5d8bfbd33e283e63e0d0271a35b85ead0c9dda24ac752505a1
Instruction ID: e9447693c7b19b627af0f9c804cd16e079563ffe6c411d6af2d604d0cd925304
Opcode Fuzzy Hash: d9de95665164ca5d8bfbd33e283e63e0d0271a35b85ead0c9dda24ac752505a1
Instruction Fuzzy Hash: E4121631500215AFEB298F64DC49FAE7BF8EF86318F104129F525EB1E1DBB49A41CB50

Function 00C2F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00C2F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00C6F474
IsIconic.USER32(00000000), ref: 00C6F47D
ShowWindow.USER32(00000000,00000009), ref: 00C6F48A
SetForegroundWindow.USER32(00000000), ref: 00C6F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00C6F4AA
GetCurrentThreadId.KERNEL32 ref: 00C6F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00C6F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 00C6F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 00C6F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00C6F4DE
SetForegroundWindow.USER32(00000000), ref: 00C6F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 00C6F4F6
keybd_event.USER32(00000012,00000000), ref: 00C6F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 00C6F50B
keybd_event.USER32(00000012,00000000), ref: 00C6F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 00C6F519
keybd_event.USER32(00000012,00000000), ref: 00C6F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 00C6F528
keybd_event.USER32(00000012,00000000), ref: 00C6F52D
SetForegroundWindow.USER32(00000000), ref: 00C6F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 00C6F557

Strings

Shell_TrayWnd, xrefs: 00C6F46F

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: e35c545211c605e56ddc1407cd67be39b372d3167805377b7615c36675da43b9
Instruction ID: 923f81d4c0974491dce129f99dc01ca37a52a3ed33cf28bcc7bc4a06abf24b69
Opcode Fuzzy Hash: e35c545211c605e56ddc1407cd67be39b372d3167805377b7615c36675da43b9
Instruction Fuzzy Hash: 5F313271A40218BFEB316BB55C8AFBF7E7CEB45B54F100069FA01E71D1CAB15D11AA60

Function 00C71201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00C716C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C7170D
Part of subcall function 00C716C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C7173A
Part of subcall function 00C716C3: GetLastError.KERNEL32 ref: 00C7174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00C71286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00C712A8
CloseHandle.KERNEL32(?), ref: 00C712B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00C712D1
GetProcessWindowStation.USER32 ref: 00C712EA
SetProcessWindowStation.USER32(00000000), ref: 00C712F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00C71310

Part of subcall function 00C710BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00C711FC), ref: 00C710D4
Part of subcall function 00C710BF: CloseHandle.KERNEL32(?,?,00C711FC), ref: 00C710E9

Strings

winsta0, xrefs: 00C712CC
, xrefs: 00C7125A
default, xrefs: 00C7130B

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: b6687788e433454b208950a33f05b1840faf6cb7b8d752fad29ed1b22b06bd76
Instruction ID: b830dcd230acb9578e5415b3137293b6edf47fa91ccd28ca38c50db1c3b290b1
Opcode Fuzzy Hash: b6687788e433454b208950a33f05b1840faf6cb7b8d752fad29ed1b22b06bd76
Instruction Fuzzy Hash: 5881A171900209AFDF219FA9DC49FEE7BB9EF05704F188129FD28E61A0D7348A44CB60

Function 00C70B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C710F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C71114
Part of subcall function 00C710F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00C70B9B,?,?,?), ref: 00C71120
Part of subcall function 00C710F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00C70B9B,?,?,?), ref: 00C7112F
Part of subcall function 00C710F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00C70B9B,?,?,?), ref: 00C71136
Part of subcall function 00C710F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C7114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00C70BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00C70C00
GetLengthSid.ADVAPI32(?), ref: 00C70C17
GetAce.ADVAPI32(?,00000000,?), ref: 00C70C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00C70C6D
GetLengthSid.ADVAPI32(?), ref: 00C70C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00C70C8C
HeapAlloc.KERNEL32(00000000), ref: 00C70C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00C70CB4
CopySid.ADVAPI32(00000000), ref: 00C70CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00C70CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00C70D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00C70D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C70D45
HeapFree.KERNEL32(00000000), ref: 00C70D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C70D55
HeapFree.KERNEL32(00000000), ref: 00C70D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C70D65
HeapFree.KERNEL32(00000000), ref: 00C70D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00C70D78
HeapFree.KERNEL32(00000000), ref: 00C70D7F

Part of subcall function 00C71193: GetProcessHeap.KERNEL32(00000008,00C70BB1,?,00000000,?,00C70BB1,?), ref: 00C711A1
Part of subcall function 00C71193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00C70BB1,?), ref: 00C711A8
Part of subcall function 00C71193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00C70BB1,?), ref: 00C711B7

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 32623099828cf343ad759f6529ff5581a51bbaa13d6ad15ad31d3a161c0c6b35
Instruction ID: 9b3526b69e50e148c8fc96943df08977017a289bd129e5063c991da881bc2f0f
Opcode Fuzzy Hash: 32623099828cf343ad759f6529ff5581a51bbaa13d6ad15ad31d3a161c0c6b35
Instruction Fuzzy Hash: 3F716D71A0020AEBDF10DFA5DC84FEEBBB8BF15304F148519F929A7291D771AA05CB60

Function 00C8EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00CACC08), ref: 00C8EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 00C8EB37
GetClipboardData.USER32(0000000D), ref: 00C8EB43
CloseClipboard.USER32 ref: 00C8EB4F
GlobalLock.KERNEL32(00000000), ref: 00C8EB87
CloseClipboard.USER32 ref: 00C8EB91
GlobalUnlock.KERNEL32(00000000), ref: 00C8EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 00C8EBC9
GetClipboardData.USER32(00000001), ref: 00C8EBD1
GlobalLock.KERNEL32(00000000), ref: 00C8EBE2
GlobalUnlock.KERNEL32(00000000), ref: 00C8EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 00C8EC38
GetClipboardData.USER32(0000000F), ref: 00C8EC44
GlobalLock.KERNEL32(00000000), ref: 00C8EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00C8EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00C8EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00C8ECD2
GlobalUnlock.KERNEL32(00000000), ref: 00C8ECF3
CountClipboardFormats.USER32 ref: 00C8ED14
CloseClipboard.USER32 ref: 00C8ED59

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: ab582d547fa1a0e494a7cf840864fb9bd43abfa697df63c013885e150f8d67ac
Instruction ID: b3054bbf44e5fb664a5d2af0fd31b6c5089bafd1c599c9345f04ff831cb53158
Opcode Fuzzy Hash: ab582d547fa1a0e494a7cf840864fb9bd43abfa697df63c013885e150f8d67ac
Instruction Fuzzy Hash: 8861BF342042019FD300EF24D895F7EB7E4EF86718F144519F466972A2DB31EE4ADBA6

Function 00C8698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00C869BE
FindClose.KERNEL32(00000000), ref: 00C86A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00C86A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00C86A75

Part of subcall function 00C19CB3: _wcslen.LIBCMT ref: 00C19CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00C86AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00C86ADF

Strings

%4d, xrefs: 00C86BB1
%02d, xrefs: 00C86C00, 00C86C0A, 00C86C5A, 00C86CAA, 00C86CFA, 00C86D4A
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00C86B32
%4d%02d%02d%02d%02d%02d, xrefs: 00C86B6A
%03d, xrefs: 00C86DA2

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 36488f5929d42c4ba16e75b520ea4266a0c9476be346b227772453784affd4c1
Instruction ID: c16cc7276f3858ae5a934261cd0b74fa9111227c9dea95d06642a1db20d35975
Opcode Fuzzy Hash: 36488f5929d42c4ba16e75b520ea4266a0c9476be346b227772453784affd4c1
Instruction Fuzzy Hash: 1DD15E72508300AFC314EBA4D891EAFB7ECAF89704F04492DF595C7291EB74DA45EB62

Function 00C89642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76F88FB0,?,00000000), ref: 00C89663
GetFileAttributesW.KERNEL32(?), ref: 00C896A1
SetFileAttributesW.KERNEL32(?,?), ref: 00C896BB
FindNextFileW.KERNEL32(00000000,?), ref: 00C896D3
FindClose.KERNEL32(00000000), ref: 00C896DE
FindFirstFileW.KERNEL32(*.*,?), ref: 00C896FA
SetCurrentDirectoryW.KERNEL32(?), ref: 00C8974A
SetCurrentDirectoryW.KERNEL32(00CD6B7C), ref: 00C89768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00C89772
FindClose.KERNEL32(00000000), ref: 00C8977F
FindClose.KERNEL32(00000000), ref: 00C8978F

Strings

*.*, xrefs: 00C896F5

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 2efca4a01feb5f7e0a26a879f5e22daff292350ba86c56e87fa5db827f0d1363
Instruction ID: 5864703d5ce4aeb124cca40ab01f5983de2ac4ca1127a3afc97061857f7e6aff
Opcode Fuzzy Hash: 2efca4a01feb5f7e0a26a879f5e22daff292350ba86c56e87fa5db827f0d1363
Instruction Fuzzy Hash: 4531B0325012197ADB14BFB4DC49BEE77ACDF4A328F184166F915E31A0EB34DE408B58

Function 00C8979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76F88FB0,?,00000000), ref: 00C897BE
FindNextFileW.KERNEL32(00000000,?), ref: 00C89819
FindClose.KERNEL32(00000000), ref: 00C89824
FindFirstFileW.KERNEL32(*.*,?), ref: 00C89840
SetCurrentDirectoryW.KERNEL32(?), ref: 00C89890
SetCurrentDirectoryW.KERNEL32(00CD6B7C), ref: 00C898AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 00C898B8
FindClose.KERNEL32(00000000), ref: 00C898C5
FindClose.KERNEL32(00000000), ref: 00C898D5

Part of subcall function 00C7DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00C7DB00

Strings

*.*, xrefs: 00C8983B

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 9e22c776942402643d04734d45fce189ca331edd2803b126a9885d47d9fdf7f5
Instruction ID: 9f4eaa2f47800a5430fee4fd252755d82378d8c59968c8c5712c003688f9528c
Opcode Fuzzy Hash: 9e22c776942402643d04734d45fce189ca331edd2803b126a9885d47d9fdf7f5
Instruction Fuzzy Hash: 5731923150161A7ADF14BFA4DC48BEE77ACDF06328F184166E924A31E0DB31DE44DB68

Function 00C88195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00C88257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00C88267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00C88273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00C88310
SetCurrentDirectoryW.KERNEL32(?), ref: 00C88324
SetCurrentDirectoryW.KERNEL32(?), ref: 00C88356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00C8838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00C88395

Strings

*.*, xrefs: 00C8839B

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 57004ca5c9f19fbe13cf5d8a875840798b9e97350820e2e10f749e9b1c919864
Instruction ID: 00dd1889fdd3c7ef77a8edcd24473cfd6a4942c0c2674699fc445a1bec6809a8
Opcode Fuzzy Hash: 57004ca5c9f19fbe13cf5d8a875840798b9e97350820e2e10f749e9b1c919864
Instruction Fuzzy Hash: 3C61AF725043059FCB10EF64C884AAEB3E8FF89314F44891EF999C7251EB31E949DB96

Function 00C7D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00C13AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C13A97,?,?,00C12E7F,?,?,?,00000000), ref: 00C13AC2

Part of subcall function 00C7E199: GetFileAttributesW.KERNEL32(?,00C7CF95), ref: 00C7E19A

FindFirstFileW.KERNEL32(?,?), ref: 00C7D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00C7D1DD
MoveFileW.KERNEL32(?,?), ref: 00C7D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 00C7D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 00C7D237

Part of subcall function 00C7D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00C7D21C,?,?), ref: 00C7D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 00C7D253
FindClose.KERNEL32(00000000), ref: 00C7D264

Strings

\*.*, xrefs: 00C7D0CD, 00C7D0D6, 00C7D0EB

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: d3d523f5a327b94fc5b66fd2ee058aae99d99a17ce19e3fdb91e3b7b5c422841
Instruction ID: 346603091191f4baccfbad29ac0497b520a665c36da269716e70684a4875cb74
Opcode Fuzzy Hash: d3d523f5a327b94fc5b66fd2ee058aae99d99a17ce19e3fdb91e3b7b5c422841
Instruction Fuzzy Hash: C7619F31C0114D9FCF05EBE0C992AEDB7B5AF56304F648165E41A771A2EB306F4AEB60

Function 00C8ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00C8ED91
EmptyClipboard.USER32 ref: 00C8ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 00C8EDAC
CloseClipboard.USER32 ref: 00C8EEA3

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: f5f17989e915222f1495c918e21ceef1ac91ef38faa81022fbd1d9311da75b0d
Instruction ID: ae2a4e78ac24e53f7135333d19a614ac30d6e6a7c44fcfc904dd62565cc66dd7
Opcode Fuzzy Hash: f5f17989e915222f1495c918e21ceef1ac91ef38faa81022fbd1d9311da75b0d
Instruction Fuzzy Hash: 59418B35204611AFE720EF15D888B59BBE5EF4532CF14C099F4298B7A2C735ED42CB94

Function 00C7E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00C716C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C7170D
Part of subcall function 00C716C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C7173A
Part of subcall function 00C716C3: GetLastError.KERNEL32 ref: 00C7174A

ExitWindowsEx.USER32(?,00000000), ref: 00C7E932

Strings

SeShutdownPrivilege, xrefs: 00C7E902
, xrefs: 00C7E95C
@, xrefs: 00C7E925
, xrefs: 00C7E920

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 2cbe07943716d6222a9297ce9e09c8ff6081105087fe7c9f8e64ce2c456a3288
Instruction ID: 5ba57ae9c2c6692cac9b92d5975b65f7302b6dba7432f4e8264bb98a3cd179b1
Opcode Fuzzy Hash: 2cbe07943716d6222a9297ce9e09c8ff6081105087fe7c9f8e64ce2c456a3288
Instruction Fuzzy Hash: 3A014933610211AFEB6426B99CCAFFF725C9708754F18C462FE1BE31D1D6A05D409290

Function 00C91204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006), ref: 00C91276
WSAGetLastError.WSOCK32 ref: 00C91283
bind.WSOCK32(00000000,?,00000010), ref: 00C912BA
WSAGetLastError.WSOCK32 ref: 00C912C5
closesocket.WSOCK32(00000000), ref: 00C912F4
listen.WSOCK32(00000000,00000005), ref: 00C91303
WSAGetLastError.WSOCK32 ref: 00C9130D
closesocket.WSOCK32(00000000), ref: 00C9133C

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 4277d29b679ae937f560bda7b154a6af7dd75b9707a6b951ebe5d2a7c6d4eb67
Instruction ID: 50d5365d644ff7cd108697e16cc3d1b0be8b01e63d005c3da042485e372f8447
Opcode Fuzzy Hash: 4277d29b679ae937f560bda7b154a6af7dd75b9707a6b951ebe5d2a7c6d4eb67
Instruction Fuzzy Hash: CD4173316001419FDB10EF64C4C9B69BBE5BF46318F188198E8669F2D2C775ED81CBE1

Function 00C4B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00C4B9D4
_free.LIBCMT ref: 00C4B9F8
_free.LIBCMT ref: 00C4BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00CB3700), ref: 00C4BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,00CE121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00C4BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00CE1270,000000FF,?,0000003F,00000000,?), ref: 00C4BC36
_free.LIBCMT ref: 00C4BD4B

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 93f63ace2c4a43a70f07d520a5e9d341bbd5a02c9721c6c4007e8c37b70e50ea
Instruction ID: 8e6adf1439aec34dce70b9ecef397bc017950c00f6fd34bf1717aeb3e7bea8c9
Opcode Fuzzy Hash: 93f63ace2c4a43a70f07d520a5e9d341bbd5a02c9721c6c4007e8c37b70e50ea
Instruction Fuzzy Hash: 35C11671A04245AFDB209F69CC81BAEBBB9FF51320F18419AE9A4DB251EB30DE41D750

Function 00C7D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00C13AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C13A97,?,?,00C12E7F,?,?,?,00000000), ref: 00C13AC2

Part of subcall function 00C7E199: GetFileAttributesW.KERNEL32(?,00C7CF95), ref: 00C7E19A

FindFirstFileW.KERNEL32(?,?), ref: 00C7D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 00C7D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 00C7D481
FindClose.KERNEL32(00000000), ref: 00C7D498
FindClose.KERNEL32(00000000), ref: 00C7D4A1

Strings

\*.*, xrefs: 00C7D3F2

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 69417e6b4654bb148b4ec3b6afce32375e88d7cef51da8c7434f0d24f4821a4f
Instruction ID: 6842e7528b7086087198afd85b1549ff7594323606f316ccdfc8776edc8dd0ef
Opcode Fuzzy Hash: 69417e6b4654bb148b4ec3b6afce32375e88d7cef51da8c7434f0d24f4821a4f
Instruction Fuzzy Hash: 223182710093419FC300EF64C8959EFB7E8BE92314F448A1DF4E6531A1EB30AA49EB63

Function 00C4E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00C4E645

Strings

1#QNAN, xrefs: 00C4F84B
1#SNAN, xrefs: 00C4F844
1#INF, xrefs: 00C4F852
1#IND, xrefs: 00C4F83D

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 410ef73c84bd9a56208c392662da350cc741968523cac10b96c0a74efe3d7c87
Instruction ID: a83fd9730878d486a1dc7fca97311a091d81e5397e0b51e8a639bc602c3393c2
Opcode Fuzzy Hash: 410ef73c84bd9a56208c392662da350cc741968523cac10b96c0a74efe3d7c87
Instruction Fuzzy Hash: A4C23A72E046288FDB25CE28DD407EAB7B5FB49315F1541EAD85DE7280E774AE828F40

Function 00C8648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00C864DC
CoInitialize.OLE32(00000000), ref: 00C86639
CoCreateInstance.OLE32(00CAFCF8,00000000,00000001,00CAFB68,?), ref: 00C86650
CoUninitialize.OLE32 ref: 00C868D4

Strings

.lnk, xrefs: 00C864BA, 00C86524, 00C865E0

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 1ef4eff4fd1909fe1d7694d4576304a2f4313b8595020a7192cfcadd3a52f7b0
Instruction ID: a1ee4467611bf2f71af9663140abd31a7e1f63a0ece63222326b3847c22105be
Opcode Fuzzy Hash: 1ef4eff4fd1909fe1d7694d4576304a2f4313b8595020a7192cfcadd3a52f7b0
Instruction Fuzzy Hash: 2AD14B71508301AFD304EF64C891AABB7E8FF99708F00496DF5958B291DB70EE46DB92

Function 00C922DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 00C922E8

Part of subcall function 00C8E4EC: GetWindowRect.USER32(?,?), ref: 00C8E504

GetDesktopWindow.USER32 ref: 00C92312
GetWindowRect.USER32(00000000), ref: 00C92319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00C92355
GetCursorPos.USER32(?), ref: 00C92381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00C923DF

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: b81d616df88a976d8a95ff010932c24f8e72aff0a500cbbf2e2460f38ed5c356
Instruction ID: 9d5d4be7bc95b757c138a3acdefb6ab89f140163e27e25b19d7aa6fb04eebd38
Opcode Fuzzy Hash: b81d616df88a976d8a95ff010932c24f8e72aff0a500cbbf2e2460f38ed5c356
Instruction Fuzzy Hash: 2031FE72504315AFCB20DF14C849F9BBBADFF88714F000919F99897191DB34EA08CB92

Function 00C89B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00C19CB3: _wcslen.LIBCMT ref: 00C19CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00C89B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00C89C8B

Part of subcall function 00C83874: GetInputState.USER32 ref: 00C838CB
Part of subcall function 00C83874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C83966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00C89BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00C89C75

Strings

*.*, xrefs: 00C89B5D

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: cfd9b39f80ff6c258302822064668e23c6786815251343e8b2b4d56524b03cbb
Instruction ID: 3ac44d4ff78999e4f74b1ea33c8873cadde8860617dcecc82b4f1edb507b8333
Opcode Fuzzy Hash: cfd9b39f80ff6c258302822064668e23c6786815251343e8b2b4d56524b03cbb
Instruction Fuzzy Hash: 4541717190020AAFDF15EFA4C885AFEBBB4EF46314F14415AE815A3191EB319F84DF64

Function 00C2997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00C29BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C29BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00C29A4E
GetSysColor.USER32(0000000F), ref: 00C29B23
SetBkColor.GDI32(?,00000000), ref: 00C29B36

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 95f9e1c0417b10cf0901eb4a7801236ec78a4380d3bffb4c27e412d5ef429c91
Instruction ID: ff0996f53c95b79afa399f1ae77a3d5149b16e116aec00ae80e0c45a4e75c88b
Opcode Fuzzy Hash: 95f9e1c0417b10cf0901eb4a7801236ec78a4380d3bffb4c27e412d5ef429c91
Instruction Fuzzy Hash: F3A13770108564EEE739AA2DACC9E7F269DDF43308F150609F522DADA1CA35DE41E271

Function 00C91806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00C9304E: inet_addr.WSOCK32(?), ref: 00C9307A
Part of subcall function 00C9304E: _wcslen.LIBCMT ref: 00C9309B

socket.WSOCK32(00000002,00000002,00000011), ref: 00C9185D
WSAGetLastError.WSOCK32 ref: 00C91884
bind.WSOCK32(00000000,?,00000010), ref: 00C918DB
WSAGetLastError.WSOCK32 ref: 00C918E6
closesocket.WSOCK32(00000000), ref: 00C91915

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 722c28c48615a5d6fe5660fd411ba61465aef6c286d4e14202123984ddc28ea1
Instruction ID: 3d5584aac58c5453319ee5b3a5e6110b8948b8ee40130347cc91b7d1dfcb5fe0
Opcode Fuzzy Hash: 722c28c48615a5d6fe5660fd411ba61465aef6c286d4e14202123984ddc28ea1
Instruction Fuzzy Hash: D651B371A00210AFDB10AF24D88AF6A77E5AB45718F188098F9159F3D3D771ED41EBA1

Function 00CA1C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00CA1CC0
IsWindowEnabled.USER32 ref: 00CA1CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00CA1CDB
IsIconic.USER32 ref: 00CA1CE9
IsZoomed.USER32 ref: 00CA1CF7

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 965189be93c78b4bcd2a5cc7af28b0b3097fe1e03be2cecd9f80c05680f928d7
Instruction ID: 52459e67f90c1292a1c9c0ce949a117be2bbf1a752b3bc49b672a58e89a346f3
Opcode Fuzzy Hash: 965189be93c78b4bcd2a5cc7af28b0b3097fe1e03be2cecd9f80c05680f928d7
Instruction Fuzzy Hash: 66219F317406125FD7218F2AC884B6A7BE5EF8632CF1D8068E8568B351CB71ED42DB94

Function 00C18060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00C183E8
VUUU, xrefs: 00C183FA
ERCP, xrefs: 00C1813C
VUUU, xrefs: 00C1843C
VUUU, xrefs: 00C55DF0

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 1a38536d152957bac10c73461c9699d211b5c5b5de7b6ec4b75f7ae0d24172de
Instruction ID: fe406dc31e7628f22cc89dd2df615f0e82a2a9415cb22bdb497157a3d48a6544
Opcode Fuzzy Hash: 1a38536d152957bac10c73461c9699d211b5c5b5de7b6ec4b75f7ae0d24172de
Instruction Fuzzy Hash: 41A2AE74E0461ACBDF24CF58C8507EEB7B1BB55311F6481A9EC25A7280EB309EC9DB94

Function 00C9A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00C9A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 00C9A6BA

Part of subcall function 00C19CB3: _wcslen.LIBCMT ref: 00C19CBD

Process32NextW.KERNEL32(00000000,?), ref: 00C9A79C
CloseHandle.KERNEL32(00000000), ref: 00C9A7AB

Part of subcall function 00C2CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00C53303,?), ref: 00C2CE8A

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 4d75bedbea5fd160ea6cfc310011a45428bb3fea09ecdd8b95ecc5fd3d236d7a
Instruction ID: 87d1226208ae7f8bd34dadf69b56f9e7adfb33f89a69ddd7400186edd0b8f14f
Opcode Fuzzy Hash: 4d75bedbea5fd160ea6cfc310011a45428bb3fea09ecdd8b95ecc5fd3d236d7a
Instruction Fuzzy Hash: 95517D71508300AFD710EF24D886AAFBBE8FF89754F00891DF595972A1EB30D945DB92

Function 00C7AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00C7AAAC
SetKeyboardState.USER32(00000080), ref: 00C7AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00C7AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00C7AB88

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 02f17f708fb345e748fc4d95405730061295b07a539c662b5f0ee1eb2e912122
Instruction ID: f2b0867b383ab15e6023c237aa8df25e781761fb8164e487c19ef1caeb707cf3
Opcode Fuzzy Hash: 02f17f708fb345e748fc4d95405730061295b07a539c662b5f0ee1eb2e912122
Instruction Fuzzy Hash: 0C311870A40208AFFF35CA65CC05BFE7BA6EBC5310F04C21AF199561D1D3749A85D7A2

Function 00C8CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 00C8CE89
GetLastError.KERNEL32(?,00000000), ref: 00C8CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 00C8CEFE

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 23610c7ac831c0e3ba280ac5e41b62580356e9fd803e50357c981c966e46277d
Instruction ID: f72ce9c5a990b5995e92bf70b9c9cc8d674e1a75c593d77ff1f933ee7c3f7191
Opcode Fuzzy Hash: 23610c7ac831c0e3ba280ac5e41b62580356e9fd803e50357c981c966e46277d
Instruction Fuzzy Hash: 5321BD71500305ABEB30EFA5C988BAAB7F8EB50318F10441EE656D2151EB74EE049B68

Function 00C7DBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00C55222), ref: 00C7DBCE
GetFileAttributesW.KERNEL32(?), ref: 00C7DBDD
FindFirstFileW.KERNEL32(?,?), ref: 00C7DBEE
FindClose.KERNEL32(00000000), ref: 00C7DBFA

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 09936a12f3b828499f5ad5561e9a90abf904e6ea74b02d1446beaba855f16bad
Instruction ID: e0794c964b10a23d153e378ba6399be198a66a8eee4deb213e2b266c6d930c75
Opcode Fuzzy Hash: 09936a12f3b828499f5ad5561e9a90abf904e6ea74b02d1446beaba855f16bad
Instruction Fuzzy Hash: 43F0A9308109106783216B78AC4DAAE37BC9F02338F108702F83BC20F0EBB09E948696

Function 00C78298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00C782AA

Strings

|, xrefs: 00C782DA
(, xrefs: 00C782F0

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 1653d977777b29c11fb9f59aab8ff9c839cf72000102b3d82840b3aa12d5f767
Instruction ID: ae9bd85e39902a8ff3419827db06c5350606f1c3d08549a44b5cd1cf9f165d30
Opcode Fuzzy Hash: 1653d977777b29c11fb9f59aab8ff9c839cf72000102b3d82840b3aa12d5f767
Instruction Fuzzy Hash: C9323674A007059FCB28CF69C085A6AB7F0FF48710B15C56EE5AADB7A1EB70E941CB50

Function 00C85C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00C85CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00C85D17
FindClose.KERNEL32(?), ref: 00C85D5F

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 986cfb807db1a60ea4465d6709ef1d593460d462e796f29a568ab07a4ba79775
Instruction ID: 31bfc3ddfbca2101ed57623dd027a17c45aa67d015f4031f2540ef8a09a4aa63
Opcode Fuzzy Hash: 986cfb807db1a60ea4465d6709ef1d593460d462e796f29a568ab07a4ba79775
Instruction Fuzzy Hash: 27519974604A019FC714EF28C494A9AB7E4FF4A318F14855EE96A8B3A2CB70ED45CF91

Function 00C42622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00C4271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00C42724
UnhandledExceptionFilter.KERNEL32(?), ref: 00C42731

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: b2a2e7f47e5e7b916f240b3926fbcc8c6ab46d69a26f538d0bff18c11d64a6b9
Instruction ID: 8c30f725d9dec06c0dd91ae06de8547ee204fd7c8bfb8ed0fc42230bda738134
Opcode Fuzzy Hash: b2a2e7f47e5e7b916f240b3926fbcc8c6ab46d69a26f538d0bff18c11d64a6b9
Instruction Fuzzy Hash: E531A27591121CABCB21DF68D9897DDBBB8BF08310F5041EAE81CA7261E7709F819F45

Function 00C851CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00C851DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00C85238
SetErrorMode.KERNEL32(00000000), ref: 00C852A1

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: cd57ff228f3b2430ba7b32fc8d2e35d163823a9a3ef9feef6c51dd38eee506aa
Instruction ID: 61caebde287bb17ff8940858f865fa32334aa1ca2f121f1d68023dcc5453e6e0
Opcode Fuzzy Hash: cd57ff228f3b2430ba7b32fc8d2e35d163823a9a3ef9feef6c51dd38eee506aa
Instruction Fuzzy Hash: BC312B75A005189FDB00EF94D8C4FADBBB5FF49318F048099E905AB3A2DB71E956CB90

Function 00C716C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00C2FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00C30668
Part of subcall function 00C2FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00C30685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C7170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C7173A
GetLastError.KERNEL32 ref: 00C7174A

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: ea4cd1d3e2e2a9fa6cd0e921f28a90ee5d57ecedfd4663376f30da08931be011
Instruction ID: 95afc9644fc49420901adc2015bfe554fce427b6e08aecd6252694bed578d075
Opcode Fuzzy Hash: ea4cd1d3e2e2a9fa6cd0e921f28a90ee5d57ecedfd4663376f30da08931be011
Instruction Fuzzy Hash: 2E1191B2414308AFD7189F54ECC6E6AB7BDEB44714B24C52EF45657641EB70BC428A20

Function 00C7D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00C7D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00C7D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00C7D650

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: c7855c093ac968e1313c3222559917f35219d161852a5147b9f8f63ebaa309cf
Instruction ID: eed8662c7cf55e8935ce41db6e9080b8e44a9254a1029fd949942f90c9a45d6f
Opcode Fuzzy Hash: c7855c093ac968e1313c3222559917f35219d161852a5147b9f8f63ebaa309cf
Instruction Fuzzy Hash: F6115E75E05228BFDB108F95DC85FAFBBBCEB45B60F108515F918E7290D6704A058BA1

Function 00C71663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00C7168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00C716A1
FreeSid.ADVAPI32(?), ref: 00C716B1

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: bff7a0d9a5cb832bfb21b234867fe59d512c323820def197e7ea3a00f5fd32e8
Instruction ID: 898343ee388d655ec6f12f1e0bc00277d922201809b093cc4f8b6086b2058117
Opcode Fuzzy Hash: bff7a0d9a5cb832bfb21b234867fe59d512c323820def197e7ea3a00f5fd32e8
Instruction Fuzzy Hash: B4F0F47195030DFBDB00DFE4DC89AAEBBBCEB08604F508565E901E2181E774AA448A50

Function 00C34CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00C428E9,?,00C34CBE,00C428E9,00CD88B8,0000000C,00C34E15,00C428E9,00000002,00000000,?,00C428E9), ref: 00C34D09
TerminateProcess.KERNEL32(00000000,?,00C34CBE,00C428E9,00CD88B8,0000000C,00C34E15,00C428E9,00000002,00000000,?,00C428E9), ref: 00C34D10
ExitProcess.KERNEL32 ref: 00C34D22

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: e75662ccd4da236ffea0e86434a227be8e05ef92e74809bf54268809dfef3741
Instruction ID: 429575f8c5f58df28a44c2bd8217250b843c43b2bb9ab45a6a6a540bd2adab8f
Opcode Fuzzy Hash: e75662ccd4da236ffea0e86434a227be8e05ef92e74809bf54268809dfef3741
Instruction Fuzzy Hash: 20E0B631011148ABCF15AF54DD49B9D3B79FB42795F104014FD159B132CB39EE42DA80

Function 00C4C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 00C4C36C

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: f94071236b47a1ca53a748fe42fcea7a6fb71b72b2e9059d838bc96de5282e45
Instruction ID: aa57329da45b31abb9fd35af3afd230cff4767010fdb172cf06c7ec3e17eb33b
Opcode Fuzzy Hash: f94071236b47a1ca53a748fe42fcea7a6fb71b72b2e9059d838bc96de5282e45
Instruction Fuzzy Hash: 12412676901219ABCB249FB9CC89EFB77B8FB84314F504269F915D71A0E6709E81CB50

Function 00C6D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00C6D28C

Strings

X64, xrefs: 00C6D2A8

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: be7f165c43e8ae9649a83f4ff9f4f0fe053e62017de12ad1a16b1745a99e20e0
Instruction ID: cbc79ea8dae363fc5df70ce96358180b562a8a6ce589af106061b0a5be7de481
Opcode Fuzzy Hash: be7f165c43e8ae9649a83f4ff9f4f0fe053e62017de12ad1a16b1745a99e20e0
Instruction Fuzzy Hash: DBD0CAB480116DEACBA0CBA0ECC8EDEB7BCBB14309F100292F106A2000DB309A488F20

Function 00C3CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 8894962b4598f3fe915d4ca39a0204fc49701403902d9fcb38243183b20ce92a
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: F2021D72E102199BDF14DFA9D8C06ADFBF1EF48314F258169D829F7384D731AA418B94

Function 00C868EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00C86918
FindClose.KERNEL32(00000000), ref: 00C86961

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: eb4d9e66360b8a78f79573fa8fb2ba595ac58953673f747a709655c2c9e33bac
Instruction ID: 5a1de72ba758379a097a29bf80ed1de3cb38a48bdaacd57cb4514d162d054e32
Opcode Fuzzy Hash: eb4d9e66360b8a78f79573fa8fb2ba595ac58953673f747a709655c2c9e33bac
Instruction Fuzzy Hash: 1B117C316042109FC710DF69D488A1ABBE5EF85328F14C699E4698B7A2CB30EC45CB91

Function 00C837B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00C94891,?,?,00000035,?), ref: 00C837E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00C94891,?,?,00000035,?), ref: 00C837F4

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: e43ce31e6a99222dc2997b5631f50ecdfc0c11d0d62e5cd3084d3c6ed89b303e
Instruction ID: cb73d12b166f1e19a0a27626f7a8fe1f3b4cce4565741aed640d70d5c22dd2ea
Opcode Fuzzy Hash: e43ce31e6a99222dc2997b5631f50ecdfc0c11d0d62e5cd3084d3c6ed89b303e
Instruction Fuzzy Hash: 38F0EC707052142AD71067664C8DFDB369DDFC5B65F000275F505D32D1D9609944C7B0

Function 00C7B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00C7B25D
keybd_event.USER32(?,753DC0D0,?,00000000), ref: 00C7B270

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: bc23a3b532b469837c1af17165f28f159e5f4f61b62308a9e8e3b725311218c3
Instruction ID: e16f186d3bd8d0b67185c778b6b6608db78b5e7884a08d45f57ec85398ce212b
Opcode Fuzzy Hash: bc23a3b532b469837c1af17165f28f159e5f4f61b62308a9e8e3b725311218c3
Instruction Fuzzy Hash: 63F0177180428EABDB059FA1C806BBE7BB4FF09309F00800AF965A61A2C37986119F94

Function 00C710BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00C711FC), ref: 00C710D4
CloseHandle.KERNEL32(?,?,00C711FC), ref: 00C710E9

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: dd17fb47d44349b929031e39034595ed86dffc985fa1f65b4a3cbc7095af739f
Instruction ID: 1bf079d85bd97b1309aa5e3218651f9687a906fe9dbff86da87f3f35ff50a1ac
Opcode Fuzzy Hash: dd17fb47d44349b929031e39034595ed86dffc985fa1f65b4a3cbc7095af739f
Instruction Fuzzy Hash: EEE04F32004610AEE7252B15FC05FB777A9EF04320F14882DF4A6814B1DB626C90EB10

Function 00C1CAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00C60C40

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: edb3d7fbcb3c2f4b83874dfa1fd70865cb2078bf4de37a5815a1f31ab9201c35
Instruction ID: 5a7f2ca92053cd82ee79e8c1a6cdb1a61c29ffaf67184bf4616391ccaec4885d
Opcode Fuzzy Hash: edb3d7fbcb3c2f4b83874dfa1fd70865cb2078bf4de37a5815a1f31ab9201c35
Instruction Fuzzy Hash: DB32AE30940218DBCF24DF94D8D1AEEB7B5FF06304F248059F816AB292D735AE86EB51

Function 00C4676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00C46766,?,?,00000008,?,?,00C4FEFE,00000000), ref: 00C46998

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 6f7e0484133966bb2604fb18c379eb1b12d0b42764fbd87d34a67e041b2ec68f
Instruction ID: 0925d2ffd9d8a33951c5a309b2772b0767da1d4e6bad6e5f0d2a04d9e028f324
Opcode Fuzzy Hash: 6f7e0484133966bb2604fb18c379eb1b12d0b42764fbd87d34a67e041b2ec68f
Instruction Fuzzy Hash: 2EB14C316106089FD715CF28C486B657BE0FF46368F258658E8E9CF2E6C335EA91CB41

Function 00C2B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 00C6851F

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 3196eb8806bcf009b612c7e23ca401bd271dd0cea73bfd2cca6050edd52228d1
Instruction ID: dfe0c99ed0e16f95f08f602380d8ce1aae399e6a3624bfc857e2ede2558a2488
Opcode Fuzzy Hash: 3196eb8806bcf009b612c7e23ca401bd271dd0cea73bfd2cca6050edd52228d1
Instruction Fuzzy Hash: 91127E71D002299BCB24DF59D8806EEB7F5FF48310F1481AAE859EB251DB309E85DF90

Function 00C8EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00C8EABD

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 2726b5a806b37ab9c7252284116c77cd4e646d98368d6a27c337248c587e7782
Instruction ID: 66d9ef0073953bd7545f71ba37ef35e0037187c3a25581f5ec9156968ab65642
Opcode Fuzzy Hash: 2726b5a806b37ab9c7252284116c77cd4e646d98368d6a27c337248c587e7782
Instruction Fuzzy Hash: 86E01A31200204AFC710EF5AD844E9ABBE9AF99764F008416FC49C7351DA70E881AB90

Function 00C309D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,00C303EE), ref: 00C309DA

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: fe9d2f5e2414aa138904cbd89e183879a4ac44fa8df305a4ccf03c403a4390aa
Instruction ID: bcd5e5b7ac518b4d10a9a3abc5cdc8a01e7340b3ceedb4279bfa92d12fd79366
Opcode Fuzzy Hash: fe9d2f5e2414aa138904cbd89e183879a4ac44fa8df305a4ccf03c403a4390aa
Instruction Fuzzy Hash:

Function 00C3781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 00C3798B

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 3fb99e9943a86ff3dcaf643888caa725ae425c106688d0badbddf5a3c03b1c09
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 345168F163C7456BDF388569895EBBE63D99B06300F180B09E8A2EB2C2C615DF05E353

Function 00C46DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f13ecc687bd88667465eb24ecf397931a71fcb07ff248d553a8dbc6d7dfc077
Instruction ID: d2077ef76cba0b0e5c03431ffe619f395ff722b22e1f6bb21134b3159823f6f7
Opcode Fuzzy Hash: 8f13ecc687bd88667465eb24ecf397931a71fcb07ff248d553a8dbc6d7dfc077
Instruction Fuzzy Hash: BC321332D29F414DDB239635CC2233AA649BFB73C5F15D737E82AB5AA5EB29C5834100

Function 00C2CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a89413fba1c3d778ee3237d6e3c89706a67a1afe8d13432c3e3442958e0eebbc
Instruction ID: eb0ebfad99496317d305605af0bc04efb408d1450eec7ecf53559cd84f238466
Opcode Fuzzy Hash: a89413fba1c3d778ee3237d6e3c89706a67a1afe8d13432c3e3442958e0eebbc
Instruction Fuzzy Hash: 50320531A042658BCF38CF69D8D467D7BA1EB45300F28856BD4EADB692D234DF81EB41

Function 00C17920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc1cc42b82b193dbec21baeb8f953462e602e0d6db16161db4238088ba9a54f5
Instruction ID: e44d7eefcba407515c2434a493a258d1f61a5c3d9e2f578758de0499de92dbc4
Opcode Fuzzy Hash: cc1cc42b82b193dbec21baeb8f953462e602e0d6db16161db4238088ba9a54f5
Instruction Fuzzy Hash: 2422F470A04609DFDF04CF65D891AEEB3F5FF45300F204229E816A72A1EB359E95EB54

Function 00C191C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33fef8339a95280352924ea7dc9226e248f20e4d597b853f43e1e3980c299590
Instruction ID: 05a39719ba85eb05b98ed9cbcb165f4f2bc05c520f3a78dcd83d55e0ccdc46a1
Opcode Fuzzy Hash: 33fef8339a95280352924ea7dc9226e248f20e4d597b853f43e1e3980c299590
Instruction Fuzzy Hash: 5102E7B5E00209EBDB04DF64D881AAEB7B5FF44300F118169E816DB290EB31EF95DB95

Function 00C31C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 43338182a2d6a5f3ff183443a6a9bd893b949779adc219cc9a276c837356eab1
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: BC9179721280A34EDB6A463E857407EFFE15A523A1B1E079DDCF2CA1C5FE14CA54D620

Function 00C319B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: a9b82f9d75931e5631de39726bbb90f50f40b317f2a3a9231650aeba284e67ad
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 129187722190E34EDB2D427A857403DFFE15A923A6B1E079DD8F2CA1C1FD14C764E620

Function 00C37A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e0e6c0761db7c23f07272b0b7a30dd4369b62ae0542d33859df5373bfe1e60d
Instruction ID: 643904d3a0b8dded7f6f7d9b4c675b06ab938f8e7f3d3393e007c86f766faf78
Opcode Fuzzy Hash: 3e0e6c0761db7c23f07272b0b7a30dd4369b62ae0542d33859df5373bfe1e60d
Instruction Fuzzy Hash: 88618AF1238309A7DE349A2C8CA5BBEB3A4DF41708F101B1AF853DB281D6119F46E755

Function 00C37CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f00483d1692421cf4d7de9aaa8fe928b5afb94107b427faf4014b85e0458c3f8
Instruction ID: 20783a467cc73c73d66115a0ac3fb730ac9ed82e1e303e1df077d8fc2d714c0e
Opcode Fuzzy Hash: f00483d1692421cf4d7de9aaa8fe928b5afb94107b427faf4014b85e0458c3f8
Instruction Fuzzy Hash: 57617AF12387096BDE389A288896BFF2398DF41700F100B59F863DB281DA129F469355

Function 00C31706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: fdd2b72d5224a755e2735ab1c4006bdc2c01ad347278ae12fdfbef849f14083a
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 988187336191A34DDB6D863A853453EFFE15A923A1B1E079DD8F2CB1C1EE24C754E620

Function 00C82046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5550a333b2ee5a4d0324193588281bbc428a8f87a40c879ae749dc54e17023df
Instruction ID: 4896f08b01dbe2ad31923af2ea2efadf89ec975c4f780b72df6a0269d898cbea
Opcode Fuzzy Hash: 5550a333b2ee5a4d0324193588281bbc428a8f87a40c879ae749dc54e17023df
Instruction Fuzzy Hash: 7821E7326206118BDB28CF79C82377E73E9A794314F14862EE4A7C73D0DE75A904CB84

Function 00C92ADE Relevance: 79.2, APIs: 40, Strings: 5, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00C92B30
DeleteObject.GDI32(00000000), ref: 00C92B43
DestroyWindow.USER32 ref: 00C92B52
GetDesktopWindow.USER32 ref: 00C92B6D
GetWindowRect.USER32(00000000), ref: 00C92B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00C92CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00C92CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C92CF8
GetClientRect.USER32(00000000,?), ref: 00C92D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00C92D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C92D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C92D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C92D80
GlobalLock.KERNEL32(00000000), ref: 00C92D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C92D98
GlobalUnlock.KERNEL32(00000000), ref: 00C92DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C92DA8
GlobalFree.KERNEL32(00000000), ref: 00C92DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C92DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,00CAFC38,00000000), ref: 00C92DDB
GlobalFree.KERNEL32(00000000), ref: 00C92DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00C92E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00C92E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C92E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C9303F

Strings

static, xrefs: 00C92D3A, 00C92E91
DISPLAY, xrefs: 00C92EA2
@U=u, xrefs: 00C92E30, 00C92FBF
, xrefs: 00C92FC5
AutoIt v3, xrefs: 00C92CF2

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $@U=u$AutoIt v3$DISPLAY$static
API String ID: 2211948467-3613752883
Opcode ID: 6d607390641683a0ce40343edc66ff78a358d93fc7321751818443f9a491bd32
Instruction ID: 10dcbc83a2aa7fb9b659812adb289d66c99a7221f211a1db8fe5f5c058258945
Opcode Fuzzy Hash: 6d607390641683a0ce40343edc66ff78a358d93fc7321751818443f9a491bd32
Instruction Fuzzy Hash: 05027A71A00215AFDB14DFA4CC89FAE7BB9EB4A314F048158F915AB2A1DB74ED41CF60

Function 00CA70D5 Relevance: 59.8, APIs: 33, Strings: 1, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00CA712F
GetSysColorBrush.USER32(0000000F), ref: 00CA7160
GetSysColor.USER32(0000000F), ref: 00CA716C
SetBkColor.GDI32(?,000000FF), ref: 00CA7186
SelectObject.GDI32(?,?), ref: 00CA7195
InflateRect.USER32(?,000000FF,000000FF), ref: 00CA71C0
GetSysColor.USER32(00000010), ref: 00CA71C8
CreateSolidBrush.GDI32(00000000), ref: 00CA71CF
FrameRect.USER32(?,?,00000000), ref: 00CA71DE
DeleteObject.GDI32(00000000), ref: 00CA71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00CA7230
FillRect.USER32(?,?,?), ref: 00CA7262
GetWindowLongW.USER32(?,000000F0), ref: 00CA7284

Part of subcall function 00CA73E8: GetSysColor.USER32(00000012), ref: 00CA7421
Part of subcall function 00CA73E8: SetTextColor.GDI32(?,?), ref: 00CA7425
Part of subcall function 00CA73E8: GetSysColorBrush.USER32(0000000F), ref: 00CA743B
Part of subcall function 00CA73E8: GetSysColor.USER32(0000000F), ref: 00CA7446
Part of subcall function 00CA73E8: GetSysColor.USER32(00000011), ref: 00CA7463
Part of subcall function 00CA73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00CA7471
Part of subcall function 00CA73E8: SelectObject.GDI32(?,00000000), ref: 00CA7482
Part of subcall function 00CA73E8: SetBkColor.GDI32(?,00000000), ref: 00CA748B
Part of subcall function 00CA73E8: SelectObject.GDI32(?,?), ref: 00CA7498
Part of subcall function 00CA73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 00CA74B7
Part of subcall function 00CA73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00CA74CE
Part of subcall function 00CA73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 00CA74DB

Strings

@U=u, xrefs: 00CA72CC

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID: @U=u
API String ID: 4124339563-2594219639
Opcode ID: fde7069f6d1d2bb2180303c70f2bec8d8fe963ef053a3e472f1a943a93358d28
Instruction ID: 1825546b286a3a670e1151d135764433183956d729aa00566dcbe3a44da242f0
Opcode Fuzzy Hash: fde7069f6d1d2bb2180303c70f2bec8d8fe963ef053a3e472f1a943a93358d28
Instruction Fuzzy Hash: 70A18D72508302AFDB119F60DC88B6F7BE9FB4A328F100B19FA62971A1D771E9449B51

Function 00C28D85 Relevance: 49.5, APIs: 26, Strings: 2, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00C28E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00C66AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00C66AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00C66F43

Part of subcall function 00C28F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00C28BE8,?,00000000,?,?,?,?,00C28BBA,00000000,?), ref: 00C28FC5

SendMessageW.USER32(?,00001053), ref: 00C66F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00C66F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00C66FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00C66FB7

Strings

0, xrefs: 00C66DCF
@U=u, xrefs: 00C66AC5, 00C66BD6, 00C66EBF

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0$@U=u
API String ID: 2760611726-975001249
Opcode ID: 18cfb282dc00eb57ac06d01982bc30b9e6b85a9065c0ee7caec26a0af51497c3
Instruction ID: 423f5199a2726ac168f175ca6106aa1df45e47ac56e33e74fddcd6d1c7c6aab7
Opcode Fuzzy Hash: 18cfb282dc00eb57ac06d01982bc30b9e6b85a9065c0ee7caec26a0af51497c3
Instruction Fuzzy Hash: D612CB34201251EFDB25CF28D8C4BAAB7E1FB45300F184469F4A58B662CB32ED66DF91

Function 00C92711 Relevance: 47.6, APIs: 22, Strings: 5, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00C9273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00C9286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00C928A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00C928B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00C92900
GetClientRect.USER32(00000000,?), ref: 00C9290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00C92955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00C92964
GetStockObject.GDI32(00000011), ref: 00C92974
SelectObject.GDI32(00000000,00000000), ref: 00C92978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00C92988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C92991
DeleteDC.GDI32(00000000), ref: 00C9299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00C929C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 00C929DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00C92A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00C92A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00C92A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00C92A77
GetStockObject.GDI32(00000011), ref: 00C92A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00C92A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00C92A97

Strings

static, xrefs: 00C9294F, 00C92A71
DISPLAY, xrefs: 00C9295A
@U=u, xrefs: 00C929CC
AutoIt v3, xrefs: 00C928F8
msctls_progress32, xrefs: 00C92A13

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: @U=u$AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-2771358697
Opcode ID: d9fe5674911840252d6cf6cc3ec526857399f12511b5f1b30713aa76edd1fa8d
Instruction ID: 14286c5f5c91f5e0945c844052df509b28b25d93db7abdbd4c14f05409be830b
Opcode Fuzzy Hash: d9fe5674911840252d6cf6cc3ec526857399f12511b5f1b30713aa76edd1fa8d
Instruction Fuzzy Hash: 24B14B71A00215BFEB14DFA8DC89FAE7BB9EB09714F044114FA15EB2A0D774AD40DBA4

Function 00CA73E8 Relevance: 47.5, APIs: 26, Strings: 1, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00CA7421
SetTextColor.GDI32(?,?), ref: 00CA7425
GetSysColorBrush.USER32(0000000F), ref: 00CA743B
GetSysColor.USER32(0000000F), ref: 00CA7446
CreateSolidBrush.GDI32(?), ref: 00CA744B
GetSysColor.USER32(00000011), ref: 00CA7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00CA7471
SelectObject.GDI32(?,00000000), ref: 00CA7482
SetBkColor.GDI32(?,00000000), ref: 00CA748B
SelectObject.GDI32(?,?), ref: 00CA7498
InflateRect.USER32(?,000000FF,000000FF), ref: 00CA74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00CA74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 00CA74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00CA752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00CA7554
InflateRect.USER32(?,000000FD,000000FD), ref: 00CA7572
DrawFocusRect.USER32(?,?), ref: 00CA757D
GetSysColor.USER32(00000011), ref: 00CA758E
SetTextColor.GDI32(?,00000000), ref: 00CA7596
DrawTextW.USER32(?,00CA70F5,000000FF,?,00000000), ref: 00CA75A8
SelectObject.GDI32(?,?), ref: 00CA75BF
DeleteObject.GDI32(?), ref: 00CA75CA
SelectObject.GDI32(?,?), ref: 00CA75D0
DeleteObject.GDI32(?), ref: 00CA75D5
SetTextColor.GDI32(?,?), ref: 00CA75DB
SetBkColor.GDI32(?,?), ref: 00CA75E5

Strings

@U=u, xrefs: 00CA752A

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID: @U=u
API String ID: 1996641542-2594219639
Opcode ID: 36113d6956983f0703839ce423d4a414e8e484f927d86368cb0a1274d00574e5
Instruction ID: 473ee47aa2a1b511768ca825ac890939da090013599805de6514dcbf9cbe9347
Opcode Fuzzy Hash: 36113d6956983f0703839ce423d4a414e8e484f927d86368cb0a1274d00574e5
Instruction Fuzzy Hash: 85615172D04219AFDB019FA4DC49BDE7FB9FB0A324F114125FA15A72A1D7709940DF90

Function 00C84ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00C84AED
GetDriveTypeW.KERNEL32(?,00CACB68,?,\\.\,00CACC08), ref: 00C84BCA
SetErrorMode.KERNEL32(00000000,00CACB68,?,\\.\,00CACC08), ref: 00C84D36

Strings

FileBackedVirtual, xrefs: 00C84CEC
SAS, xrefs: 00C84CC9
SSD, xrefs: 00C84C4A
SATA, xrefs: 00C84CD0
RAID, xrefs: 00C84CBB
RAMDisk, xrefs: 00C84BF4
ATAPI, xrefs: 00C84C91
1394, xrefs: 00C84C9F
Unknown, xrefs: 00C84BED, 00C84C83
MMC, xrefs: 00C84CDE
SCSI, xrefs: 00C84C8A
\\.\, xrefs: 00C84B3F
CDROM, xrefs: 00C84BFB
SSA, xrefs: 00C84CA6
iSCSI, xrefs: 00C84CC2
Fibre, xrefs: 00C84CAD
Fixed, xrefs: 00C84C09
Removable, xrefs: 00C84C10, 00C84C15
Network, xrefs: 00C84C02
ATA, xrefs: 00C84C98
USB, xrefs: 00C84CB4
PhysicalDrive, xrefs: 00C84B76
Virtual, xrefs: 00C84CE5

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 94622d19af580d075ff0c7d095787dcea38049ab352d9ed9cf1bca58a2d28247
Instruction ID: 3deffb1f39202e7161e36c2d0435b6debddd5299b1dadc7fd2ea00d573e44cad
Opcode Fuzzy Hash: 94622d19af580d075ff0c7d095787dcea38049ab352d9ed9cf1bca58a2d28247
Instruction Fuzzy Hash: 9F61B030705207DBCB08FF25CA819BDB7B5AB45308B248426F916AB791DB71EE41EB49

Function 00CA0241 Relevance: 37.1, APIs: 7, Strings: 14, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00CA02E5
_wcslen.LIBCMT ref: 00CA031F
_wcslen.LIBCMT ref: 00CA0389
_wcslen.LIBCMT ref: 00CA03F1
_wcslen.LIBCMT ref: 00CA0475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00CA04C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00CA0504

Part of subcall function 00C2F9F2: _wcslen.LIBCMT ref: 00C2F9FD

Part of subcall function 00C7223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00C72258
Part of subcall function 00C7223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00C7228A

Strings

GETSUBITEMCOUNT, xrefs: 00CA0384, 00CA039F
GETITEMCOUNT, xrefs: 00CA0316, 00CA0337
@U=u, xrefs: 00CA04C5, 00CA0504
DESELECT, xrefs: 00CA059C
VIEWCHANGE, xrefs: 00CA0675
ISSELECTED, xrefs: 00CA04DD
SELECT, xrefs: 00CA0548
GETTEXT, xrefs: 00CA03EC, 00CA0407
SELECTCLEAR, xrefs: 00CA052D
SELECTINVERT, xrefs: 00CA057E
GETSELECTEDCOUNT, xrefs: 00CA0470, 00CA048B
FINDITEM, xrefs: 00CA0627
SELECTALL, xrefs: 00CA0515
GETSELECTED, xrefs: 00CA05E1

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: @U=u$DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-1753161424
Opcode ID: e975b82b9b9445e00f0966817c11d6079142773816aac0ebd2f0b4eb39aab4e0
Instruction ID: 50eb709ac88ae6304268bdb91c0490f6eb821d0a2c30ae79e94ecc0616ae472d
Opcode Fuzzy Hash: e975b82b9b9445e00f0966817c11d6079142773816aac0ebd2f0b4eb39aab4e0
Instruction Fuzzy Hash: AEE191312182028FCB14DF24C45196EB7E6BFCA358F644A6DF8969B3A1D730EE46DB41

Function 00CA0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00CA1128
GetDesktopWindow.USER32 ref: 00CA113D
GetWindowRect.USER32(00000000), ref: 00CA1144
GetWindowLongW.USER32(?,000000F0), ref: 00CA1199
DestroyWindow.USER32(?), ref: 00CA11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00CA11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00CA120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00CA121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00CA1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00CA1245
IsWindowVisible.USER32(00000000), ref: 00CA12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00CA12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00CA12D0
GetWindowRect.USER32(00000000,?), ref: 00CA12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 00CA130E
GetMonitorInfoW.USER32(00000000,?), ref: 00CA1328
CopyRect.USER32(?,?), ref: 00CA133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 00CA13AA

Strings

tooltips_class32, xrefs: 00CA11E6
0, xrefs: 00CA10D3
(, xrefs: 00CA131B

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: f151216f7176fec2266e9f7e5717ec91a6084737bf69819f1f8c394831d0f28a
Instruction ID: 01c94dd985fbad93a4d2b98f6737169a776292fd5b43b44fa0cc6fdc284c0cc7
Opcode Fuzzy Hash: f151216f7176fec2266e9f7e5717ec91a6084737bf69819f1f8c394831d0f28a
Instruction Fuzzy Hash: A6B1AD71608342AFDB10DF64C884BAEBBE4FF86358F048918F9999B261C731EC45DB91

Function 00C28891 Relevance: 35.3, APIs: 18, Strings: 2, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00C28968
GetSystemMetrics.USER32(00000007), ref: 00C28970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00C2899B
GetSystemMetrics.USER32(00000008), ref: 00C289A3
GetSystemMetrics.USER32(00000004), ref: 00C289C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00C289E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00C289F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00C28A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00C28A3C
GetClientRect.USER32(00000000,000000FF), ref: 00C28A5A
GetStockObject.GDI32(00000011), ref: 00C28A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00C28A81

Part of subcall function 00C2912D: GetCursorPos.USER32(?), ref: 00C29141
Part of subcall function 00C2912D: ScreenToClient.USER32(00000000,?), ref: 00C2915E
Part of subcall function 00C2912D: GetAsyncKeyState.USER32(00000001), ref: 00C29183
Part of subcall function 00C2912D: GetAsyncKeyState.USER32(00000002), ref: 00C2919D

SetTimer.USER32(00000000,00000000,00000028,00C290FC), ref: 00C28AA8

Strings

AutoIt v3 GUI, xrefs: 00C28A20
@U=u, xrefs: 00C28A81

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: @U=u$AutoIt v3 GUI
API String ID: 1458621304-2077007950
Opcode ID: d8de2b5461b630f9a86dddf8078b82914078b7d17129203b3344393f85e8a458
Instruction ID: fdeb915b3375add4de256f22df95b1081f7364a6fa61dc1be5b67e374744cd1d
Opcode Fuzzy Hash: d8de2b5461b630f9a86dddf8078b82914078b7d17129203b3344393f85e8a458
Instruction Fuzzy Hash: 62B19B75A0021A9FDF24DFA8DD85BAE3BB5FB48314F154229FA15AB2D0DB34E940CB50

Function 00C75A1B Relevance: 33.4, APIs: 18, Strings: 1, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00C75A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00C75A40
SetWindowTextW.USER32(?,?), ref: 00C75A57
GetDlgItem.USER32(?,000003EA), ref: 00C75A6C
SetWindowTextW.USER32(00000000,?), ref: 00C75A72
GetDlgItem.USER32(?,000003E9), ref: 00C75A82
SetWindowTextW.USER32(00000000,?), ref: 00C75A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00C75AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00C75AC3
GetWindowRect.USER32(?,?), ref: 00C75ACC
_wcslen.LIBCMT ref: 00C75B33
SetWindowTextW.USER32(?,?), ref: 00C75B6F
GetDesktopWindow.USER32 ref: 00C75B75
GetWindowRect.USER32(00000000), ref: 00C75B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00C75BD3
GetClientRect.USER32(?,?), ref: 00C75BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00C75C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00C75C2F

Strings

@U=u, xrefs: 00C75A40

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID: @U=u
API String ID: 895679908-2594219639
Opcode ID: 5081271993cbc065a35dc6ec66285121f8a6a0d1117831e3be27de50ae1670fa
Instruction ID: 629b699b4e3e19c9c5b2598afc6c9c9c3cfd6a60f0df3b77c742de448ce3e4a7
Opcode Fuzzy Hash: 5081271993cbc065a35dc6ec66285121f8a6a0d1117831e3be27de50ae1670fa
Instruction Fuzzy Hash: 1B718131900B09AFDB20DFA9CE85BAEBBF5FF48704F104918E556A35A0D7B5EA44CB50

Function 00CA091E Relevance: 31.9, APIs: 6, Strings: 12, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00CA09C6
_wcslen.LIBCMT ref: 00CA0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00CA0A54
_wcslen.LIBCMT ref: 00CA0A8A
_wcslen.LIBCMT ref: 00CA0B06
_wcslen.LIBCMT ref: 00CA0B81

Part of subcall function 00C2F9F2: _wcslen.LIBCMT ref: 00C2F9FD

Part of subcall function 00C72BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00C72BFA

Strings

CHECK, xrefs: 00CA0A85, 00CA0AA0
SELECT, xrefs: 00CA0D11
UNCHECK, xrefs: 00CA0D3E
GETTEXT, xrefs: 00CA0C97
EXPAND, xrefs: 00CA0BF8
EXISTS, xrefs: 00CA0B7C, 00CA0B97
GETITEMCOUNT, xrefs: 00CA0C1E
@U=u, xrefs: 00CA0A54
COLLAPSE, xrefs: 00CA0B01, 00CA0B1C
ISCHECKED, xrefs: 00CA0CE1
GETSELECTED, xrefs: 00CA0C4E
GETTOTALCOUNT, xrefs: 00CA09F2, 00CA0A17

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: @U=u$CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-383632319
Opcode ID: 02787938357308798475753ab6d8d9cc38043b05b44ca0f5edcfa98d1b81755f
Instruction ID: 93c145f0e6eb6e7cc42f9fee53d24bd75a92f64f1bd70dd73ff55337d7f67e74
Opcode Fuzzy Hash: 02787938357308798475753ab6d8d9cc38043b05b44ca0f5edcfa98d1b81755f
Instruction Fuzzy Hash: C8E1B0312083028FC714DF25C45096AB7E2FF9A358F248A5DF8A69B362D731EE45DB81

Function 00C70D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C710F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C71114
Part of subcall function 00C710F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00C70B9B,?,?,?), ref: 00C71120
Part of subcall function 00C710F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00C70B9B,?,?,?), ref: 00C7112F
Part of subcall function 00C710F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00C70B9B,?,?,?), ref: 00C71136
Part of subcall function 00C710F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C7114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00C70DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00C70E29
GetLengthSid.ADVAPI32(?), ref: 00C70E40
GetAce.ADVAPI32(?,00000000,?), ref: 00C70E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00C70E96
GetLengthSid.ADVAPI32(?), ref: 00C70EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00C70EB5
HeapAlloc.KERNEL32(00000000), ref: 00C70EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00C70EDD
CopySid.ADVAPI32(00000000), ref: 00C70EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00C70F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00C70F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00C70F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C70F6E
HeapFree.KERNEL32(00000000), ref: 00C70F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C70F7E
HeapFree.KERNEL32(00000000), ref: 00C70F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C70F8E
HeapFree.KERNEL32(00000000), ref: 00C70F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00C70FA1
HeapFree.KERNEL32(00000000), ref: 00C70FA8

Part of subcall function 00C71193: GetProcessHeap.KERNEL32(00000008,00C70BB1,?,00000000,?,00C70BB1,?), ref: 00C711A1
Part of subcall function 00C71193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00C70BB1,?), ref: 00C711A8
Part of subcall function 00C71193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00C70BB1,?), ref: 00C711B7

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 7f5bb584b72fef82ec10573a069492f0917c533908a339dc98a5c02ca1ac5fcc
Instruction ID: 2844660dddd7b29a36d6e20d3af79d3c051397fe4af869a22a18e3fa1760dd32
Opcode Fuzzy Hash: 7f5bb584b72fef82ec10573a069492f0917c533908a339dc98a5c02ca1ac5fcc
Instruction Fuzzy Hash: E2715B72A0020AEBDF20DFA4DC85FAEBBB8BF05304F148115F969E7191D7719A15CB60

Function 00CA833C Relevance: 31.7, APIs: 14, Strings: 4, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00CA835A
_wcslen.LIBCMT ref: 00CA836E
_wcslen.LIBCMT ref: 00CA8391
_wcslen.LIBCMT ref: 00CA83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00CA83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00CA361A,?), ref: 00CA844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00CA8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00CA84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00CA8501
FreeLibrary.KERNEL32(?), ref: 00CA850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00CA851D
DestroyIcon.USER32(?), ref: 00CA852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00CA8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00CA8555

Strings

.exe, xrefs: 00CA8388
@U=u, xrefs: 00CA8535
.dll, xrefs: 00CA83AB
.icl, xrefs: 00CA8368

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl$@U=u
API String ID: 799131459-1639919054
Opcode ID: 591b6666dbd1993e9106271b20b004e3d433ad4220c5ab75c0912026f7e9f756
Instruction ID: 320cb0206bb972ff8fbc0009d0e9566b97cb1d4d7336b6c1928f58978f05b749
Opcode Fuzzy Hash: 591b6666dbd1993e9106271b20b004e3d433ad4220c5ab75c0912026f7e9f756
Instruction Fuzzy Hash: 9B61027190020ABFEB14DF64CC85BBE77ACBF0A724F104609F825D61D0EB74AA84D7A0

Function 00C9C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C9C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,00CACC08,00000000,?,00000000,?,?), ref: 00C9C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00C9C5A4
_wcslen.LIBCMT ref: 00C9C5F4
_wcslen.LIBCMT ref: 00C9C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00C9C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00C9C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00C9C84D
RegCloseKey.ADVAPI32(?), ref: 00C9C881
RegCloseKey.ADVAPI32(00000000), ref: 00C9C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00C9C960

Strings

REG_QWORD, xrefs: 00C9C8C3
REG_SZ, xrefs: 00C9C644
REG_BINARY, xrefs: 00C9C913
REG_EXPAND_SZ, xrefs: 00C9C5CD
REG_DWORD, xrefs: 00C9C804
REG_MULTI_SZ, xrefs: 00C9C6F5

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: d784fd5589d16d8eeabd5f5d9e2f09f90f878eb0d287113db69b2a9d8d902a52
Instruction ID: aef9daaf552421f2b8e7ee10ab3f11d36551ef1073dbe0d3a4f0dc8ee3c0c4df
Opcode Fuzzy Hash: d784fd5589d16d8eeabd5f5d9e2f09f90f878eb0d287113db69b2a9d8d902a52
Instruction Fuzzy Hash: EC1278312042019FDB14DF14C895B6AB7E5EF89714F05899CF89A9B3A2DB31FD41EB81

Function 00C9C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C9B6AE,?,?), ref: 00C9C9B5
_wcslen.LIBCMT ref: 00C9C9F1
_wcslen.LIBCMT ref: 00C9CA68
_wcslen.LIBCMT ref: 00C9CA9E
_wcslen.LIBCMT ref: 00C9CAF9
_wcslen.LIBCMT ref: 00C9CB2F
_wcslen.LIBCMT ref: 00C9CB7F

Strings

HKEY_CURRENT_CONFIG, xrefs: 00C9CB79, 00C9CB7E
HKEY_CLASSES_ROOT, xrefs: 00C9CAF3, 00C9CAF8
HKCR, xrefs: 00C9CB29, 00C9CB2E
HKU, xrefs: 00C9CBF0
HKEY_LOCAL_MACHINE, xrefs: 00C9CA62, 00C9CA67
HKLM, xrefs: 00C9CA98, 00C9CA9D
HKEY_USERS, xrefs: 00C9CBDF
HKEY_CURRENT_USER, xrefs: 00C9CBBD
HKCC, xrefs: 00C9CBAC
HKCU, xrefs: 00C9CBCE

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: f59425fb1c330587880c34c170adf3104843c9871ec1bef43117db06200bb7f9
Instruction ID: efce02abb90c35067623be1112106340a05f58c833c9bb3c8481aa2313e101af
Opcode Fuzzy Hash: f59425fb1c330587880c34c170adf3104843c9871ec1bef43117db06200bb7f9
Instruction Fuzzy Hash: DA71053260016A8BCF20DE78CDD56BE3395AB61764F150629F87697284FA30CF81E3A0

Function 00C17778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#notrayicon, xrefs: 00C177E7
#include, xrefs: 00C17847
#ce, xrefs: 00C178ED
#pragma compile, xrefs: 00C177D3
#requireadmin, xrefs: 00C177FF
Unterminated group of comments, xrefs: 00C5528C
#cs, xrefs: 00C17873, 00C178C5
Cannot parse #include, xrefs: 00C55279
#comments-end, xrefs: 00C178D9
#include-once, xrefs: 00C1782F
', xrefs: 00C55169
#comments-start, xrefs: 00C1785F, 00C178B1
Bad directive syntax error, xrefs: 00C5519A
", xrefs: 00C55153
#OnAutoItStartRegister, xrefs: 00C17817

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: daa0ad6138bfe365d8afb4ee34c696efad5ee39ed430f1db22fb7080baaf71f6
Instruction ID: df10d9ed2b38cd7402120ea73c2faa75a8f3f6ca9b364e49252391cd844681c5
Opcode Fuzzy Hash: daa0ad6138bfe365d8afb4ee34c696efad5ee39ed430f1db22fb7080baaf71f6
Instruction Fuzzy Hash: 6F810575600605ABDB21AF61DC52FEF3BB8AF16304F044024FD05AA2D2EB70DA95E7E5

Function 00CA856F Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00CA8592
GetFileSize.KERNEL32(00000000,00000000), ref: 00CA85A2
GlobalAlloc.KERNEL32(00000002,00000000), ref: 00CA85AD
CloseHandle.KERNEL32(00000000), ref: 00CA85BA
GlobalLock.KERNEL32(00000000), ref: 00CA85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00CA85D7
GlobalUnlock.KERNEL32(00000000), ref: 00CA85E0
CloseHandle.KERNEL32(00000000), ref: 00CA85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00CA85F8
OleLoadPicture.OLEAUT32(?,00000000,00000000,00CAFC38,?), ref: 00CA8611
GlobalFree.KERNEL32(00000000), ref: 00CA8621
GetObjectW.GDI32(?,00000018,000000FF), ref: 00CA8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00CA8671
DeleteObject.GDI32(00000000), ref: 00CA8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00CA86AF

Strings

@U=u, xrefs: 00CA86AF

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID: @U=u
API String ID: 3840717409-2594219639
Opcode ID: cc9cf16b65e88e12cd5b2e3fd1d7c28602beecd6a3ff87cd97549ca9c752a4e6
Instruction ID: 1ffe2f0452f7b42b5dd65a8ca35e6a6f798675042cb268a55b37665f26dcac73
Opcode Fuzzy Hash: cc9cf16b65e88e12cd5b2e3fd1d7c28602beecd6a3ff87cd97549ca9c752a4e6
Instruction Fuzzy Hash: 02410775600209AFDB119FA5CC88FAE7BB8FF8AB19F104159F915E7260DB309A05CB60

Function 00C300C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00C300C6

Part of subcall function 00C300ED: InitializeCriticalSectionAndSpinCount.KERNEL32(00CE070C,00000FA0,9EFDF135,?,?,?,?,00C523B3,000000FF), ref: 00C3011C
Part of subcall function 00C300ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00C523B3,000000FF), ref: 00C30127
Part of subcall function 00C300ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00C523B3,000000FF), ref: 00C30138
Part of subcall function 00C300ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00C3014E
Part of subcall function 00C300ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00C3015C
Part of subcall function 00C300ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00C3016A
Part of subcall function 00C300ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00C30195
Part of subcall function 00C300ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00C301A0

___scrt_fastfail.LIBCMT ref: 00C300E7

Part of subcall function 00C300A3: __onexit.LIBCMT ref: 00C300A9

Strings

kernel32.dll, xrefs: 00C30133
WakeAllConditionVariable, xrefs: 00C30162
SleepConditionVariableCS, xrefs: 00C30154
InitializeConditionVariable, xrefs: 00C30148
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00C30122

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: deb592b73c740bcc8cad521f44a0488b0b979e3ab8237a63cee572e48e46b0a6
Instruction ID: dc6ece1f8418497ab6f2270070478a26bf25bcb62cdbdf7eb51f258f83a26e2c
Opcode Fuzzy Hash: deb592b73c740bcc8cad521f44a0488b0b979e3ab8237a63cee572e48e46b0a6
Instruction Fuzzy Hash: C2213833A507116FE7216FE4AC96B2E33E4EB06B65F20013EF901E7691DFB09C008A90

Function 00C730F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00C7318D
_wcslen.LIBCMT ref: 00C731F8

Strings

CLASS, xrefs: 00C73188, 00C731A5
REGEXPCLASS, xrefs: 00C73255, 00C73266
TEXT, xrefs: 00C7347C
NAME, xrefs: 00C73335, 00C73346
INSTANCE, xrefs: 00C73453
CLASSNN, xrefs: 00C731F3, 00C73204

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 63ac9a01d1657a3ad7ca3453fe000aadcec2d504ba2169d874b1a502bfd9a511
Instruction ID: 4fc390fe69ecf2fc44b4c771d03ba099afea422f4986e1818d7e50e6a679c811
Opcode Fuzzy Hash: 63ac9a01d1657a3ad7ca3453fe000aadcec2d504ba2169d874b1a502bfd9a511
Instruction Fuzzy Hash: 02E1F632A00556ABCB18DF78C8517EEBBB4BF44710F54C12AE46AB7240DB30AF85B790

Function 00C844C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,00CACC08), ref: 00C84527
_wcslen.LIBCMT ref: 00C8453B
_wcslen.LIBCMT ref: 00C84599
_wcslen.LIBCMT ref: 00C845F4
_wcslen.LIBCMT ref: 00C8463F
_wcslen.LIBCMT ref: 00C846A7

Part of subcall function 00C2F9F2: _wcslen.LIBCMT ref: 00C2F9FD

GetDriveTypeW.KERNEL32(?,00CD6BF0,00000061), ref: 00C84743

Strings

cdrom, xrefs: 00C8458F, 00C84594
removable, xrefs: 00C845EA, 00C845EF
ramdisk, xrefs: 00C846F1
all, xrefs: 00C84531, 00C84536
fixed, xrefs: 00C84635, 00C8463A
network, xrefs: 00C8469D, 00C846A2
unknown, xrefs: 00C84708

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: db74fe15780fa5ed619ab20b41e6db826be47000b2055c2ac5ffb17d4b3502fe
Instruction ID: f6ab543bb81330903e82af0acdbcee9e7f7bde532b73e82030ea571f59842830
Opcode Fuzzy Hash: db74fe15780fa5ed619ab20b41e6db826be47000b2055c2ac5ffb17d4b3502fe
Instruction Fuzzy Hash: F7B126716083039FC718EF28C890A6EB7E5BFA6728F50491DF4A6C7291E730D944DB96

Function 00CA6CD9 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00CA6DEB

Part of subcall function 00C16B57: _wcslen.LIBCMT ref: 00C16B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00CA6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00CA6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00CA6E94
DestroyWindow.USER32(?), ref: 00CA6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00C10000,00000000), ref: 00CA6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00CA6EFD
GetDesktopWindow.USER32 ref: 00CA6F16
GetWindowRect.USER32(00000000), ref: 00CA6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00CA6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00CA6F4D

Part of subcall function 00C29944: GetWindowLongW.USER32(?,000000EB), ref: 00C29952

Strings

tooltips_class32, xrefs: 00CA6E58, 00CA6EDD
@U=u, xrefs: 00CA6E81, 00CA6E94, 00CA6EFD, 00CA6F27
0, xrefs: 00CA6D98

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$@U=u$tooltips_class32
API String ID: 2429346358-1130792468
Opcode ID: e5eb1bb84b3a6f2eb479b38a84bf083fac208f66559ab0e6697f179613b62cde
Instruction ID: d86adaad1d91b6df57930090250a799a0e0131a6fd329c620001859ce7f620d9
Opcode Fuzzy Hash: e5eb1bb84b3a6f2eb479b38a84bf083fac208f66559ab0e6697f179613b62cde
Instruction Fuzzy Hash: 45715874144245AFDB21CF58DC84FAABBE9FB8A308F08051EF999872A1C771AA45DB11

Function 00CA911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00C29BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C29BB2

DragQueryPoint.SHELL32(?,?), ref: 00CA9147

Part of subcall function 00CA7674: ClientToScreen.USER32(?,?), ref: 00CA769A
Part of subcall function 00CA7674: GetWindowRect.USER32(?,?), ref: 00CA7710
Part of subcall function 00CA7674: PtInRect.USER32(?,?,00CA8B89), ref: 00CA7720

SendMessageW.USER32(?,000000B0,?,?), ref: 00CA91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00CA91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00CA91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00CA9225
SendMessageW.USER32(?,000000B0,?,?), ref: 00CA923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00CA9255
SendMessageW.USER32(?,000000B1,?,?), ref: 00CA9277
DragFinish.SHELL32(?), ref: 00CA927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00CA9371

Strings

@GUI_DRAGFILE, xrefs: 00CA9320
@GUI_DRAGID, xrefs: 00CA92E9
@U=u, xrefs: 00CA91B0, 00CA9225, 00CA923E, 00CA9255, 00CA9277
@GUI_DROPID, xrefs: 00CA929E

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$@U=u
API String ID: 221274066-762882726
Opcode ID: 3eab43e114240217e93f5e1db1356bc478af007ac0dd7a030a7f0a74c23b910b
Instruction ID: f340fa3b9d9a7f562813b4643dafe99d0cdad8092e4324f0a27b49054e7c89a0
Opcode Fuzzy Hash: 3eab43e114240217e93f5e1db1356bc478af007ac0dd7a030a7f0a74c23b910b
Instruction Fuzzy Hash: 32617F71108301AFD701DF94DC95EAFBBE8EF8A754F00091EF595931A1DB309A45DB52

Function 00C9AFF9 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00C9B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00C9B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00C9B1D4
_wcslen.LIBCMT ref: 00C9B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00C9B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00C9B236
_wcslen.LIBCMT ref: 00C9B332

Part of subcall function 00C805A7: GetStdHandle.KERNEL32(000000F6), ref: 00C805C6

_wcslen.LIBCMT ref: 00C9B34B
_wcslen.LIBCMT ref: 00C9B366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00C9B3B6
GetLastError.KERNEL32(00000000), ref: 00C9B407
CloseHandle.KERNEL32(?), ref: 00C9B439
CloseHandle.KERNEL32(00000000), ref: 00C9B44A
CloseHandle.KERNEL32(00000000), ref: 00C9B45C
CloseHandle.KERNEL32(00000000), ref: 00C9B46E
CloseHandle.KERNEL32(?), ref: 00C9B4E3

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: b9832e6edc69ea4e32fa00033133515e4d7b5d789ba4f28f0614f21705f60abf
Instruction ID: b5a8aa7ba803b0b4d8a8e503a6206523dae2da3d936dcf593ce183da7a799fde
Opcode Fuzzy Hash: b9832e6edc69ea4e32fa00033133515e4d7b5d789ba4f28f0614f21705f60abf
Instruction Fuzzy Hash: 73F1CC31608300AFCB14EF24D995B6EBBE1BF86314F14855DF8998B2A2DB30ED45DB52

Function 00C1326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00CE1990), ref: 00C52F8D
GetMenuItemCount.USER32(00CE1990), ref: 00C5303D
GetCursorPos.USER32(?), ref: 00C53081
SetForegroundWindow.USER32(00000000), ref: 00C5308A
TrackPopupMenuEx.USER32(00CE1990,00000000,?,00000000,00000000,00000000), ref: 00C5309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00C530A9

Strings

0, xrefs: 00C1327D

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 0626926988ad1f1c1d2ea2b0d1821e137d7cf6f6c422979175946080b4506aa8
Instruction ID: f8d78dd76491d8501dbe58242d26f9e13917a574817d6b82d396b8e455f29db4
Opcode Fuzzy Hash: 0626926988ad1f1c1d2ea2b0d1821e137d7cf6f6c422979175946080b4506aa8
Instruction Fuzzy Hash: F5716E34600255BEEB21DF64DC89F9EBFA4FF02368F204206F924661E1C7B1AE94E754

Function 00C8C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00C8C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00C8C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00C8C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00C8C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00C8C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00C8C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00C8C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00C8C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00C8C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00C8C5F0
InternetCloseHandle.WININET(00000000), ref: 00C8C5FB

Strings

, xrefs: 00C8C575

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 33b3c52a32e8c866b7b33777e47b1a5cea4066f15159bca8be76418d4d8c1ce6
Instruction ID: 6ad501ce9e8873a833ac2a1e92689d190feff01f6e4a2d812fc46e7d1921f50a
Opcode Fuzzy Hash: 33b3c52a32e8c866b7b33777e47b1a5cea4066f15159bca8be76418d4d8c1ce6
Instruction Fuzzy Hash: 6C513BB1500608BFDB21AF61C9C8BBB7BBCEB09758F004419F955D7650DB34EA44AB74

Function 00C814BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00C81502
VariantCopy.OLEAUT32(?,?), ref: 00C8150B
VariantClear.OLEAUT32(?), ref: 00C81517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00C815FB
VarR8FromDec.OLEAUT32(?,?), ref: 00C81657
VariantInit.OLEAUT32(?), ref: 00C81708
SysFreeString.OLEAUT32(?), ref: 00C8178C
VariantClear.OLEAUT32(?), ref: 00C817D8
VariantClear.OLEAUT32(?), ref: 00C817E7
VariantInit.OLEAUT32(00000000), ref: 00C81823

Strings

Default, xrefs: 00C816AF
%4d%02d%02d%02d%02d%02d, xrefs: 00C81625

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: a9f60f3aa3bc3d6a85b405d7e03cb1269d91a74b6416e02e6fc6d5ed2f0ea6dd
Instruction ID: 578080c336b441c3062679b0290ddfb760ce8036f2f7355a43fa7e383d430df2
Opcode Fuzzy Hash: a9f60f3aa3bc3d6a85b405d7e03cb1269d91a74b6416e02e6fc6d5ed2f0ea6dd
Instruction Fuzzy Hash: A6D10531600119DBDB10AF66E885B7DB7F9BF46708F18806AFC46AB580DB30DD42EB65

Function 00C9B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00C19CB3: _wcslen.LIBCMT ref: 00C19CBD

Part of subcall function 00C9C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C9B6AE,?,?), ref: 00C9C9B5
Part of subcall function 00C9C998: _wcslen.LIBCMT ref: 00C9C9F1
Part of subcall function 00C9C998: _wcslen.LIBCMT ref: 00C9CA68
Part of subcall function 00C9C998: _wcslen.LIBCMT ref: 00C9CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C9B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00C9B772
RegDeleteValueW.ADVAPI32(?,?), ref: 00C9B80A
RegCloseKey.ADVAPI32(?), ref: 00C9B87E
RegCloseKey.ADVAPI32(?), ref: 00C9B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 00C9B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00C9B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 00C9B922
FreeLibrary.KERNEL32(00000000), ref: 00C9B983
RegCloseKey.ADVAPI32(00000000), ref: 00C9B994

Strings

RegDeleteKeyExW, xrefs: 00C9B8FE
advapi32.dll, xrefs: 00C9B8ED

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 84f954c0553f23750e674cfe74e9e1b025764a25bffaaf0199cbb780552fcb8e
Instruction ID: 7dbafb7a622aa88fc536aa8fcf835baf4d861a4881fcad9d2c8b205f85bc94fd
Opcode Fuzzy Hash: 84f954c0553f23750e674cfe74e9e1b025764a25bffaaf0199cbb780552fcb8e
Instruction Fuzzy Hash: E5C19E30204201AFDB10DF14D598F2ABBE5FF85308F15859CF5AA4B2A2CB71ED86DB91

Function 00CA541D Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00CA5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00CA5515
CharNextW.USER32(00000158), ref: 00CA5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00CA5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00CA559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00CA55AC

Strings

@U=u, xrefs: 00CA5504, 00CA5515, 00CA554A, 00CA55C9, 00CA562B, 00CA5816

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: MessageSend$CharNext
String ID: @U=u
API String ID: 1350042424-2594219639
Opcode ID: a350eff7a0b8690eea8a47f783445c3ca02c8bf74f50abff32c2d342338b1e3f
Instruction ID: 98758c65d8e06e5ad5483114f2a9b277d7ca06fc5aa90e10e1f631f99587f384
Opcode Fuzzy Hash: a350eff7a0b8690eea8a47f783445c3ca02c8bf74f50abff32c2d342338b1e3f
Instruction Fuzzy Hash: A461727190060AEBDF10CFA5CC84AFE7BB9EB0B728F148145F9259B290D7748A81DB60

Function 00C9255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00C925D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00C925E8
CreateCompatibleDC.GDI32(?), ref: 00C925F4
SelectObject.GDI32(00000000,?), ref: 00C92601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00C9266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00C926AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00C926D0
SelectObject.GDI32(?,?), ref: 00C926D8
DeleteObject.GDI32(?), ref: 00C926E1
DeleteDC.GDI32(?), ref: 00C926E8
ReleaseDC.USER32(00000000,?), ref: 00C926F3

Strings

(, xrefs: 00C9268D

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 4821fa0a964e9d8f684e3c0c4c78483c2b450d37335a105fedf57165359243de
Instruction ID: 60dda1baba4a847382234595482497a9e7cb0f4389b0a6071f432e4d452fbadd
Opcode Fuzzy Hash: 4821fa0a964e9d8f684e3c0c4c78483c2b450d37335a105fedf57165359243de
Instruction Fuzzy Hash: 6061E475E00219EFCF05CFA4D984AAEBBF5FF48314F208529E955A7250D770A941DF90

Function 00C7E6B0 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00C7E6B4

Part of subcall function 00C2E551: timeGetTime.WINMM(?,?,00C7E6D4), ref: 00C2E555

Sleep.KERNEL32(0000000A), ref: 00C7E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 00C7E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00C7E727
SetActiveWindow.USER32 ref: 00C7E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00C7E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 00C7E773
Sleep.KERNEL32(000000FA), ref: 00C7E77E
IsWindow.USER32 ref: 00C7E78A
EndDialog.USER32(00000000), ref: 00C7E79B

Strings

BUTTON, xrefs: 00C7E719
@U=u, xrefs: 00C7E754, 00C7E773

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: @U=u$BUTTON
API String ID: 1194449130-2582809321
Opcode ID: 8a54efd2d907f33047ea16b0b064b2578400f35fe1fe094da5b3de1a18dec356
Instruction ID: 2a3e38cae76345f5b234d2deb4d795bcd7507f94f76381b4705683ee6376d165
Opcode Fuzzy Hash: 8a54efd2d907f33047ea16b0b064b2578400f35fe1fe094da5b3de1a18dec356
Instruction Fuzzy Hash: D1218172200685AFEB009F64ECC9B2D3B6DF75A34DB109465F919C61B1DBB1AD10AB24

Function 00C4DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00C4DAA1

Part of subcall function 00C4D63C: _free.LIBCMT ref: 00C4D659
Part of subcall function 00C4D63C: _free.LIBCMT ref: 00C4D66B
Part of subcall function 00C4D63C: _free.LIBCMT ref: 00C4D67D
Part of subcall function 00C4D63C: _free.LIBCMT ref: 00C4D68F
Part of subcall function 00C4D63C: _free.LIBCMT ref: 00C4D6A1
Part of subcall function 00C4D63C: _free.LIBCMT ref: 00C4D6B3
Part of subcall function 00C4D63C: _free.LIBCMT ref: 00C4D6C5
Part of subcall function 00C4D63C: _free.LIBCMT ref: 00C4D6D7
Part of subcall function 00C4D63C: _free.LIBCMT ref: 00C4D6E9
Part of subcall function 00C4D63C: _free.LIBCMT ref: 00C4D6FB
Part of subcall function 00C4D63C: _free.LIBCMT ref: 00C4D70D
Part of subcall function 00C4D63C: _free.LIBCMT ref: 00C4D71F
Part of subcall function 00C4D63C: _free.LIBCMT ref: 00C4D731

_free.LIBCMT ref: 00C4DA96

Part of subcall function 00C429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00C4D7D1,00000000,00000000,00000000,00000000,?,00C4D7F8,00000000,00000007,00000000,?,00C4DBF5,00000000), ref: 00C429DE
Part of subcall function 00C429C8: GetLastError.KERNEL32(00000000,?,00C4D7D1,00000000,00000000,00000000,00000000,?,00C4D7F8,00000000,00000007,00000000,?,00C4DBF5,00000000,00000000), ref: 00C429F0

_free.LIBCMT ref: 00C4DAB8
_free.LIBCMT ref: 00C4DACD
_free.LIBCMT ref: 00C4DAD8
_free.LIBCMT ref: 00C4DAFA
_free.LIBCMT ref: 00C4DB0D
_free.LIBCMT ref: 00C4DB1B
_free.LIBCMT ref: 00C4DB26
_free.LIBCMT ref: 00C4DB5E
_free.LIBCMT ref: 00C4DB65
_free.LIBCMT ref: 00C4DB82
_free.LIBCMT ref: 00C4DB9A

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 7a586c190c7a38f96f4f0b8a1e4d92889406a6418c3f1f75c17357e2184dbbe4
Instruction ID: 6a6b1dbf659a48bfbfe750638e9b256610eef0ec29d6ebe81b2caf75d9e200dc
Opcode Fuzzy Hash: 7a586c190c7a38f96f4f0b8a1e4d92889406a6418c3f1f75c17357e2184dbbe4
Instruction Fuzzy Hash: A23170316047059FEB22BA39E846B5A77E9FF10310F55441AF46AD7291DF31EE80E720

Function 00C7365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00C7369C
_wcslen.LIBCMT ref: 00C736A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00C73797
GetClassNameW.USER32(?,?,00000400), ref: 00C7380C
GetDlgCtrlID.USER32(?), ref: 00C7385D
GetWindowRect.USER32(?,?), ref: 00C73882
GetParent.USER32(?), ref: 00C738A0
ScreenToClient.USER32(00000000), ref: 00C738A7
GetClassNameW.USER32(?,?,00000100), ref: 00C73921
GetWindowTextW.USER32(?,?,00000400), ref: 00C7395D

Strings

%s%u, xrefs: 00C73734

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 212ad9d4ef94725f2f15dc11627f7572663d611d24247f57b1a034da9c919a49
Instruction ID: c8fc642e309b90861957ddb370a27d14f283ea504a7f3fbac825ab68928e8970
Opcode Fuzzy Hash: 212ad9d4ef94725f2f15dc11627f7572663d611d24247f57b1a034da9c919a49
Instruction Fuzzy Hash: 0091BF71204646AFD719DF24C885BAAF7A8FF44354F00C629FAADD2190DB30EB45DBA1

Function 00C74954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00C74994
GetWindowTextW.USER32(?,?,00000400), ref: 00C749DA
_wcslen.LIBCMT ref: 00C749EB
CharUpperBuffW.USER32(?,00000000), ref: 00C749F7
_wcsstr.LIBVCRUNTIME ref: 00C74A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00C74A64
GetWindowTextW.USER32(?,?,00000400), ref: 00C74A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00C74AE6
GetClassNameW.USER32(?,?,00000400), ref: 00C74B20
GetWindowRect.USER32(?,?), ref: 00C74B8B

Strings

ThumbnailClass, xrefs: 00C74A6F, 00C74AF1

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: f3fda545cef709739035f171468c5c6e480d5980847bb3d79bfbfd68ae86569c
Instruction ID: e6ec6619e052fbc965b7fa7ed5db851164746e3ff46e20486ff06b0be274f062
Opcode Fuzzy Hash: f3fda545cef709739035f171468c5c6e480d5980847bb3d79bfbfd68ae86569c
Instruction Fuzzy Hash: 3791DE311042059FDB09DF14C985FAAB7E8FF84314F04C46AFD999A096EB30EE45DBA1

Function 00CA8D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C29BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C29BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00CA8D5A
GetFocus.USER32 ref: 00CA8D6A
GetDlgCtrlID.USER32(00000000), ref: 00CA8D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00CA8E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00CA8ECF
GetMenuItemCount.USER32(?), ref: 00CA8EEC
GetMenuItemID.USER32(?,00000000), ref: 00CA8EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00CA8F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00CA8F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00CA8FA1

Strings

0, xrefs: 00CA8E9F

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 333ec90029046f7128bbf6c88123d4794c713303e41453fe6c02dfdd4017593d
Instruction ID: 68bbc0b8dedad7e12538f47700ab01f451cb612ba018eb80804f8faed442975b
Opcode Fuzzy Hash: 333ec90029046f7128bbf6c88123d4794c713303e41453fe6c02dfdd4017593d
Instruction Fuzzy Hash: A481B0715083029FDB20CF64DC84AABBBE9FF8A358F04091DF99597291DB70DA08DB61

Function 00C9CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00C9CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00C9CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00C9CD48

Part of subcall function 00C9CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00C9CCAA
Part of subcall function 00C9CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00C9CCBD
Part of subcall function 00C9CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00C9CCCF
Part of subcall function 00C9CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00C9CD05
Part of subcall function 00C9CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00C9CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 00C9CCF3

Strings

RegDeleteKeyExW, xrefs: 00C9CCC9
advapi32.dll, xrefs: 00C9CCB8

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 6722d6172f1897dbd40edaefc16621697a5eaef7f66158883e1b421975253819
Instruction ID: a905bf10e1819524fcdea12ec4d076c2d4db75ed44ab4519549080ccba34fb3a
Opcode Fuzzy Hash: 6722d6172f1897dbd40edaefc16621697a5eaef7f66158883e1b421975253819
Instruction Fuzzy Hash: 33315A72A01129BBDB208B95DCCCFFFBB7CEF46754F000165E916E3240DA349A45AAA0

Function 00C7E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00C19CB3: _wcslen.LIBCMT ref: 00C19CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00C7EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00C7EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C7EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00C7EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00C7EAA7

Strings

play PlayMe wait, xrefs: 00C7EA91
alias PlayMe, xrefs: 00C7EA36
status PlayMe mode, xrefs: 00C7EA58
close PlayMe, xrefs: 00C7EA6E, 00C7EA9B
play PlayMe, xrefs: 00C7EAA2
open , xrefs: 00C7EA0C

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: ca4f23a76d418289fe5c36651e9316831f2e909b810548123d53036849237fe3
Instruction ID: a7c514e042fcbb74b104ea568616d60112e44c5bc082ac0512481c69173079a7
Opcode Fuzzy Hash: ca4f23a76d418289fe5c36651e9316831f2e909b810548123d53036849237fe3
Instruction Fuzzy Hash: 6111A331A9026979D720E7A1DC5AEFF6B7CFBD6B10F40043AB911A21D0EE701A45E5B0

Function 00C75CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00C75CE2
GetWindowRect.USER32(00000000,?), ref: 00C75CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00C75D59
GetDlgItem.USER32(?,00000002), ref: 00C75D69
GetWindowRect.USER32(00000000,?), ref: 00C75D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00C75DCF
GetDlgItem.USER32(?,000003E9), ref: 00C75DDD
GetWindowRect.USER32(00000000,?), ref: 00C75DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00C75E31
GetDlgItem.USER32(?,000003EA), ref: 00C75E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00C75E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00C75E67

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 345eae9145b27f7177b5678c9ae203741df98884f4669f71539e27a0cb0fedd2
Instruction ID: 7bf9606649955f02c433e94f2a2befbd22d74fcae37cf4c208012aa9e3fe7c3b
Opcode Fuzzy Hash: 345eae9145b27f7177b5678c9ae203741df98884f4669f71539e27a0cb0fedd2
Instruction Fuzzy Hash: 4751FCB1A00609AFDB18CF68DD89BAEBBB5FB48304F148129F919E7290D7709E04CB50

Function 00C28BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00C28F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00C28BE8,?,00000000,?,?,?,?,00C28BBA,00000000,?), ref: 00C28FC5

DestroyWindow.USER32(?), ref: 00C28C81
KillTimer.USER32(00000000,?,?,?,?,00C28BBA,00000000,?), ref: 00C28D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00C66973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00C28BBA,00000000,?), ref: 00C669A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00C28BBA,00000000,?), ref: 00C669B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00C28BBA,00000000), ref: 00C669D4
DeleteObject.GDI32(00000000), ref: 00C669E6

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 878d2236889c28def3ee0062efcce7198f7d29a820c5d6a395cb46c4ec2c65c8
Instruction ID: e275035b53e19a08f8c6f69369cb69bdfdb41530ead4e55965608bf09897142d
Opcode Fuzzy Hash: 878d2236889c28def3ee0062efcce7198f7d29a820c5d6a395cb46c4ec2c65c8
Instruction Fuzzy Hash: 1F61DE31102660DFCB319F15EA88B2DB7F1FB41316F18451CE4529B9A1CB35AEA8DF90

Function 00C29838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00C29944: GetWindowLongW.USER32(?,000000EB), ref: 00C29952

GetSysColor.USER32(0000000F), ref: 00C29862

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 74e8f57b13ea6391be7c2063f9e78262124b49dcac3a33a3daa460d5b5abd0eb
Instruction ID: c4b058898274c53da6d7692891be58e32671e8e4c34b0520e5c188438fd015d9
Opcode Fuzzy Hash: 74e8f57b13ea6391be7c2063f9e78262124b49dcac3a33a3daa460d5b5abd0eb
Instruction Fuzzy Hash: 42418031504650AFDB249F38AC88BBD3BA5EB17334F184655FAB68B2E1D7319D42DB10

Function 00CA50D4 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00CA5186
ShowWindow.USER32(?,00000000), ref: 00CA51C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 00CA51CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 00CA51D1

Part of subcall function 00CA6FBA: DeleteObject.GDI32(00000000), ref: 00CA6FE6

GetWindowLongW.USER32(?,000000F0), ref: 00CA520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00CA521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00CA524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00CA5287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00CA5296

Strings

@U=u, xrefs: 00CA5186

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID: @U=u
API String ID: 3210457359-2594219639
Opcode ID: ea77a5dadc6bd99591664282d6cbbfae2666edd0fefcfe043c58b792d637fdb7
Instruction ID: 257022bb51d67e7ad6a7fda3bfc195c9f1d1f9beaf852bbcb3ac91ae1dbcf73e
Opcode Fuzzy Hash: ea77a5dadc6bd99591664282d6cbbfae2666edd0fefcfe043c58b792d637fdb7
Instruction Fuzzy Hash: 0D519030A40A0ABEEF309F65DC49BEC3B65EB07329F14C111F625962E1C775AA90EB40

Function 00C28B06 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00C66890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00C668A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00C668B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00C668D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00C668F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00C28874,00000000,00000000,00000000,000000FF,00000000), ref: 00C66901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00C6691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00C28874,00000000,00000000,00000000,000000FF,00000000), ref: 00C6692D

Strings

@U=u, xrefs: 00C668F2, 00C6691E

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID: @U=u
API String ID: 1268354404-2594219639
Opcode ID: 645bf1a16091b128eb09ca0c0372c82b8946d83a9a5d1c6d9b72e49f9e244cef
Instruction ID: ab0e2f196258d975cdfcf8ac231eca985152ae88c91506de8539ec2a5750b0b0
Opcode Fuzzy Hash: 645bf1a16091b128eb09ca0c0372c82b8946d83a9a5d1c6d9b72e49f9e244cef
Instruction Fuzzy Hash: 6E519770A00209EFDB20CF25DC95FAE7BB5EB48764F10451CF922976A0DB70EA90DB50

Function 00C796E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,00C5F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00C79717
LoadStringW.USER32(00000000,?,00C5F7F8,00000001), ref: 00C79720

Part of subcall function 00C19CB3: _wcslen.LIBCMT ref: 00C19CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00C5F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00C79742
LoadStringW.USER32(00000000,?,00C5F7F8,00000001), ref: 00C79745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00C79866

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00C7984A
Line %d:, xrefs: 00C797A0
Line %d (File "%s"):, xrefs: 00C7978F
^ ERROR, xrefs: 00C797FB
Error: , xrefs: 00C7981D

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 2c2c2c56062f93d87da9bb568b76cbdf5976694b201222c65a0ec969324ca218
Instruction ID: 5df18d39f75666573171133f81256eeee682000752cd680f28badc681bb8546d
Opcode Fuzzy Hash: 2c2c2c56062f93d87da9bb568b76cbdf5976694b201222c65a0ec969324ca218
Instruction Fuzzy Hash: BA415371800109AADB04EBD0CD96EEE7778EF56344F504025F605720A1EB356F89EB61

Function 00C706DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00C16B57: _wcslen.LIBCMT ref: 00C16B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00C707A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00C707BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00C707DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00C70804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00C7082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00C70837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00C7083C

Strings

SOFTWARE\Classes\, xrefs: 00C7070E
\IPC$, xrefs: 00C70784
\CLSID, xrefs: 00C70724

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: b94a83fd571a687d4e8da71ac219e29798f64014874275ca99f4ccdb46c5273e
Instruction ID: 49098b4d2aa2fddd8ca0137db67d7b47b794ac9d87ad3d316560e9afd4556b4c
Opcode Fuzzy Hash: b94a83fd571a687d4e8da71ac219e29798f64014874275ca99f4ccdb46c5273e
Instruction Fuzzy Hash: 65413872C10228EBDF15EBA4DC95DEDB778FF05354F14412AE915A31A0EB30AE45EBA0

Function 00C87A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00C87AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00C87B8F
SHGetDesktopFolder.SHELL32(?), ref: 00C87BA3
CoCreateInstance.OLE32(00CAFD08,00000000,00000001,00CD6E6C,?), ref: 00C87BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00C87C74
CoTaskMemFree.OLE32(?,?), ref: 00C87CCC
SHBrowseForFolderW.SHELL32(?), ref: 00C87D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00C87D7A
CoTaskMemFree.OLE32(00000000), ref: 00C87D81
CoTaskMemFree.OLE32(00000000), ref: 00C87DD6
CoUninitialize.OLE32 ref: 00C87DDC

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: d8b3f63e5f26ae8f2289e619b83d7358fb1579d5250c0e5e12ed92926bd70c06
Instruction ID: 829813c51877d6e04293407057d96a755dfbbd91e56fec1fa819b45cb40fd5b0
Opcode Fuzzy Hash: d8b3f63e5f26ae8f2289e619b83d7358fb1579d5250c0e5e12ed92926bd70c06
Instruction Fuzzy Hash: EBC11C75A04109AFCB14DF64C888DAEBBF9FF49308B148599F8199B361D730EE81DB94

Function 00C6FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00C6FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 00C6FB08
VariantInit.OLEAUT32(?), ref: 00C6FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00C6FB3A
VariantCopy.OLEAUT32(?,?), ref: 00C6FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00C6FBA1
VariantClear.OLEAUT32(?), ref: 00C6FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 00C6FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00C6FBCC
VariantClear.OLEAUT32(?), ref: 00C6FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00C6FBE9

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 550fc13d046008b807ca374c59f412979889887474f0c90880871fc3192f7d67
Instruction ID: 7b0361a5a22df591040135abe1e9eac198323296b03818636a876129ef69d2b5
Opcode Fuzzy Hash: 550fc13d046008b807ca374c59f412979889887474f0c90880871fc3192f7d67
Instruction Fuzzy Hash: 04414175A002199FCB10DFA8D898AFDBBB9FF49344F008069E955A7261CB30A946DF94

Function 00C9055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00C905BC
inet_addr.WSOCK32(?), ref: 00C9061C
gethostbyname.WSOCK32(?), ref: 00C90628
IcmpCreateFile.IPHLPAPI ref: 00C90636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00C906C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00C906E5
IcmpCloseHandle.IPHLPAPI(?), ref: 00C907B9
WSACleanup.WSOCK32 ref: 00C907BF

Strings

Ping, xrefs: 00C90676

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: aa0b0a4cefeb3c960b0b6cf92009a0441dd01a239f16a0eba24895bfdf5a1bdd
Instruction ID: 659d987caf52861a2c086655fb19326dd19638c6189db6aef74a8f9165639b7e
Opcode Fuzzy Hash: aa0b0a4cefeb3c960b0b6cf92009a0441dd01a239f16a0eba24895bfdf5a1bdd
Instruction Fuzzy Hash: D5917C35604201AFDB20DF55D888F1ABBE0AF45328F2585A9F4698B6A2C730ED85CF91

Function 00C98CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00C98CF3

Part of subcall function 00C78E54: _wcslen.LIBCMT ref: 00C78E77

_wcslen.LIBCMT ref: 00C98D4E
_wcslen.LIBCMT ref: 00C98D9C
_wcslen.LIBCMT ref: 00C98DDC
_wcslen.LIBCMT ref: 00C98E6E

Strings

cdecl, xrefs: 00C98D48, 00C98D4D
winapi, xrefs: 00C98D96, 00C98D9B
stdcall, xrefs: 00C98DD6, 00C98DDB
none, xrefs: 00C98E65, 00C98E6A

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 4c4395deb71ac892af65ef6e9e1f1b88efa659c3e3243d18fd6a1095db3f4d37
Instruction ID: fcc99781b443433e0e62888ef2407a8ea24deaaa3865e157a68ed44b4b619980
Opcode Fuzzy Hash: 4c4395deb71ac892af65ef6e9e1f1b88efa659c3e3243d18fd6a1095db3f4d37
Instruction Fuzzy Hash: 2751C136A001169BCF14DF68C8549BEB3A5BF66720B204229F526E73C4EB35DE48D790

Function 00C9372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00C93774
CoUninitialize.OLE32 ref: 00C9377F
CoCreateInstance.OLE32(?,00000000,00000017,00CAFB78,?), ref: 00C937D9
IIDFromString.OLE32(?,?), ref: 00C9384C
VariantInit.OLEAUT32(?), ref: 00C938E4
VariantClear.OLEAUT32(?), ref: 00C93936

Strings

NULL Pointer assignment, xrefs: 00C9381E
Failed to create object, xrefs: 00C937E4, 00C9389A
Invalid parameter, xrefs: 00C93865

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: d169ef2183efe3937361648d6a0e10ea1e8f82368f4a36cb81156661c6c4316d
Instruction ID: 73cd9988ca55e7a141b21d747548fa6ce3e152b506b77e1cf6f7bb12eae4e49e
Opcode Fuzzy Hash: d169ef2183efe3937361648d6a0e10ea1e8f82368f4a36cb81156661c6c4316d
Instruction Fuzzy Hash: 1661CE70208341AFDB10DF54C88CB6ABBE8EF49714F10091AF9959B291D770EE48DB96

Function 00C15BEA Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00C15C7A

Part of subcall function 00C15D0A: GetClientRect.USER32(?,?), ref: 00C15D30
Part of subcall function 00C15D0A: GetWindowRect.USER32(?,?), ref: 00C15D71
Part of subcall function 00C15D0A: ScreenToClient.USER32(?,?), ref: 00C15D99

GetDC.USER32 ref: 00C546F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00C54708
SelectObject.GDI32(00000000,00000000), ref: 00C54716
SelectObject.GDI32(00000000,00000000), ref: 00C5472B
ReleaseDC.USER32(?,00000000), ref: 00C54733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00C547C4

Strings

U, xrefs: 00C54693
@U=u, xrefs: 00C54708

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: @U=u$U
API String ID: 4009187628-4110099822
Opcode ID: 8fdf0554f8a12b4da143b9e2180e1fda7e98058257ce33448ecc21c74935aaec
Instruction ID: 4278cf76160064294e5b95779ddeda37ba2f25251e521c6cd511628ad9d2a0cf
Opcode Fuzzy Hash: 8fdf0554f8a12b4da143b9e2180e1fda7e98058257ce33448ecc21c74935aaec
Instruction Fuzzy Hash: 9A71D239400205DFCF298F64C984BEA3BB1FF4A35AF144265FD655A1A6C73089D5EF50

Function 00CA8B02 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C29BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C29BB2

Part of subcall function 00C2912D: GetCursorPos.USER32(?), ref: 00C29141
Part of subcall function 00C2912D: ScreenToClient.USER32(00000000,?), ref: 00C2915E
Part of subcall function 00C2912D: GetAsyncKeyState.USER32(00000001), ref: 00C29183
Part of subcall function 00C2912D: GetAsyncKeyState.USER32(00000002), ref: 00C2919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00CA8B6B
ImageList_EndDrag.COMCTL32 ref: 00CA8B71
ReleaseCapture.USER32 ref: 00CA8B77
SetWindowTextW.USER32(?,00000000), ref: 00CA8C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00CA8C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00CA8CFF

Strings

@GUI_DRAGFILE, xrefs: 00CA8C9A
@U=u, xrefs: 00CA8C25
@GUI_DROPID, xrefs: 00CA8C51

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$@U=u
API String ID: 1924731296-2104563098
Opcode ID: 7f99083952cb92ce6476524ea588846268fbb53013b89fffd0ffecb952ff716a
Instruction ID: 7662064cce9d030325b3e2c67d781c811c42c19f4843cc37770c99a24ec77cf8
Opcode Fuzzy Hash: 7f99083952cb92ce6476524ea588846268fbb53013b89fffd0ffecb952ff716a
Instruction Fuzzy Hash: 97519A70204304AFD714DF14DC96BAE77E4FB8A718F000629F992972E2CB709A54DB62

Function 00C83388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00C833CF

Part of subcall function 00C19CB3: _wcslen.LIBCMT ref: 00C19CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00C833F0

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 00C83504
Incorrect parameters to object property !, xrefs: 00C834AB
Line %d (File "%s"):, xrefs: 00C83443, 00C8345C
Error: , xrefs: 00C834D1
^ ERROR , xrefs: 00C8349E
"%s" (%d) : ==> %s:, xrefs: 00C83522

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: cc2d0216a9fdd4e40f56f3bb186a984005a32289d12b5bcb28a32a0045e484d8
Instruction ID: 59c7ac9a7e28bf1e840823d4acd5e7437b9d81d964af3d4be3486d3fb9bf636f
Opcode Fuzzy Hash: cc2d0216a9fdd4e40f56f3bb186a984005a32289d12b5bcb28a32a0045e484d8
Instruction Fuzzy Hash: 8351AC71900249AADF14EBA0CD92EEEB778EF05744F144066F509721A2EB312F98FB60

Function 00C7B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00C7B5FC
_wcslen.LIBCMT ref: 00C7B608
_wcslen.LIBCMT ref: 00C7B64D
_wcslen.LIBCMT ref: 00C7B68C
_wcslen.LIBCMT ref: 00C7B6C7

Strings

KEYS, xrefs: 00C7B647, 00C7B64C
APPEND, xrefs: 00C7B6C1, 00C7B6C6
EXISTS, xrefs: 00C7B686, 00C7B68B
REMOVE, xrefs: 00C7B602, 00C7B607

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 64b1185641e179dfbdf143d03354c5dac93fa7ff5e90d2e9875b2b35278b73aa
Instruction ID: a95f5fa7ef181c713d1075588e4d0887c0d2fa84e0e593dfe9a41148ee55a2d4
Opcode Fuzzy Hash: 64b1185641e179dfbdf143d03354c5dac93fa7ff5e90d2e9875b2b35278b73aa
Instruction Fuzzy Hash: 9841D832A001269ACB146F7D88907BE77B5AF61764B258129F639D7284E735CE81C790

Function 00C85393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00C853A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00C85416
GetLastError.KERNEL32 ref: 00C85420
SetErrorMode.KERNEL32(00000000,READY), ref: 00C854A7

Strings

INVALID, xrefs: 00C85459
READY, xrefs: 00C85460, 00C85468
NOTREADY, xrefs: 00C8544B
READONLY, xrefs: 00C85452
UNKNOWN, xrefs: 00C85444

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 1c26a69b5c6433bfa66afe46abbbb63e362678460a011b17f42220aa5dbd954f
Instruction ID: 687e9efe11da535c230dd8b0acb7b2b9b87bbe2cf5d763936f6473c05653c412
Opcode Fuzzy Hash: 1c26a69b5c6433bfa66afe46abbbb63e362678460a011b17f42220aa5dbd954f
Instruction Fuzzy Hash: D231A375A006049FDB10EF68C484BAE7BF4EF85309F14806AE515CB392DBB1DE86DB90

Function 00CA3C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00CA3C79
SetMenu.USER32(?,00000000), ref: 00CA3C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00CA3D10
IsMenu.USER32(?), ref: 00CA3D24
CreatePopupMenu.USER32 ref: 00CA3D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00CA3D5B
DrawMenuBar.USER32 ref: 00CA3D63

Strings

F, xrefs: 00CA3D4E
0, xrefs: 00CA3C54

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: c89dec56ebc5cbd39ee45d1a5747405ddb136479c3b0d52b754f7a5482ed0a31
Instruction ID: d754f2b1a928512efc728393e9351a7100c0340ce9e21bd9e756bdc07ba05c66
Opcode Fuzzy Hash: c89dec56ebc5cbd39ee45d1a5747405ddb136479c3b0d52b754f7a5482ed0a31
Instruction Fuzzy Hash: FE418A75A0120AEFDB14CF64D898BEE7BB5FF4A358F140029F916A7360D730AA10DB90

Function 00CA2D03 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00CA2D1B
GetDC.USER32(00000000), ref: 00CA2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00CA2D2E
ReleaseDC.USER32(00000000,00000000), ref: 00CA2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00CA2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00CA2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00CA5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00CA2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00CA2DE1

Strings

@U=u, xrefs: 00CA2D87, 00CA2DE1

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID: @U=u
API String ID: 3864802216-2594219639
Opcode ID: a4a6a0c544bd4e8334224b536dac4192eed612231f7b1eb83db6214986056e62
Instruction ID: 0fb0b192d7fdc5515736e2de706bde06d2892b36f6b7261c6b4282221677862d
Opcode Fuzzy Hash: a4a6a0c544bd4e8334224b536dac4192eed612231f7b1eb83db6214986056e62
Instruction Fuzzy Hash: 6B314C72201224BFEB118F54CC8AFEB3BA9EF0A759F044055FE089B291D6759D51CBA4

Function 00C7209F Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00C720AB
GetClassNameW.USER32(00000000,?,00000100), ref: 00C720C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00C7214D

Strings

largeicons, xrefs: 00C720E1
details, xrefs: 00C720FB
list, xrefs: 00C7212F
@U=u, xrefs: 00C7214D
SHELLDLL_DefView, xrefs: 00C720CC
smallicons, xrefs: 00C72115

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: @U=u$SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-1428604138
Opcode ID: 5b6da6b951882f54b0f608cac06db99b046900c0e33308f9923cf85252afffc3
Instruction ID: f70d2c4c38da9a05c22cb591a716ef7f677d4ab40e34257519503ab6d94eb39a
Opcode Fuzzy Hash: 5b6da6b951882f54b0f608cac06db99b046900c0e33308f9923cf85252afffc3
Instruction Fuzzy Hash: E8112976688706BBF6056621DC0BEAE379CEB05324F608027FB09A51D1FE616D016614

Function 00CA3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00CA3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00CA3AA0
GetWindowLongW.USER32(?,000000F0), ref: 00CA3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00CA3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00CA3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00CA3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00CA3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00CA3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00CA3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00CA3C13

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: bb75d45a8a6bdf956c3db4fc7d36b1b578d5cd740d30422ce77cf7a7d2afb65c
Instruction ID: b24e242a5af7e021f4ed7bd53f76d647d5fc8e63795c0a2f53e22243eb3e5ed9
Opcode Fuzzy Hash: bb75d45a8a6bdf956c3db4fc7d36b1b578d5cd740d30422ce77cf7a7d2afb65c
Instruction Fuzzy Hash: 1E617D75900249AFDB10DFA4CC91FEE77B8EB0A718F140199FA15A7291C770AE41DB60

Function 00C7B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00C7B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00C7A1E1,?,00000001), ref: 00C7B165
GetWindowThreadProcessId.USER32(00000000), ref: 00C7B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00C7A1E1,?,00000001), ref: 00C7B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 00C7B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00C7A1E1,?,00000001), ref: 00C7B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00C7A1E1,?,00000001), ref: 00C7B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00C7A1E1,?,00000001), ref: 00C7B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00C7A1E1,?,00000001), ref: 00C7B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00C7A1E1,?,00000001), ref: 00C7B21D

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: a18eff551d593416754ad63eec5ab872c8bd661b45735e5905f3b072bafe3d73
Instruction ID: 00ed2143544123f13f93befdc49ca51ffb7a425a282f27cdf7b671a591a92c96
Opcode Fuzzy Hash: a18eff551d593416754ad63eec5ab872c8bd661b45735e5905f3b072bafe3d73
Instruction Fuzzy Hash: 4F318D75500248BFDB10DF64DCC8BAE7BAABB52365F108415FA29DB191D7B8AF408F60

Function 00C42C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00C42C94

Part of subcall function 00C429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00C4D7D1,00000000,00000000,00000000,00000000,?,00C4D7F8,00000000,00000007,00000000,?,00C4DBF5,00000000), ref: 00C429DE
Part of subcall function 00C429C8: GetLastError.KERNEL32(00000000,?,00C4D7D1,00000000,00000000,00000000,00000000,?,00C4D7F8,00000000,00000007,00000000,?,00C4DBF5,00000000,00000000), ref: 00C429F0

_free.LIBCMT ref: 00C42CA0
_free.LIBCMT ref: 00C42CAB
_free.LIBCMT ref: 00C42CB6
_free.LIBCMT ref: 00C42CC1
_free.LIBCMT ref: 00C42CCC
_free.LIBCMT ref: 00C42CD7
_free.LIBCMT ref: 00C42CE2
_free.LIBCMT ref: 00C42CED
_free.LIBCMT ref: 00C42CFB

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 207fdcf16463c1253bbb35480facc6dd79e20e2929c5767799fc778d761c133a
Instruction ID: 087b1d99bcd284e0be25c70e43f2be8ebe240f51b084850040c20506c9e4ff83
Opcode Fuzzy Hash: 207fdcf16463c1253bbb35480facc6dd79e20e2929c5767799fc778d761c133a
Instruction Fuzzy Hash: A511B376100108BFDB02EF95D883CDD3BA9FF15350F9144A5FA489F222DA31EE50AB90

Function 00C11410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00C11459
OleUninitialize.OLE32(?,00000000), ref: 00C114F8
UnregisterHotKey.USER32(?), ref: 00C116DD
DestroyWindow.USER32(?), ref: 00C524B9
FreeLibrary.KERNEL32(?), ref: 00C5251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00C5254B

Strings

close all, xrefs: 00C11454

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: ca2e33d0adfc61ae937d54cb9804189bb9eb6ae2d60c9b7f805ec5d9e23fb56b
Instruction ID: 7da344b8c766a0c4f43d7b9cc40758fc99ecfffd87bdd6359f57f2b3721dff44
Opcode Fuzzy Hash: ca2e33d0adfc61ae937d54cb9804189bb9eb6ae2d60c9b7f805ec5d9e23fb56b
Instruction Fuzzy Hash: 74D1BC35701222CFCB19EF15C495B69F7A0BF06700F1842ADE94A6B252DB30ED96EF54

Function 00C8359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00C835E4

Part of subcall function 00C19CB3: _wcslen.LIBCMT ref: 00C19CBD

LoadStringW.USER32(00CE2390,?,00000FFF,?), ref: 00C8360A

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 00C83724
Line %d (File "%s"):, xrefs: 00C8366B
^ ERROR, xrefs: 00C836C9
Error: , xrefs: 00C836EF
"%s" (%d) : ==> %s:, xrefs: 00C83742

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: b6075c30af473d36fc60474c8193c1b4d156517c77097cf03c9b20dee3c6a107
Instruction ID: 3d56f9a7c357d13eed1afdb36196e3a84f283064c5912e081cfbc445921151d9
Opcode Fuzzy Hash: b6075c30af473d36fc60474c8193c1b4d156517c77097cf03c9b20dee3c6a107
Instruction Fuzzy Hash: 2F517C71900249AADF14EBA0CD92EEEBB38EF05714F444125F615721A1EB306BD9FBA4

Function 00CA3886 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00CA3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00CA393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00CA3954
_wcslen.LIBCMT ref: 00CA3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 00CA39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00CA39F4

Strings

SysListView32, xrefs: 00CA38F7
@U=u, xrefs: 00CA3925, 00CA393A

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: @U=u$SysListView32
API String ID: 2147712094-1908207174
Opcode ID: e57a9233ab9ec466a4d47bf5eff094f7c74b375b426052c03bca376b1f26a274
Instruction ID: e2a71e6da2c224cc6d508aff93024528f8a43ac479ea660e99032ff33db5bc8a
Opcode Fuzzy Hash: e57a9233ab9ec466a4d47bf5eff094f7c74b375b426052c03bca376b1f26a274
Instruction Fuzzy Hash: F241C571A00259ABDF21DFA4CC45BEE77A9EF09358F100126F954E7281D7759E80CB90

Function 00CA2DFD Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00CA2E1C
GetWindowLongW.USER32(00000000,000000F0), ref: 00CA2E4F
GetWindowLongW.USER32(00000000,000000F0), ref: 00CA2E84
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00CA2EB6
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00CA2EE0
GetWindowLongW.USER32(00000000,000000F0), ref: 00CA2EF1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00CA2F0B

Strings

@U=u, xrefs: 00CA2E1C, 00CA2EB6, 00CA2EE0

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID: @U=u
API String ID: 2178440468-2594219639
Opcode ID: 22d297d87d376fba98b81619aee8c252aca06bc0b584464b4fbc64b17598e45f
Instruction ID: d9b30bedb621b1d4647a81da5e4fef2459cadffdda321c4c26ca688651948ae6
Opcode Fuzzy Hash: 22d297d87d376fba98b81619aee8c252aca06bc0b584464b4fbc64b17598e45f
Instruction Fuzzy Hash: 2C31E2306041A2AFDB21CF5CDCC4FA937E1EB4A729F190164F9118F2A2CB71AD90DB41

Function 00C8C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00C8C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00C8C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00C8C2CA
GetLastError.KERNEL32 ref: 00C8C322
SetEvent.KERNEL32(?), ref: 00C8C336
InternetCloseHandle.WININET(00000000), ref: 00C8C341

Strings

, xrefs: 00C8C2BB

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: ed741bc27f4c6564e2f885e80937a9beba1589095ce8c7123f0a41f1e70876a9
Instruction ID: acd80eeffbfb9ef2759b601fa84571b321e498aad94bbb7fe3f998e9e4e2d19e
Opcode Fuzzy Hash: ed741bc27f4c6564e2f885e80937a9beba1589095ce8c7123f0a41f1e70876a9
Instruction Fuzzy Hash: B1316BB1600608AFD721AFA598C8BAB7BFCEB4A748B10851EF456D3250DB34DE059B74

Function 00C7989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00C53AAF,?,?,Bad directive syntax error,00CACC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 00C798BC
LoadStringW.USER32(00000000,?,00C53AAF,?), ref: 00C798C3

Part of subcall function 00C19CB3: _wcslen.LIBCMT ref: 00C19CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00C79987

Strings

Error: , xrefs: 00C79955
Line %d:, xrefs: 00C79912
Line %d (File "%s"):, xrefs: 00C7992D
%s (%d) : ==> %s.: %s %s, xrefs: 00C798F1
., xrefs: 00C7996D

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: c47b05dae26b2c9af6842d4e9ab23098c721bb1bfbccb2b747df1e59e9c14d69
Instruction ID: 38c1c07f5a12a2dd4208094548cd5fcc4386e03a94e9abae452c7ffe74779806
Opcode Fuzzy Hash: c47b05dae26b2c9af6842d4e9ab23098c721bb1bfbccb2b747df1e59e9c14d69
Instruction Fuzzy Hash: 1B219F3194021EABDF11EF90CC56EEE7775FF19304F04446AF619620A2EB71A658FB50

Function 00C48D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd5e4556ebef24e971687e57ba6ca0e9ef2e18baf40945c86cee1270c33ca44c
Instruction ID: a2585ef04eb951dbbb6d72982fd4570435d36f54d3ab1c7e3340591c5d9ff7fc
Opcode Fuzzy Hash: bd5e4556ebef24e971687e57ba6ca0e9ef2e18baf40945c86cee1270c33ca44c
Instruction Fuzzy Hash: 4AC1E074D04259AFDB11DFA9D881BAEBBB0BF0D310F144099F824AB392C7758A46CB61

Function 00C4CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00C4CEB7
_free.LIBCMT ref: 00C4CF22
_free.LIBCMT ref: 00C4CF48
_free.LIBCMT ref: 00C4CF71
_free.LIBCMT ref: 00C4CFA9
_free.LIBCMT ref: 00C4CFDA
_free.LIBCMT ref: 00C4D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 00C4D09C
_free.LIBCMT ref: 00C4D0B5

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 40546c23015a0b73ef800e3d004633bfa05c04d30090b38abfcb9ffafc5e3448
Instruction ID: 6a6df60b8a69b5f323c692be2769586903405e2a0275a056f6ee6eb79ff79ddf
Opcode Fuzzy Hash: 40546c23015a0b73ef800e3d004633bfa05c04d30090b38abfcb9ffafc5e3448
Instruction Fuzzy Hash: 33616A71905300AFEB21AFF49CC1B6E7BA5FF01310F14416DF9519B292DB3A9E4597A0

Function 00C8C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00C8C182
GetLastError.KERNEL32 ref: 00C8C195
SetEvent.KERNEL32(?), ref: 00C8C1A9

Part of subcall function 00C8C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00C8C272
Part of subcall function 00C8C253: GetLastError.KERNEL32 ref: 00C8C322
Part of subcall function 00C8C253: SetEvent.KERNEL32(?), ref: 00C8C336
Part of subcall function 00C8C253: InternetCloseHandle.WININET(00000000), ref: 00C8C341

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 3075cc331fd717c5f73d0793418f82b0ab5674fd047f3fa50a958fb1f24ede9a
Instruction ID: d2c51bd56db1d81dc038c0dcc04fb8dfbadb800f5c09b8ba247af8cbb985e374
Opcode Fuzzy Hash: 3075cc331fd717c5f73d0793418f82b0ab5674fd047f3fa50a958fb1f24ede9a
Instruction Fuzzy Hash: 7E317E71100605AFDB21AFA5DC84B6BBBE8FF19308B00451DF96683660DB35E9149B74

Function 00C725A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C73A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C73A57
Part of subcall function 00C73A3D: GetCurrentThreadId.KERNEL32 ref: 00C73A5E
Part of subcall function 00C73A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00C725B3), ref: 00C73A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 00C725BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00C725DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00C725DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 00C725E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00C72601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00C72605
MapVirtualKeyW.USER32(00000025,00000000), ref: 00C7260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00C72623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00C72627

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: d9f5be0954dad50d09e4815232f2ce8dc6ddc934d306b0f6d93290f8082dcd72
Instruction ID: 9139499922229377cd2ceaaa17a91a7d8182d9235869dd06d5015e47a0b4f733
Opcode Fuzzy Hash: d9f5be0954dad50d09e4815232f2ce8dc6ddc934d306b0f6d93290f8082dcd72
Instruction Fuzzy Hash: 5F01D431390610BBFB2067A99CCAF5D3F59DB4EB56F104001F318AF0D1C9E22445AA69

Function 00C71803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00C71449,?,?,00000000), ref: 00C7180C
HeapAlloc.KERNEL32(00000000,?,00C71449,?,?,00000000), ref: 00C71813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00C71449,?,?,00000000), ref: 00C71828
GetCurrentProcess.KERNEL32(?,00000000,?,00C71449,?,?,00000000), ref: 00C71830
DuplicateHandle.KERNEL32(00000000,?,00C71449,?,?,00000000), ref: 00C71833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00C71449,?,?,00000000), ref: 00C71843
GetCurrentProcess.KERNEL32(00C71449,00000000,?,00C71449,?,?,00000000), ref: 00C7184B
DuplicateHandle.KERNEL32(00000000,?,00C71449,?,?,00000000), ref: 00C7184E
CreateThread.KERNEL32(00000000,00000000,00C71874,00000000,00000000,00000000), ref: 00C71868

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: d9616213427ba3d3f3e94f1926e167d2d22922ead79c6cf9bd4540af8905f7d0
Instruction ID: 9c52a490a50581d6f7a7321474b1ce357163cd5ed9608ceb0a3eeba52a503d36
Opcode Fuzzy Hash: d9616213427ba3d3f3e94f1926e167d2d22922ead79c6cf9bd4540af8905f7d0
Instruction Fuzzy Hash: 3401AC75340304BFE610ABA5DC89F9F3BACEB8AB15F014411FA05DB1A1DA7098108B20

Function 00C9A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 00C7D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00C7D501
Part of subcall function 00C7D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00C7D50F
Part of subcall function 00C7D4DC: CloseHandle.KERNEL32(00000000), ref: 00C7D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00C9A16D
GetLastError.KERNEL32 ref: 00C9A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00C9A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 00C9A268
GetLastError.KERNEL32(00000000), ref: 00C9A273
CloseHandle.KERNEL32(00000000), ref: 00C9A2C4

Strings

SeDebugPrivilege, xrefs: 00C9A18F

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: f8f2938022047fa2a6a2646f69726adb5b514847fad3b68b462ebe9ce90672de
Instruction ID: 7ba9ae32f35acd34ba64c67d0cef97c7864c86ce52419e57f839fcadf9f35ac0
Opcode Fuzzy Hash: f8f2938022047fa2a6a2646f69726adb5b514847fad3b68b462ebe9ce90672de
Instruction Fuzzy Hash: CB618F30208641AFDB10DF19C498F59BBE1AF45318F14849CE46A8B7A3C772ED85DBD2

Function 00C7BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C7BCFD
IsMenu.USER32(00000000), ref: 00C7BD1D
CreatePopupMenu.USER32 ref: 00C7BD53
GetMenuItemCount.USER32(00F65530), ref: 00C7BDA4
InsertMenuItemW.USER32(00F65530,?,00000001,00000030), ref: 00C7BDCC

Strings

2, xrefs: 00C7BD37
0, xrefs: 00C7BCA8

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: c6026f92ba96bde6e91278721007c04eec4d1a5ed3951e037e1bbd04fea28e60
Instruction ID: 2c7828588ef46e1aefbac78fb2c6b9850165b144f641617b221f6cb88bf0886f
Opcode Fuzzy Hash: c6026f92ba96bde6e91278721007c04eec4d1a5ed3951e037e1bbd04fea28e60
Instruction Fuzzy Hash: 8C519E70A002059FDB21CFA9D8C4BAEBBF8AF65314F14C119F429D7299E770AE40CB51

Function 00CA81DB Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00C6F3AB,00000000,?,?,00000000,?,00C6682C,00000004,00000000,00000000), ref: 00CA824C
EnableWindow.USER32(00000000,00000000), ref: 00CA8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 00CA82D1
ShowWindow.USER32(00000000,00000004), ref: 00CA82E5
EnableWindow.USER32(00000000,00000001), ref: 00CA830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00CA832F

Strings

@U=u, xrefs: 00CA832F

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID: @U=u
API String ID: 642888154-2594219639
Opcode ID: 7b252f1eeb07d65b67bec318d550a688ff15b4a398115e517b86dbdeb110d888
Instruction ID: 52c879f6b0fd249c131c663b3bcf52fc590871c7d5ab008eb7f8b04e863e9b0e
Opcode Fuzzy Hash: 7b252f1eeb07d65b67bec318d550a688ff15b4a398115e517b86dbdeb110d888
Instruction Fuzzy Hash: F141B430601645EFDF15CF14D8D9BE87BE0BB0B718F184269EA584F272CB31A959CB50

Function 00C74C7D Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00C74C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00C74CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00C74CEA
_wcslen.LIBCMT ref: 00C74D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00C74D10
_wcsstr.LIBVCRUNTIME ref: 00C74D1A

Strings

@U=u, xrefs: 00C74CB2, 00C74CEA

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID: @U=u
API String ID: 72514467-2594219639
Opcode ID: dd3c6ab985dc33f420e8b118688ffa38737c00eaab6e44a746b5df990f0c5bd4
Instruction ID: 22404f61c250ac3c2063e47f742473ae5b922a5d56b8bb9b0b30f27d4f3deb1c
Opcode Fuzzy Hash: dd3c6ab985dc33f420e8b118688ffa38737c00eaab6e44a746b5df990f0c5bd4
Instruction Fuzzy Hash: FB21C531204214BBEB2A9B69EC49B7F7BACDF56750F108079F809CA191EB61DD0196A0

Function 00C7C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00C7C913

Strings

warning, xrefs: 00C7C8FC
info, xrefs: 00C7C8B4
stop, xrefs: 00C7C8E4
question, xrefs: 00C7C8CC
blank, xrefs: 00C7C895

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 766abd51e050cbefa7670ee58b310f6e92352d146631cb2f736e7bfdc54cfe0a
Instruction ID: ba686512ad9d0f5baab782692d26b31cdc72da8b929b5da70947680a4188122f
Opcode Fuzzy Hash: 766abd51e050cbefa7670ee58b310f6e92352d146631cb2f736e7bfdc54cfe0a
Instruction Fuzzy Hash: C7110D3268930BBAE7055B559CC3DEE679CDF15354F11403FF618A62C2D7706E006365

Function 00C67439 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00C67452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00C67469
GetWindowDC.USER32(?), ref: 00C67475
GetPixel.GDI32(00000000,?,?), ref: 00C67484
ReleaseDC.USER32(?,00000000), ref: 00C67496
GetSysColor.USER32(00000005), ref: 00C674B0

Strings

@U=u, xrefs: 00C67469

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID: @U=u
API String ID: 272304278-2594219639
Opcode ID: eafee67606e2c2619e46f29636934ebbe62e6cf44b356fda308da569ef87e539
Instruction ID: c19e8b44d815096e33fba5e8ce59a9d3c11b92a4f5f9d0ac0619a008162c6d64
Opcode Fuzzy Hash: eafee67606e2c2619e46f29636934ebbe62e6cf44b356fda308da569ef87e539
Instruction Fuzzy Hash: 9E018B31400215EFDB209FA4DD88BAE7BB5FB05319F140560F926A31A0CF311E51EF50

Function 00C6D3A2 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 32libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll), ref: 00C6D3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00C6D3BF
FreeLibrary.KERNEL32(00000000), ref: 00C6D3E5
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00C6D3FC

Strings

X64, xrefs: 00C6D2A8
kernel32.dll, xrefs: 00C6D3A8
GetSystemWow64DirectoryW, xrefs: 00C6D3B9

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: GetSystemWow64DirectoryW$X64$kernel32.dll
API String ID: 582185067-2904798639
Opcode ID: dc5ff6cdd5c5ba8af3b7d2d841240a46ea8a6369c5a23025057ffce6a6c4cdd2
Instruction ID: 8cc0e7e36621f18d04acdcbcdf50ee928a6c84f846017b24fa1d8b8fb625bc55
Opcode Fuzzy Hash: dc5ff6cdd5c5ba8af3b7d2d841240a46ea8a6369c5a23025057ffce6a6c4cdd2
Instruction Fuzzy Hash: 58F02770F462359BC77157519CE8B6D7334AF01B05F448065F603F7260DB30CE048AA1

Function 00C7ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00C7ED2A
_wcslen.LIBCMT ref: 00C7ED3B
_wcslen.LIBCMT ref: 00C7ED79
_wcslen.LIBCMT ref: 00C7EDAF
_wcslen.LIBCMT ref: 00C7EDDF
_wcslen.LIBCMT ref: 00C7EDEF
_wcslen.LIBCMT ref: 00C7EE2B
_wcslen.LIBCMT ref: 00C7EE5A

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 5decba3f534bc3102807fb4e01f40023d6f4c014888e9e653b73b314904bbc46
Instruction ID: cd9475c3a134fbe95ea042d1655e2d1492bdcebd75af878cfd68192b1d222e48
Opcode Fuzzy Hash: 5decba3f534bc3102807fb4e01f40023d6f4c014888e9e653b73b314904bbc46
Instruction Fuzzy Hash: 4A419366C2021875CB11EBF4C88AACFB7ACAF49710F508962F518E3121FB35E655C3A6

Function 00C2F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00C6682C,00000004,00000000,00000000), ref: 00C2F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00C6682C,00000004,00000000,00000000), ref: 00C6F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00C6682C,00000004,00000000,00000000), ref: 00C6F454

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: f513e7348c62dc5316ceba69ebbb2a19c1301ce6e6046ef91f3830d152474229
Instruction ID: c837cfa8e49f02a3792685daf80fa939e39b40f2da5ab7f1859378aeb65d8905
Opcode Fuzzy Hash: f513e7348c62dc5316ceba69ebbb2a19c1301ce6e6046ef91f3830d152474229
Instruction Fuzzy Hash: C6412C31608698BAC738AB2EB8C873E7BB1AB56314F14443CE09757D61CA719AC3D710

Function 00C75622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00C75637
_memcmp.LIBVCRUNTIME ref: 00C75659
_memcmp.LIBVCRUNTIME ref: 00C75671
_memcmp.LIBVCRUNTIME ref: 00C75684
_memcmp.LIBVCRUNTIME ref: 00C7569E
_memcmp.LIBVCRUNTIME ref: 00C756B1
_memcmp.LIBVCRUNTIME ref: 00C756C9
_memcmp.LIBVCRUNTIME ref: 00C756E4

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 7eee89c95325a95b595f949d64401df41a4bf99667ea7631d80a5f0de7e0e15f
Instruction ID: 90a9bfa523fe7cb66ba7d0a37d232a69eef724b474a6ad45410f0a9cacac4feb
Opcode Fuzzy Hash: 7eee89c95325a95b595f949d64401df41a4bf99667ea7631d80a5f0de7e0e15f
Instruction Fuzzy Hash: 8F210BA1750A0A7BD21855228D82FFB335CAF21398F488034FD1C9A781FBB1EF1195E5

Function 00C94FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 00C9502E, 00C95383
Not an Object type, xrefs: 00C95007

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 5fa41bb748c2fb34b86ac6198f88121b0db4eb6ccc96a613b8f167a8a89f5945
Instruction ID: a381865ba70646c0a07ffb658e34be84c216466532cf3f7af73067c68a104e51
Opcode Fuzzy Hash: 5fa41bb748c2fb34b86ac6198f88121b0db4eb6ccc96a613b8f167a8a89f5945
Instruction Fuzzy Hash: 05D1D471A0060A9FDF11CFA8C889FAEB7B5FF48344F148169E925AB291E770DE45CB50

Function 00C51522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,00C517FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 00C515CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00C517FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00C51651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00C517FB,?,00C517FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00C516E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00C517FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00C516FB

Part of subcall function 00C43820: RtlAllocateHeap.NTDLL(00000000,?,00CE1444,?,00C2FDF5,?,?,00C1A976,00000010,00CE1440,00C113FC,?,00C113C6,?,00C11129), ref: 00C43852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00C517FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00C51777
__freea.LIBCMT ref: 00C517A2
__freea.LIBCMT ref: 00C517AE

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: dcf1bf6a3eb61a1a99653380de49a234ade551a56d5b55b11ae339aaf4b017d3
Instruction ID: 1e9a8bf1f542ec26c4663785e48b04e8f2e52d87f997a7382f88a717da6ef88d
Opcode Fuzzy Hash: dcf1bf6a3eb61a1a99653380de49a234ade551a56d5b55b11ae339aaf4b017d3
Instruction Fuzzy Hash: 5191B379E002069ADB208E64C889BEE7BA5EB49351F5C0659EC11E7141EB35DE88C768

Function 00C94523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00C94648
VariantInit.OLEAUT32(?), ref: 00C94749
VariantClear.OLEAUT32(?), ref: 00C94753
VariantClear.OLEAUT32(?), ref: 00C947B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 00C945D8, 00C94706, 00C947BE
Incorrect Object type in FOR..IN loop, xrefs: 00C9472C

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 28ebdf8d075b5d8b3499a9b86ec6d9c62b471100ec3cdf63d426f039479a8732
Instruction ID: ae68826186965a194104b15d499114c54d13d503ffbf55311975ad511aaee550
Opcode Fuzzy Hash: 28ebdf8d075b5d8b3499a9b86ec6d9c62b471100ec3cdf63d426f039479a8732
Instruction Fuzzy Hash: 7C919471A00219ABDF28CFA5D888FAE7BB8EF46715F108559F515AB280D7709942CFA0

Function 00C81187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 00C8125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00C81284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 00C812A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00C812D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00C8135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00C813C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00C81430

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 4a098ae7501c695ec6987e1fe09188a8406020598ef7f6278cc005452b20c8e5
Instruction ID: af883c478f994ef19ecd04ddc84113973f39256346aaa48cb53b8ec51c9b5325
Opcode Fuzzy Hash: 4a098ae7501c695ec6987e1fe09188a8406020598ef7f6278cc005452b20c8e5
Instruction Fuzzy Hash: 6C910271A00218AFDB00EF94C884BBEB7F9FF45319F194029E910EB291D774E942DB98

Function 00C2948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 3722211da4197d8335889d59bead01fbb2abe060499f1455d66e32890fbe8c0a
Instruction ID: daa4a189429b1f118013b290f58e9ad8faf771d79cde92db8ba1cd58097f4ce8
Opcode Fuzzy Hash: 3722211da4197d8335889d59bead01fbb2abe060499f1455d66e32890fbe8c0a
Instruction Fuzzy Hash: 15916871E00219EFCB10CFA9DC84AEEBBB8FF49320F148559E915B7251D378AA41DB60

Function 00C93947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00C9396B
CharUpperBuffW.USER32(?,?), ref: 00C93A7A
_wcslen.LIBCMT ref: 00C93A8A
VariantClear.OLEAUT32(?), ref: 00C93C1F

Part of subcall function 00C80CDF: VariantInit.OLEAUT32(00000000), ref: 00C80D1F
Part of subcall function 00C80CDF: VariantCopy.OLEAUT32(?,?), ref: 00C80D28
Part of subcall function 00C80CDF: VariantClear.OLEAUT32(?), ref: 00C80D34

Strings

Incorrect Parameter format, xrefs: 00C939A6, 00C93BA1
AUTOIT.ERROR, xrefs: 00C93A80, 00C93A85

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 121ab54371c2a9ed0f710bd058cf3c65b4e98cc704b5c2cdae64fcc0832f40dc
Instruction ID: 9aa5a9f4648dfdcd15fc2ebcbc841e4b83edc6ac306afdef0c455f435ffec567
Opcode Fuzzy Hash: 121ab54371c2a9ed0f710bd058cf3c65b4e98cc704b5c2cdae64fcc0832f40dc
Instruction Fuzzy Hash: 919198746083419FCB00EF64C48496AB7E4FF89314F14892EF89A9B351DB30EE46DB92

Function 00C94BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00C7000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C6FF41,80070057,?,?,?,00C7035E), ref: 00C7002B
Part of subcall function 00C7000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C6FF41,80070057,?,?), ref: 00C70046
Part of subcall function 00C7000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C6FF41,80070057,?,?), ref: 00C70054
Part of subcall function 00C7000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C6FF41,80070057,?), ref: 00C70064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00C94C51
_wcslen.LIBCMT ref: 00C94D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00C94DCF
CoTaskMemFree.OLE32(?), ref: 00C94DDA

Strings

NULL Pointer assignment, xrefs: 00C94E23, 00C94E52

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 672db2963c193229af4316c6d75588531374d2c0ff64d5f39899a2eb1783ef43
Instruction ID: dbbae78feccd10028025debe4100a0f9e63dfa0d66dda1984dd6178cdd19795a
Opcode Fuzzy Hash: 672db2963c193229af4316c6d75588531374d2c0ff64d5f39899a2eb1783ef43
Instruction Fuzzy Hash: 15911671D00219EFDF14DFA4C895EEEB7B8BF09314F10816AE919A7291EB309A45DF60

Function 00CA20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00CA2183
GetMenuItemCount.USER32(00000000), ref: 00CA21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00CA21DD
_wcslen.LIBCMT ref: 00CA2213
GetMenuItemID.USER32(?,?), ref: 00CA224D
GetSubMenu.USER32(?,?), ref: 00CA225B

Part of subcall function 00C73A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C73A57
Part of subcall function 00C73A3D: GetCurrentThreadId.KERNEL32 ref: 00C73A5E
Part of subcall function 00C73A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00C725B3), ref: 00C73A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00CA22E3

Part of subcall function 00C7E97B: Sleep.KERNEL32 ref: 00C7E9F3

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: cb1d277ade8d1e44f9eb339a7e2c020f72d164cfc9623797ceb8e5f69ac53851
Instruction ID: e7a1a425effe4f2738ca43d521bcb1f700fa1329d0cc4cbd116fe97e2a50c56f
Opcode Fuzzy Hash: cb1d277ade8d1e44f9eb339a7e2c020f72d164cfc9623797ceb8e5f69ac53851
Instruction Fuzzy Hash: DB71B335E00216AFCB10DFA8C881BAEB7F5EF4A324F108458E916EB351D734EE419B90

Function 00C7AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00C7AEF9
GetKeyboardState.USER32(?), ref: 00C7AF0E
SetKeyboardState.USER32(?), ref: 00C7AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 00C7AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 00C7AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 00C7AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00C7B020

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 4688906ac090826a93ac113c9ed6df3857baef8a7de03b18c524953368b93084
Instruction ID: 086114510bd47e1c4864d8aaa98ab49b208d0606d8a3fb019c38b90a88c483c1
Opcode Fuzzy Hash: 4688906ac090826a93ac113c9ed6df3857baef8a7de03b18c524953368b93084
Instruction Fuzzy Hash: C851C1E06087D53DFB3682748845BBEBEA95B46304F08C589E1ED958C3C398AED4D751

Function 00C7ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00C7AD19
GetKeyboardState.USER32(?), ref: 00C7AD2E
SetKeyboardState.USER32(?), ref: 00C7AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00C7ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00C7ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00C7AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00C7AE38

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: e22d98b5cd12958a560b682b8196e8c42791b30e2d7002ee6ca49d5f856728cc
Instruction ID: f6a44ab7ec1f8439095392ef2265719d83ea5371a11eca2a843f522b27594c7f
Opcode Fuzzy Hash: e22d98b5cd12958a560b682b8196e8c42791b30e2d7002ee6ca49d5f856728cc
Instruction Fuzzy Hash: 4951D6A15047D53DFB3683348C95BBE7EA96B86300F08C489E1ED468C3D294EE94E752

Function 00C4542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00C53CD6,?,?,?,?,?,?,?,?,00C45BA3,?,?,00C53CD6,?,?), ref: 00C45470
__fassign.LIBCMT ref: 00C454EB
__fassign.LIBCMT ref: 00C45506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00C53CD6,00000005,00000000,00000000), ref: 00C4552C
WriteFile.KERNEL32(?,00C53CD6,00000000,00C45BA3,00000000,?,?,?,?,?,?,?,?,?,00C45BA3,?), ref: 00C4554B
WriteFile.KERNEL32(?,?,00000001,00C45BA3,00000000,?,?,?,?,?,?,?,?,?,00C45BA3,?), ref: 00C45584

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: de5afda4caaca981d0fc51550d453be4d37a525d4a6bfdda3aaa85da87dc339f
Instruction ID: 87f799220b33e1268d50cd7cb76d57d4f8ffcccb486c60c6ff9d3fb40e050203
Opcode Fuzzy Hash: de5afda4caaca981d0fc51550d453be4d37a525d4a6bfdda3aaa85da87dc339f
Instruction Fuzzy Hash: 7651C3B1A00649AFDB11CFA8D885BEEBBF9FF09310F14411AF955E7292D7309A41CB60

Function 00CA6B76 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00CA6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00CA6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00CA6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00C8AB79,00000000,00000000), ref: 00CA6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00CA6CC7

Strings

@U=u, xrefs: 00CA6C73

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID: @U=u
API String ID: 3688381893-2594219639
Opcode ID: 7431b0559d88aa7e572abf47625feb42d022e5df2e7057b2c69450c69596d8cb
Instruction ID: fabb9fb7dc11cd06010b933f15b71ec453d4f0f69fe82026282f96f5ecfe4a7c
Opcode Fuzzy Hash: 7431b0559d88aa7e572abf47625feb42d022e5df2e7057b2c69450c69596d8cb
Instruction Fuzzy Hash: 7441D435A04105AFD724DF38CC94FA97BA5EB0B36CF190228F8A5A72E1C771EE40DA50

Function 00C32D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00C32D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00C32D53
_ValidateLocalCookies.LIBCMT ref: 00C32DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00C32E0C
_ValidateLocalCookies.LIBCMT ref: 00C32E61

Strings

csm, xrefs: 00C32DF6

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 0073106204bd138aa915a011456cb3cd79456d5cf3284cbb5c61a25f54efde63
Instruction ID: f904f1f1777378d395fc78f1ea3065b82b53f8907ae2d776f204633d5ad1dcd6
Opcode Fuzzy Hash: 0073106204bd138aa915a011456cb3cd79456d5cf3284cbb5c61a25f54efde63
Instruction Fuzzy Hash: 3241D534E20209EBCF10DF68CC85A9EBBB5BF44325F148156E925AB392D731EA05CBD1

Function 00C910B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00C9304E: inet_addr.WSOCK32(?), ref: 00C9307A
Part of subcall function 00C9304E: _wcslen.LIBCMT ref: 00C9309B

socket.WSOCK32(00000002,00000001,00000006), ref: 00C91112
WSAGetLastError.WSOCK32 ref: 00C91121
WSAGetLastError.WSOCK32 ref: 00C911C9
closesocket.WSOCK32(00000000), ref: 00C911F9

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 357c2c931211a55ffdde612fc36e237729619dfdb1d9daa842df05f72029b3ba
Instruction ID: ce6fb58a3d4dde851fa4a73c497ec31783931eef653d6ac91d98dbcb9da2d875
Opcode Fuzzy Hash: 357c2c931211a55ffdde612fc36e237729619dfdb1d9daa842df05f72029b3ba
Instruction Fuzzy Hash: 3741E731600205AFDB109F54C889BADB7E9FF46368F188059FD259B291C774EE81CBE1

Function 00C7CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00C7DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00C7CF22,?), ref: 00C7DDFD

Part of subcall function 00C7DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00C7CF22,?), ref: 00C7DE16

lstrcmpiW.KERNEL32(?,?), ref: 00C7CF45
MoveFileW.KERNEL32(?,?), ref: 00C7CF7F
_wcslen.LIBCMT ref: 00C7D005
_wcslen.LIBCMT ref: 00C7D01B
SHFileOperationW.SHELL32(?), ref: 00C7D061

Strings

\*.*, xrefs: 00C7CFF3

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: f911568f0b69b129dc2a117e0aab97d15a8991a116a6ac7048a8994e3af6e7d3
Instruction ID: ac7324059765c478c2d6bd2e929d7b73c0f0483c8f91b32f9264cb5b95657d9a
Opcode Fuzzy Hash: f911568f0b69b129dc2a117e0aab97d15a8991a116a6ac7048a8994e3af6e7d3
Instruction Fuzzy Hash: 294154719052195FDF12EFA4C9C1BDEB7BCAF19380F0040EAE509EB142EA34A788DB50

Function 00C77726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C77769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C7778F
SysAllocString.OLEAUT32(00000000), ref: 00C77792
SysAllocString.OLEAUT32(?), ref: 00C777B0
SysFreeString.OLEAUT32(?), ref: 00C777B9
StringFromGUID2.OLE32(?,?,00000028), ref: 00C777DE
SysAllocString.OLEAUT32(?), ref: 00C777EC

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: bfc4322a8ebbcb7575dae764156ce434e7b17100886e1abab58f6b6424c87443
Instruction ID: 2f8b681f4cac58f69f02ff3b5b7b6c046a025bd39096de34bb8e1ca78d44147d
Opcode Fuzzy Hash: bfc4322a8ebbcb7575dae764156ce434e7b17100886e1abab58f6b6424c87443
Instruction Fuzzy Hash: E021AE7660421DAFDB15DFA8DC88EBF77ACEB093647008125BA18DB190D670DD42C764

Function 00C777FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C77842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C77868
SysAllocString.OLEAUT32(00000000), ref: 00C7786B
SysAllocString.OLEAUT32 ref: 00C7788C
SysFreeString.OLEAUT32 ref: 00C77895
StringFromGUID2.OLE32(?,?,00000028), ref: 00C778AF
SysAllocString.OLEAUT32(?), ref: 00C778BD

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 44ead556080e18fab4a52924fc6e10cf15836b451021092386cacf70ae5b23e2
Instruction ID: 31c8666d4d915d2022d49ae9bb2f21b20e8fcd57da2fa3d9e49674c98e5c2e44
Opcode Fuzzy Hash: 44ead556080e18fab4a52924fc6e10cf15836b451021092386cacf70ae5b23e2
Instruction Fuzzy Hash: 79216031608218AFDB109FB8DC8CEBA77ECEB09764710C225F919DB2A1DA74DD41CB65

Function 00CA5706 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00CA5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 00CA579D
_wcslen.LIBCMT ref: 00CA57AF
_wcslen.LIBCMT ref: 00CA57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00CA5816

Strings

@U=u, xrefs: 00CA5745, 00CA579D, 00CA5816

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID: @U=u
API String ID: 763830540-2594219639
Opcode ID: aaebbe025575b96a743e53faa375b62ecf994364ae2d0d0f917f49ea1f9a8c66
Instruction ID: ccdc12899dd236c23d61d852eb723e54197d7a75e03ee72afa841572a262523e
Opcode Fuzzy Hash: aaebbe025575b96a743e53faa375b62ecf994364ae2d0d0f917f49ea1f9a8c66
Instruction Fuzzy Hash: 8B217175914619DADB209FA1CC85AEE77BCFF06728F108216F929EB1C0D7709A85CF50

Function 00C804D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00C804F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00C8052E

Strings

nul, xrefs: 00C80567

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 5ff784aae3ec35c7b596d3cf0f1a61676a931bbcdecedc13d70fd88b172e187c
Instruction ID: 301d0c93f27dcfb515e0ac3741a19c7fdd7bedd640b5066f357c0f599820fb5b
Opcode Fuzzy Hash: 5ff784aae3ec35c7b596d3cf0f1a61676a931bbcdecedc13d70fd88b172e187c
Instruction Fuzzy Hash: E0217C71600305AFDB20AF29D844B9A77A4AF45728F304A29E8B1D72E0D7709A48CF28

Function 00C805A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00C805C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00C80601

Strings

nul, xrefs: 00C80639

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: f940ea153e14d63a6cdbed656b53ceaca50c7a4fca16b47b449b80d11740c85b
Instruction ID: 7ed307e476e188b329eae23dac8ed575e7ae2da17bc22abcffd59783f08d3018
Opcode Fuzzy Hash: f940ea153e14d63a6cdbed656b53ceaca50c7a4fca16b47b449b80d11740c85b
Instruction Fuzzy Hash: 2E217F755003059FDB60AF698C44B9A77E4AF96729F300B19FCB1E72E0E7709964CB28

Function 00CA40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C1600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00C1604C
Part of subcall function 00C1600E: GetStockObject.GDI32(00000011), ref: 00C16060
Part of subcall function 00C1600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00C1606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00CA4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00CA411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00CA412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00CA4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00CA4145

Strings

Msctls_Progress32, xrefs: 00CA40E3

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 6ad7bb5f6e882fa5db2e689409164c9dfcaad99c42a02da9d58b02e4d00c91f1
Instruction ID: ba8b3d0913f3e47db2225d08c9b001e1bb1d527a8f9c040e4155fbdbefc9d641
Opcode Fuzzy Hash: 6ad7bb5f6e882fa5db2e689409164c9dfcaad99c42a02da9d58b02e4d00c91f1
Instruction Fuzzy Hash: 2F1186B115011A7EEF119F64CC85EEB7F5DEF09798F014111FB18A6150C672DC61DBA4

Function 00C4D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00C4D7A3: _free.LIBCMT ref: 00C4D7CC

_free.LIBCMT ref: 00C4D82D

Part of subcall function 00C429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00C4D7D1,00000000,00000000,00000000,00000000,?,00C4D7F8,00000000,00000007,00000000,?,00C4DBF5,00000000), ref: 00C429DE
Part of subcall function 00C429C8: GetLastError.KERNEL32(00000000,?,00C4D7D1,00000000,00000000,00000000,00000000,?,00C4D7F8,00000000,00000007,00000000,?,00C4DBF5,00000000,00000000), ref: 00C429F0

_free.LIBCMT ref: 00C4D838
_free.LIBCMT ref: 00C4D843
_free.LIBCMT ref: 00C4D897
_free.LIBCMT ref: 00C4D8A2
_free.LIBCMT ref: 00C4D8AD
_free.LIBCMT ref: 00C4D8B8

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: c5d0dc2b14f6a00394a91677fa80e57b9e5fcfa1156ee0aaeca74245a117bbc9
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 59115B71940B04ABEA21BFB1CC47FCB7BDCBF10700F800825B69AE6292DA75B505A660

Function 00C7DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00C7DA74
LoadStringW.USER32(00000000), ref: 00C7DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00C7DA91
LoadStringW.USER32(00000000), ref: 00C7DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00C7DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00C7DAB9

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: bb1a78ba709b76baa6a73d4b5b437dd537c3f340a985b011039ca16d84eadf34
Instruction ID: ea472d6e6f16dd1ee9c5ca5e881259c88919a6e4a409d05420a88f35a30d4fda
Opcode Fuzzy Hash: bb1a78ba709b76baa6a73d4b5b437dd537c3f340a985b011039ca16d84eadf34
Instruction Fuzzy Hash: C1014FF25002087BE710DBA09DC9FEA726CEB09705F404496B70AE3041EA749E848B74

Function 00C8096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(00F5B4E8,00F5B4E8), ref: 00C8097B
EnterCriticalSection.KERNEL32(00F5B4C8,00000000), ref: 00C8098D
TerminateThread.KERNEL32(0047002D,000001F6), ref: 00C8099B
WaitForSingleObject.KERNEL32(0047002D,000003E8), ref: 00C809A9
CloseHandle.KERNEL32(0047002D), ref: 00C809B8
InterlockedExchange.KERNEL32(00F5B4E8,000001F6), ref: 00C809C8
LeaveCriticalSection.KERNEL32(00F5B4C8), ref: 00C809CF

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 4da88825e253aab746a1c339b4746d3066cc485b6f352a0703810abe80a005e5
Instruction ID: 2dc40fe32902d32fc681ecf536aa1ebef526f413371b957bfcaf551ff57c2427
Opcode Fuzzy Hash: 4da88825e253aab746a1c339b4746d3066cc485b6f352a0703810abe80a005e5
Instruction Fuzzy Hash: A0F03C32542A02BBD7415FA4EECCBDABB39FF0270AF502125F202928A1CB749575CF94

Function 00C91C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?), ref: 00C91DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00C91DE1
WSAGetLastError.WSOCK32 ref: 00C91DF2
htons.WSOCK32(?), ref: 00C91EDB
inet_ntoa.WSOCK32(?), ref: 00C91E8C

Part of subcall function 00C739E8: _strlen.LIBCMT ref: 00C739F2

Part of subcall function 00C93224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,00C8EC0C), ref: 00C93240

_strlen.LIBCMT ref: 00C91F35

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: e6d67dfe6ea362891ec82787bcad0cfc24932afc01cb527b9c49b1169254d8df
Instruction ID: c1880d1b6383e38a6bce40b2d17b69b16cfdae4079a4551d0e2533be3612491b
Opcode Fuzzy Hash: e6d67dfe6ea362891ec82787bcad0cfc24932afc01cb527b9c49b1169254d8df
Instruction Fuzzy Hash: 4DB11531204341AFC724DF64C89AF6A77E5AF85318F58854CF8664B2E2DB31EE42DB91

Function 00C401B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00C400BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C400D6
__allrem.LIBCMT ref: 00C400ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C4010B
__allrem.LIBCMT ref: 00C40122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C40140

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 4aaa9a8cb4931cb10da43ef37dbc1045fbbbb4af3b7bf2fd7cc240c55ce71b94
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 3F81F572A407069BE724AE69CC42B6F73E8BF55324F24493EFA21D7281E770DE419B50

Function 00C461FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00C382D9,00C382D9,?,?,?,00C4644F,00000001,00000001,8BE85006), ref: 00C46258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00C4644F,00000001,00000001,8BE85006,?,?,?), ref: 00C462DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00C463D8
__freea.LIBCMT ref: 00C463E5

Part of subcall function 00C43820: RtlAllocateHeap.NTDLL(00000000,?,00CE1444,?,00C2FDF5,?,?,00C1A976,00000010,00CE1440,00C113FC,?,00C113C6,?,00C11129), ref: 00C43852

__freea.LIBCMT ref: 00C463EE
__freea.LIBCMT ref: 00C46413

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 87545e721216235400a577f7e1301a8ac4174be23776b6df5a020829e1057a9c
Instruction ID: b6a06c6f1ad50a1a51d698deab0a6b956828ddbd96378919e3391a7390e448c6
Opcode Fuzzy Hash: 87545e721216235400a577f7e1301a8ac4174be23776b6df5a020829e1057a9c
Instruction Fuzzy Hash: 55513172A00246ABEB258F60CC81FAF7BA9FF86710F144229FD15D7194EB34DD80D6A1

Function 00C9BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C19CB3: _wcslen.LIBCMT ref: 00C19CBD

Part of subcall function 00C9C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C9B6AE,?,?), ref: 00C9C9B5
Part of subcall function 00C9C998: _wcslen.LIBCMT ref: 00C9C9F1
Part of subcall function 00C9C998: _wcslen.LIBCMT ref: 00C9CA68
Part of subcall function 00C9C998: _wcslen.LIBCMT ref: 00C9CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C9BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00C9BD25
RegCloseKey.ADVAPI32(00000000), ref: 00C9BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00C9BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00C9BDF3
RegCloseKey.ADVAPI32(?), ref: 00C9BDFF

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 2d48e2cd1c3860e937e64828977a5acbd66690908cc7ba8add2cea66e007feca
Instruction ID: 8e9162ebd7cdb521720f0711c43c29f0a23ed51e3f777543fb9ea2a563b647f6
Opcode Fuzzy Hash: 2d48e2cd1c3860e937e64828977a5acbd66690908cc7ba8add2cea66e007feca
Instruction Fuzzy Hash: 2181D031208241EFCB14DF24C999E6ABBE5FF85308F14855CF4594B2A2CB31EE45DB92

Function 00C6F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 00C6F7B9
SysAllocString.OLEAUT32(00000001), ref: 00C6F860
VariantCopy.OLEAUT32(00C6FA64,00000000), ref: 00C6F889
VariantClear.OLEAUT32(00C6FA64), ref: 00C6F8AD
VariantCopy.OLEAUT32(00C6FA64,00000000), ref: 00C6F8B1
VariantClear.OLEAUT32(?), ref: 00C6F8BB

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: ed04451a9d48c5abc7086d8c7c098db32b43d4b2d173d4dd661dea6748040938
Instruction ID: 49f5afa76cdfa036bfbe3a1507b3bd40fea39def0ff8917f78671f13755a3da0
Opcode Fuzzy Hash: ed04451a9d48c5abc7086d8c7c098db32b43d4b2d173d4dd661dea6748040938
Instruction Fuzzy Hash: A551D835500310BADF30AF66E8D5769B3A5EF46310F24546EE906DF291DB708C42DB56

Function 00C8910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00C17620: _wcslen.LIBCMT ref: 00C17625

Part of subcall function 00C16B57: _wcslen.LIBCMT ref: 00C16B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 00C894E5
_wcslen.LIBCMT ref: 00C89506
_wcslen.LIBCMT ref: 00C8952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00C89585

Strings

X, xrefs: 00C89412

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 7aa70b509ab9f31c90fb7105f7ebf39d013964e4ecb5a20fe2684d2bd7539092
Instruction ID: 5932d36935d422364efdd8f72eb566603453afed043c3fa6b7ad214a4132ffe8
Opcode Fuzzy Hash: 7aa70b509ab9f31c90fb7105f7ebf39d013964e4ecb5a20fe2684d2bd7539092
Instruction Fuzzy Hash: CCE1B3315043009FD714EF24C881AAEB7E4FF85318F08896DF8999B2A2DB30ED45DB96

Function 00C2920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00C29BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C29BB2

BeginPaint.USER32(?,?,?), ref: 00C29241
GetWindowRect.USER32(?,?), ref: 00C292A5
ScreenToClient.USER32(?,?), ref: 00C292C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00C292D3
EndPaint.USER32(?,?,?,?,?), ref: 00C29321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00C671EA

Part of subcall function 00C29339: BeginPath.GDI32(00000000), ref: 00C29357

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 0d8f3ed64c7c804688e62e1ecfb4ac45deff12f4ef654225506753400823a1a9
Instruction ID: 01c2724ca7703e05504bcc9e97a97e5b9f90bbdb30ed0202793cc30a4a9f332a
Opcode Fuzzy Hash: 0d8f3ed64c7c804688e62e1ecfb4ac45deff12f4ef654225506753400823a1a9
Instruction Fuzzy Hash: 1341AB71104310AFD720DF25ECC4FBE7BB8EB46724F040629F9A48B2A2C7309945DB61

Function 00C807EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00C8080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00C80847
EnterCriticalSection.KERNEL32(?), ref: 00C80863
LeaveCriticalSection.KERNEL32(?), ref: 00C808DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00C808F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00C80921

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 19c0823a3e0a169607c8766578d0aedf8a103a8e19f76faaaddd2f97a871c702
Instruction ID: 1419f58d7f9f3679ca31c99abf1284717b00d98ebdf3b89827a088d10fb2c6e0
Opcode Fuzzy Hash: 19c0823a3e0a169607c8766578d0aedf8a103a8e19f76faaaddd2f97a871c702
Instruction Fuzzy Hash: 5E414971A00205EBDF15AF54DC85BAA77B8FF05314F1440A9ED00AA297DB30DE65DBA4

Function 00C8581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00C13AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C13A97,?,?,00C12E7F,?,?,?,00000000), ref: 00C13AC2

_wcslen.LIBCMT ref: 00C8587B
CoInitialize.OLE32(00000000), ref: 00C85995
CoCreateInstance.OLE32(00CAFCF8,00000000,00000001,00CAFB68,?), ref: 00C859AE
CoUninitialize.OLE32 ref: 00C859CC

Strings

.lnk, xrefs: 00C85876, 00C858C1, 00C85985

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: aae30f6b250f2771df05e140a6241ac20956ca8a6545731f47344ce728957869
Instruction ID: f81c3b16c5cab0a4a08d6f8ca8910ae4907bdc8282679ecbbecca69c8cdf438d
Opcode Fuzzy Hash: aae30f6b250f2771df05e140a6241ac20956ca8a6545731f47344ce728957869
Instruction Fuzzy Hash: 26D174706047019FC704EF24C480A6ABBF2EF8A318F14495DF8999B361D771ED46DB92

Function 00C7175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C70FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00C70FCA
Part of subcall function 00C70FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00C70FD6
Part of subcall function 00C70FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00C70FE5
Part of subcall function 00C70FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00C70FEC
Part of subcall function 00C70FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00C71002

GetLengthSid.ADVAPI32(?,00000000,00C71335), ref: 00C717AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00C717BA
HeapAlloc.KERNEL32(00000000), ref: 00C717C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 00C717DA
GetProcessHeap.KERNEL32(00000000,00000000,00C71335), ref: 00C717EE
HeapFree.KERNEL32(00000000), ref: 00C717F5

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 3551a6d869463f3ca03929be5cc3c5b556457d6ef96166a7a87e0176d41a6c34
Instruction ID: e37089d4a2e2c42f9d9eabcde80b4b65caad4b31ab93cf2d1cddc64a73d041a7
Opcode Fuzzy Hash: 3551a6d869463f3ca03929be5cc3c5b556457d6ef96166a7a87e0176d41a6c34
Instruction Fuzzy Hash: 99118E71600205FFDB189FA8CC89BAE7BADEB46359F188018F95597210D735AA44CB60

Function 00C714CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00C714FF
OpenProcessToken.ADVAPI32(00000000), ref: 00C71506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00C71515
CloseHandle.KERNEL32(00000004), ref: 00C71520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00C7154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00C71563

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: bd265ad736208532a25f2548808aa4844a3a51f0832e34b93e8c60e9593404c7
Instruction ID: a7ab0a41f4f3a70a2f747693a9ce26931c2e5bf570dfca32e727aa6b74eb3b66
Opcode Fuzzy Hash: bd265ad736208532a25f2548808aa4844a3a51f0832e34b93e8c60e9593404c7
Instruction Fuzzy Hash: 8111377250120DABDF118FA8DD89FDE7BA9EF49748F088025FE19A2160C375CE64DB60

Function 00C33382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00C33379,00C32FE5), ref: 00C33390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00C3339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00C333B7
SetLastError.KERNEL32(00000000,?,00C33379,00C32FE5), ref: 00C33409

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: f08d8c1f541e69ac6ed5fb4ca4a19fd40ae0279b0a41dafe8ee0a810896d7506
Instruction ID: 5282f95c41a0cf2035faebaefc449905457dff64e2e2a0e26eebdfc92b05e5d0
Opcode Fuzzy Hash: f08d8c1f541e69ac6ed5fb4ca4a19fd40ae0279b0a41dafe8ee0a810896d7506
Instruction Fuzzy Hash: 8C01FC3362E352BEEA1537757CC675F6F54EB15379F20822AF520851F0EF115E02A544

Function 00C42D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00C45686,00C53CD6,?,00000000,?,00C45B6A,?,?,?,?,?,00C3E6D1,?,00CD8A48), ref: 00C42D78
_free.LIBCMT ref: 00C42DAB
_free.LIBCMT ref: 00C42DD3
SetLastError.KERNEL32(00000000,?,?,?,?,00C3E6D1,?,00CD8A48,00000010,00C14F4A,?,?,00000000,00C53CD6), ref: 00C42DE0
SetLastError.KERNEL32(00000000,?,?,?,?,00C3E6D1,?,00CD8A48,00000010,00C14F4A,?,?,00000000,00C53CD6), ref: 00C42DEC
_abort.LIBCMT ref: 00C42DF2

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 11ca9495eb42d2af9cb0f7b21ccaab53f841fe25359bf369631a0f29eb3ac81a
Instruction ID: 9f92fb9d528a807a2e90e8bdb39cab40fec5c93ea01c579eaebf034efe114276
Opcode Fuzzy Hash: 11ca9495eb42d2af9cb0f7b21ccaab53f841fe25359bf369631a0f29eb3ac81a
Instruction Fuzzy Hash: 3EF0C832D05A0127C6226735BC4BF5E2669BFC27A5F740419F834931E2EF748901E160

Function 00CA8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00C29639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00C29693
Part of subcall function 00C29639: SelectObject.GDI32(?,00000000), ref: 00C296A2
Part of subcall function 00C29639: BeginPath.GDI32(?), ref: 00C296B9
Part of subcall function 00C29639: SelectObject.GDI32(?,00000000), ref: 00C296E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00CA8A4E
LineTo.GDI32(?,00000003,00000000), ref: 00CA8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00CA8A70
LineTo.GDI32(?,00000000,00000003), ref: 00CA8A80
EndPath.GDI32(?), ref: 00CA8A90
StrokePath.GDI32(?), ref: 00CA8AA0

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 6c9679d85c7bf381e8683c0afedda8d4f08b9584b6c62aced81440dace4b715c
Instruction ID: e0aeff70943373c35185885a3210e2507db008138e5294d4371857c6b0011cd4
Opcode Fuzzy Hash: 6c9679d85c7bf381e8683c0afedda8d4f08b9584b6c62aced81440dace4b715c
Instruction Fuzzy Hash: 8A11C97600015DFFDB129F94DC88FAE7F6DEB09354F048012BA199A1A1C7719E55DBA0

Function 00C751FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00C75218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00C75229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C75230
ReleaseDC.USER32(00000000,00000000), ref: 00C75238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00C7524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00C75261

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 717d7dfd5ce29b56335944d76196c09ac0d9967ca1600f5ca12b47b1ede77886
Instruction ID: e4171eb19cfa9eaa1d8c990fbefe0965faaae8e9aee13a4ffd9d4492f6b943c1
Opcode Fuzzy Hash: 717d7dfd5ce29b56335944d76196c09ac0d9967ca1600f5ca12b47b1ede77886
Instruction Fuzzy Hash: 5E014F75A00718BBEB109BA59C89B5EBFB8EB49751F044065FA04A7281D6709D01CBA0

Function 00C11BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00C11BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00C11BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00C11C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00C11C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00C11C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00C11C22

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 9c15082eb30354213bfee99d28cc4a66c50fe0e994b0b705d7193683cdf9161c
Instruction ID: a7fc62f9d2dc1e5aea39aadbbc8d434e70a7c89904136cb1b4317f693ad8562c
Opcode Fuzzy Hash: 9c15082eb30354213bfee99d28cc4a66c50fe0e994b0b705d7193683cdf9161c
Instruction Fuzzy Hash: 4F0167B0902B5ABDE3008F6A8C85B56FFE8FF19354F04411BA15C4BA42C7F5A864CBE5

Function 00C7EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00C7EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00C7EB46
GetWindowThreadProcessId.USER32(?,?), ref: 00C7EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C7EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C7EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C7EB75

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 6d69720ed31fa258d2ac85c50687409cf44d8b2f450bd7b3a3fecd70b3d7a905
Instruction ID: 718fa6ef987be03163bcba1bf5523845c0ee8e921c6a998176010cffea87ad1c
Opcode Fuzzy Hash: 6d69720ed31fa258d2ac85c50687409cf44d8b2f450bd7b3a3fecd70b3d7a905
Instruction Fuzzy Hash: E0F05472241158BBE7215B629C4DFEF3E7CEFCBB15F004159F611D2091DBA05A01C6B5

Function 00C71874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00C7187F
UnloadUserProfile.USERENV(?,?), ref: 00C7188B
CloseHandle.KERNEL32(?), ref: 00C71894
CloseHandle.KERNEL32(?), ref: 00C7189C
GetProcessHeap.KERNEL32(00000000,?), ref: 00C718A5
HeapFree.KERNEL32(00000000), ref: 00C718AC

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: adf68bbd5a7d9e55fdf4a205740ca9824df66b3c664218c7c2b0bd85868cc687
Instruction ID: 62bde819576f4fee5bef881085fd59299cc01cbe0ab32f26c32817fd50090999
Opcode Fuzzy Hash: adf68bbd5a7d9e55fdf4a205740ca9824df66b3c664218c7c2b0bd85868cc687
Instruction Fuzzy Hash: 85E0C236204101BBDA015BA1ED4CB8EBB69FB4AB26B108220F22582070CB329421DF50

Function 00C7C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C17620: _wcslen.LIBCMT ref: 00C17625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00C7C6EE
_wcslen.LIBCMT ref: 00C7C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00C7C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00C7C7CA

Strings

0, xrefs: 00C7C6AF

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: c7efd66239e5da9ac8981dd8c5bdf44b04cf610b743b401427c10fba35a1ef5b
Instruction ID: 8f7e2fbbbc95839fb9609261427835f5d0f13e08b286aa437e51fe39382d3b9b
Opcode Fuzzy Hash: c7efd66239e5da9ac8981dd8c5bdf44b04cf610b743b401427c10fba35a1ef5b
Instruction Fuzzy Hash: 1751E0716043029BD7189F29C8C5B6B77E8AF49310F048A2DF9A9D31E0DB70DA44DB52

Function 00C9AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 00C9AEA3

Part of subcall function 00C17620: _wcslen.LIBCMT ref: 00C17625

GetProcessId.KERNEL32(00000000), ref: 00C9AF38
CloseHandle.KERNEL32(00000000), ref: 00C9AF67

Strings

<, xrefs: 00C9AE6B
@, xrefs: 00C9AE72

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: b8a57d541717a94dab71a73b899287f0302dd926bc63982c0c3fdfef3beb6227
Instruction ID: ce82d40013ed6299231c3e67edfd3d5aef691ff28be89dfea2edf210534ab247
Opcode Fuzzy Hash: b8a57d541717a94dab71a73b899287f0302dd926bc63982c0c3fdfef3beb6227
Instruction Fuzzy Hash: F9713871A00219DFCF14DF94C488A9EBBF1EF09314F048499E816AB762CB75EE85DB91

Function 00CA6278 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00F6DE78,?), ref: 00CA62E2
ScreenToClient.USER32(?,?), ref: 00CA6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00CA6382

Strings

@U=u, xrefs: 00CA63DD

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID: @U=u
API String ID: 3880355969-2594219639
Opcode ID: a97181196f1b3e8a26497a8d511912e8aadd9b1969062061d88956b25cfcd7a1
Instruction ID: 7c5481b3c9d010ec1862a5c2c3e03ba74026578e7a048f2aab3d6e9a6eac37b5
Opcode Fuzzy Hash: a97181196f1b3e8a26497a8d511912e8aadd9b1969062061d88956b25cfcd7a1
Instruction Fuzzy Hash: 8951417490124AEFCF10DF54D880AAE7BB5FF56368F148259F9259B2A0D730EE51CB50

Function 00C72716 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C7B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C721D0,?,?,00000034,00000800,?,00000034), ref: 00C7B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00C72760

Part of subcall function 00C7B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C721FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00C7B3F8

Part of subcall function 00C7B32A: GetWindowThreadProcessId.USER32(?,?), ref: 00C7B355
Part of subcall function 00C7B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00C72194,00000034,?,?,00001004,00000000,00000000), ref: 00C7B365
Part of subcall function 00C7B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00C72194,00000034,?,?,00001004,00000000,00000000), ref: 00C7B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00C727CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00C7281A

Strings

@U=u, xrefs: 00C72760, 00C727CD, 00C7281A
@, xrefs: 00C72832

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @$@U=u
API String ID: 4150878124-826235744
Opcode ID: e4fec153c75e038a8380873b3ae54fe67aeaaffa9ee466d122e5e3eb61e1f8a6
Instruction ID: b2d28a0531a3230f6ece25e137f0c2d5d4ed08069f3e59f59f9495ceeba29fe2
Opcode Fuzzy Hash: e4fec153c75e038a8380873b3ae54fe67aeaaffa9ee466d122e5e3eb61e1f8a6
Instruction Fuzzy Hash: 70411D72900218AFDB10DBA4CD85BDEBBB8AF05700F108095FA59B7191DB716F85DBA1

Function 00C7719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00C77206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00C7723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00C7724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00C772CF

Strings

DllGetClassObject, xrefs: 00C77242

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: da6130c0734fe0a5f8ac12bd44f513c1870dad31bbde2ac1b06d8e225452f560
Instruction ID: 506bcb1d31aa68f733fe41f21b06f41c1d7810e488537d68825b2059f5e48b3e
Opcode Fuzzy Hash: da6130c0734fe0a5f8ac12bd44f513c1870dad31bbde2ac1b06d8e225452f560
Instruction Fuzzy Hash: E6418DB1A04208EFDB15CF54C885B9A7BA9EF45314F15C1A9BD19DF20AD7B0DA40DBA0

Function 00CA52C1 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00CA5352
GetWindowLongW.USER32(?,000000F0), ref: 00CA5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00CA5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00CA53A8

Strings

@U=u, xrefs: 00CA5352

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID: @U=u
API String ID: 3340791633-2594219639
Opcode ID: 7d05e8e90c5006e27f1cf6129591d755fbaa0a51a349ca00936746477d49090a
Instruction ID: f0fad2c10934fefcdd0aae7eebcbaf5fbcc273d8a1ac05b352171d69e40819e6
Opcode Fuzzy Hash: 7d05e8e90c5006e27f1cf6129591d755fbaa0a51a349ca00936746477d49090a
Instruction Fuzzy Hash: AD31E234A57A0AFFEF309A15CC45BEC3761AB87398F588101FA21961F1C7B09A80EB41

Function 00C9C9EA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00C9C9F1
_wcslen.LIBCMT ref: 00C9CA68
_wcslen.LIBCMT ref: 00C9CA9E
_wcslen.LIBCMT ref: 00C9CAF9
_wcslen.LIBCMT ref: 00C9CB2F
_wcslen.LIBCMT ref: 00C9CB7F

Strings

HKEY_LOCAL_MACHINE, xrefs: 00C9CA62, 00C9CA67
HKLM, xrefs: 00C9CA98, 00C9CA9D

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: _wcslen
String ID: HKEY_LOCAL_MACHINE$HKLM
API String ID: 176396367-4004644295
Opcode ID: 7b09b1a14ef1f87d1afe49b8a6d0ca7e50297c18525c4cca5a5b90549a316ea9
Instruction ID: 301059b5e33cdba4b397f82598f20292b98beb8a1cef83d1d240fc5ab582244d
Opcode Fuzzy Hash: 7b09b1a14ef1f87d1afe49b8a6d0ca7e50297c18525c4cca5a5b90549a316ea9
Instruction Fuzzy Hash: 2231D572A001A94BCF20DE2CD9D41BE33919BA1750F55412AE865AB385FE71CF81F3A0

Function 00CA2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00CA2F8D
LoadLibraryW.KERNEL32(?), ref: 00CA2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00CA2FA9
DestroyWindow.USER32(?), ref: 00CA2FB1

Strings

SysAnimate32, xrefs: 00CA2F68

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 40f48bdcd1ab299f82e19f6da973b4ab93f115a41ce50ebba2adc8959178754d
Instruction ID: 3ab828185e22be473cb1bbfb5e094ee1c93a50b0473ede383bc50503a77c7d07
Opcode Fuzzy Hash: 40f48bdcd1ab299f82e19f6da973b4ab93f115a41ce50ebba2adc8959178754d
Instruction Fuzzy Hash: 8F218E71204226AFEB104FA8DC80FBB77B9EB5A36CF104619F960D6190D771DD91A760

Function 00CA5660 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 00CA56BB
_wcslen.LIBCMT ref: 00CA56CD
_wcslen.LIBCMT ref: 00CA56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00CA5816

Strings

@U=u, xrefs: 00CA56BB, 00CA5816

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: MessageSend_wcslen
String ID: @U=u
API String ID: 455545452-2594219639
Opcode ID: 6ec7bb21334df91f0bc97f58413d40fbccd8353a0899db1e8c5f336ecb244c3d
Instruction ID: 42b1f66983af257edb860582573f3a0c33b2f94e3f8b17e1614197cc6b18c95c
Opcode Fuzzy Hash: 6ec7bb21334df91f0bc97f58413d40fbccd8353a0899db1e8c5f336ecb244c3d
Instruction Fuzzy Hash: 0F11D67161060696DF20DFA1CC85BEE777CFF16768F108026F915D6181EB70DA84CB64

Function 00C1600E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00C1604C
GetStockObject.GDI32(00000011), ref: 00C16060
SendMessageW.USER32(00000000,00000030,00000000), ref: 00C1606A

Strings

@U=u, xrefs: 00C1606A

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID: @U=u
API String ID: 3970641297-2594219639
Opcode ID: 535bddd5a0b0fd4c84b27ddfb899b0cc6f5b9194249d331a68f4e02c35e21ea0
Instruction ID: db94eb2746635087707f027d907d1bb99daabacde9cdfb2a2ea40a8686e45d83
Opcode Fuzzy Hash: 535bddd5a0b0fd4c84b27ddfb899b0cc6f5b9194249d331a68f4e02c35e21ea0
Instruction Fuzzy Hash: 55115E72501548BFEF128F949C84BEEBF69EF0E358F040115FA1452110DB329DA0EB94

Function 00C34D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00C34D1E,00C428E9,?,00C34CBE,00C428E9,00CD88B8,0000000C,00C34E15,00C428E9,00000002), ref: 00C34D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00C34DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00C34D1E,00C428E9,?,00C34CBE,00C428E9,00CD88B8,0000000C,00C34E15,00C428E9,00000002,00000000), ref: 00C34DC3

Strings

mscoree.dll, xrefs: 00C34D86
CorExitProcess, xrefs: 00C34D98

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: eee71ac125b8f790ec1914ce12af77729173d693399b5009432948e640a862f3
Instruction ID: da7b8ece9206d2ab7934444a2674886cb9fc8cfe7d8412fd422a871b817668d8
Opcode Fuzzy Hash: eee71ac125b8f790ec1914ce12af77729173d693399b5009432948e640a862f3
Instruction Fuzzy Hash: A7F04F35A50218BBDB159F94DC89BEEBFF5EF44755F1001A5F906A3260CF70AE40DA90

Function 00C14E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00C14EDD,?,00CE1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C14E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00C14EAE
FreeLibrary.KERNEL32(00000000,?,?,00C14EDD,?,00CE1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C14EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 00C14EA8
kernel32.dll, xrefs: 00C14E94

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: e49798c01fbd1eca6d3d0f9366d2710822753251406b5e696bc540c34346b2cb
Instruction ID: 1fea217f33125edcca3ae138d9685952d82a76406bb3c220bbb8ec9c907af52f
Opcode Fuzzy Hash: e49798c01fbd1eca6d3d0f9366d2710822753251406b5e696bc540c34346b2cb
Instruction Fuzzy Hash: BBE0CD36B015225BD23117257C58BAFA554AF83F667050125FE04D3240DB60CE4154B1

Function 00C14E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00C53CDE,?,00CE1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C14E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00C14E74
FreeLibrary.KERNEL32(00000000,?,?,00C53CDE,?,00CE1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00C14E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 00C14E6E
kernel32.dll, xrefs: 00C14E5B

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: d40dd69525ea1dd5c2c29287f2e3630acde5de0f3be1bd3152c34e99027996fb
Instruction ID: 2bb1281f7142238e7de737be0f34ce43d41b2c800ef7d54c26feeba7189872b1
Opcode Fuzzy Hash: d40dd69525ea1dd5c2c29287f2e3630acde5de0f3be1bd3152c34e99027996fb
Instruction Fuzzy Hash: 41D0C2366026235746221B247C08FCFAA18AF83B193050221FA00A3110CF21CE5291E0

Function 00C82947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00C82C05
DeleteFileW.KERNEL32(?), ref: 00C82C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00C82C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00C82CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00C82CC0

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: a0db0c9eee999aba0b0d0a6a9c3e514a576a68af070875eed3c2547d06289fc0
Instruction ID: ab5c2f6627292c67927536d310c69987a53dc7a462d74883cf571680836fc9e5
Opcode Fuzzy Hash: a0db0c9eee999aba0b0d0a6a9c3e514a576a68af070875eed3c2547d06289fc0
Instruction Fuzzy Hash: 72B17D71A00119ABDF25EFA4CC89EEEB7BCEF49314F0040A6F509E6141EA319A449F64

Function 00C9A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00C9A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00C9A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00C9A468
CloseHandle.KERNEL32(?), ref: 00C9A63D

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: f6e2df26c3e90f484c4381e2025157d06cabd47ef33ea4e88449fc42dc916bdd
Instruction ID: f47ebaee279ce20c6e5a25763d6909c04b5f2a91f02a81d2a2e233eaf0217ec6
Opcode Fuzzy Hash: f6e2df26c3e90f484c4381e2025157d06cabd47ef33ea4e88449fc42dc916bdd
Instruction Fuzzy Hash: 33A1A1716043019FDB20DF28D886F2AB7E5AF84714F14881DF96A9B392DB70ED41DB92

Function 00C4BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00CB3700), ref: 00C4BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,00CE121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00C4BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00CE1270,000000FF,?,0000003F,00000000,?), ref: 00C4BC36
_free.LIBCMT ref: 00C4BB7F

Part of subcall function 00C429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00C4D7D1,00000000,00000000,00000000,00000000,?,00C4D7F8,00000000,00000007,00000000,?,00C4DBF5,00000000), ref: 00C429DE
Part of subcall function 00C429C8: GetLastError.KERNEL32(00000000,?,00C4D7D1,00000000,00000000,00000000,00000000,?,00C4D7F8,00000000,00000007,00000000,?,00C4DBF5,00000000,00000000), ref: 00C429F0

_free.LIBCMT ref: 00C4BD4B

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 563bd492f2a43a7eda40daadd938c4fd51c985672f7fce28ef80ee0400acab54
Instruction ID: 62f17794217241d2198ddf3f4fb248e1095d8094e5dc2fb487a67fe8caf62ea8
Opcode Fuzzy Hash: 563bd492f2a43a7eda40daadd938c4fd51c985672f7fce28ef80ee0400acab54
Instruction Fuzzy Hash: 6851C672D00219AFCB14EF669CC1AAEB7BCFF41320F14426AE564D71A1EB30DE419B90

Function 00C7E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00C7DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00C7CF22,?), ref: 00C7DDFD

Part of subcall function 00C7DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00C7CF22,?), ref: 00C7DE16

Part of subcall function 00C7E199: GetFileAttributesW.KERNEL32(?,00C7CF95), ref: 00C7E19A

lstrcmpiW.KERNEL32(?,?), ref: 00C7E473
MoveFileW.KERNEL32(?,?), ref: 00C7E4AC
_wcslen.LIBCMT ref: 00C7E5EB
_wcslen.LIBCMT ref: 00C7E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00C7E650

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 201f13a954fad27c1547fa19e06f19b4cf56a90d329e035f152cda862c8e4ea7
Instruction ID: e854ee60e6ac36861f1b441a2c59904627254910c7fe17ea5423966e2dc87c4d
Opcode Fuzzy Hash: 201f13a954fad27c1547fa19e06f19b4cf56a90d329e035f152cda862c8e4ea7
Instruction Fuzzy Hash: 025182B35083455BC724EB90D891ADF73ECAF89340F00891EF699D3191EF74A688D766

Function 00C9B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C19CB3: _wcslen.LIBCMT ref: 00C19CBD

Part of subcall function 00C9C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C9B6AE,?,?), ref: 00C9C9B5
Part of subcall function 00C9C998: _wcslen.LIBCMT ref: 00C9C9F1
Part of subcall function 00C9C998: _wcslen.LIBCMT ref: 00C9CA68
Part of subcall function 00C9C998: _wcslen.LIBCMT ref: 00C9CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C9BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00C9BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00C9BB63
RegCloseKey.ADVAPI32(?,?), ref: 00C9BBA6
RegCloseKey.ADVAPI32(00000000), ref: 00C9BBB3

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 1edc7a8930ca236d3046f05dc5defb0b997134835f7dd97e1862e48aeceb0fe5
Instruction ID: 6f6cdf2643cb2387a79f28f1b1ad3daad3093624fd1e2a53b42dd6ed816a6731
Opcode Fuzzy Hash: 1edc7a8930ca236d3046f05dc5defb0b997134835f7dd97e1862e48aeceb0fe5
Instruction Fuzzy Hash: D561B131208241AFD714DF14C5D4E6ABBE5FF85308F14855CF49A8B2A2DB31ED46DB92

Function 00C78BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00C78BCD
VariantClear.OLEAUT32 ref: 00C78C3E
VariantClear.OLEAUT32 ref: 00C78C9D
VariantClear.OLEAUT32(?), ref: 00C78D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00C78D3B

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: c1359f2ca0c33f08e9ccb3bd78714b14a9995078b4b05103e81af0d347c53b2c
Instruction ID: b1abe23b8b4e8dc1ce952cf6fda6d2b313010f12c2762d41a1b27f49aa827e7d
Opcode Fuzzy Hash: c1359f2ca0c33f08e9ccb3bd78714b14a9995078b4b05103e81af0d347c53b2c
Instruction Fuzzy Hash: B7515AB5A0021AEFCB14CF68C894AAAB7F8FF9D314B158559E919DB350E730E911CF90

Function 00C88AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00C88BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00C88BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00C88C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00C88C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00C88C5F

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 3f20270491fb60778eb861b198c313a2da2c99092798038cb28265cb8f8d0aa9
Instruction ID: bdc7fbc2dcff219b295016b474f2fc72baf5780d21315524468f0625539b4a98
Opcode Fuzzy Hash: 3f20270491fb60778eb861b198c313a2da2c99092798038cb28265cb8f8d0aa9
Instruction Fuzzy Hash: F8514D35A002159FCB05DF64C881EADBBF5FF4A314F088458E849AB362DB31ED55EB90

Function 00C98EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00C98F40
GetProcAddress.KERNEL32(00000000,?), ref: 00C98FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00C98FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00C99032
FreeLibrary.KERNEL32(00000000), ref: 00C99052

Part of subcall function 00C2F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00C81043,?,75B8E610), ref: 00C2F6E6
Part of subcall function 00C2F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00C6FA64,00000000,00000000,?,?,00C81043,?,75B8E610,?,00C6FA64), ref: 00C2F70D

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 81b1ca6c8c6a22252653000ffdcf1b044b63b18d7103bcd54be9710145e62ae4
Instruction ID: a8ad85606f93104bda9b585467fe16505e695a43e2987c5681154cc39386a70b
Opcode Fuzzy Hash: 81b1ca6c8c6a22252653000ffdcf1b044b63b18d7103bcd54be9710145e62ae4
Instruction Fuzzy Hash: B0513A35600205DFCB15DF58C4989ADBBF1FF4A314B0480A8E91A9B362DB31EE86DF90

Function 00C42051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00C420C3
_free.LIBCMT ref: 00C420E3

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 02486860fd1d424121392623f8d10b6a46551600fc63ca2e71f70b904b95004f
Instruction ID: b19240197a56ccea0a72bce3529d795c55f8f2b5eb6317d320186160d17c6c96
Opcode Fuzzy Hash: 02486860fd1d424121392623f8d10b6a46551600fc63ca2e71f70b904b95004f
Instruction Fuzzy Hash: 6C41D232A002049FDB24DF78C882A5EB7F5FF89314F5545A9F516EB396DA31AE01DB80

Function 00C2912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00C29141
ScreenToClient.USER32(00000000,?), ref: 00C2915E
GetAsyncKeyState.USER32(00000001), ref: 00C29183
GetAsyncKeyState.USER32(00000002), ref: 00C2919D

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: c0428757d055ad37b03007490e9f55d15503c98d9ad3a9ddaaee89f549821b6c
Instruction ID: 9dacc6e59ed7bb2fa65dbb122126fdfcaeb5d2635c6a16536231ff5059e6c75d
Opcode Fuzzy Hash: c0428757d055ad37b03007490e9f55d15503c98d9ad3a9ddaaee89f549821b6c
Instruction Fuzzy Hash: 3E415F7190861AABDF159F69D884BEEB774FB06328F204716E439A32D0C7345A50DB91

Function 00C83874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00C838CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00C83922
TranslateMessage.USER32(?), ref: 00C8394B
DispatchMessageW.USER32(?), ref: 00C83955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C83966

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: e887c418916292665a58f17da1e37e9e88640ae6f44945564ab405148d25e1c1
Instruction ID: 396f0db20c75396455cb4709baed9ceba361d67a789717ec0c0139a84f5021bb
Opcode Fuzzy Hash: e887c418916292665a58f17da1e37e9e88640ae6f44945564ab405148d25e1c1
Instruction Fuzzy Hash: D231C4709043C19EEB35EB35D888BBA37A8AB05718F08156DE876870E0E7B49B85DB15

Function 00C8CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,00C8C21E,00000000), ref: 00C8CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 00C8CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,00C8C21E,00000000), ref: 00C8CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,00C8C21E,00000000), ref: 00C8CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,00C8C21E,00000000), ref: 00C8CFF2

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 30e0325c9f372004f8e56219e06ed1b4edf6e3a95419fe9ada06c9512410ad63
Instruction ID: d5f1868f06fd41a5020069fce40b4d6cf5a62c3e7e459896911ebe742689cc31
Opcode Fuzzy Hash: 30e0325c9f372004f8e56219e06ed1b4edf6e3a95419fe9ada06c9512410ad63
Instruction Fuzzy Hash: 2A314A71604205AFEB20EFE5D8C4AAFBBF9EB15359B10442EF616D3150DB30AE41DB64

Function 00C71901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00C71915
PostMessageW.USER32(00000001,00000201,00000001), ref: 00C719C1
Sleep.KERNEL32(00000000,?,?,?), ref: 00C719C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 00C719DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 00C719E2

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 8e04a7f14d2d1f2696da8696939f6f345169df97f071ec9970f9d2ef6472a2bf
Instruction ID: d33da82fc581b4ecf88efacc7979625b46d0d479b705b20d83128c60197a5489
Opcode Fuzzy Hash: 8e04a7f14d2d1f2696da8696939f6f345169df97f071ec9970f9d2ef6472a2bf
Instruction Fuzzy Hash: 4C31AD71A00219EFCB10CFACC999BDE3BB5EB45315F148229FE25A72D1C7709A55CB90

Function 00C90930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00C90951
GetForegroundWindow.USER32 ref: 00C90968
GetDC.USER32(00000000), ref: 00C909A4
GetPixel.GDI32(00000000,?,00000003), ref: 00C909B0
ReleaseDC.USER32(00000000,00000003), ref: 00C909E8

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: c889d8587108f8c8bf25e82b7d7483836d405551573d10763aac045e565591c5
Instruction ID: 32764b1aac556f408b76e7b936cd15e67fc6c2f11114647279d8e99f7a77e991
Opcode Fuzzy Hash: c889d8587108f8c8bf25e82b7d7483836d405551573d10763aac045e565591c5
Instruction Fuzzy Hash: 3F219335600204AFD704EF65C988BAEBBF9EF45704F148468F85AE7352DB30AD45DB50

Function 00C4CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00C4CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00C4CDE9

Part of subcall function 00C43820: RtlAllocateHeap.NTDLL(00000000,?,00CE1444,?,00C2FDF5,?,?,00C1A976,00000010,00CE1440,00C113FC,?,00C113C6,?,00C11129), ref: 00C43852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00C4CE0F
_free.LIBCMT ref: 00C4CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00C4CE31

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 1e6ff1423602e380e88ed5c00ce5724682d78a10909c2c8163d4757b70054281
Instruction ID: ea07bd886d0eb9c83850cf7348a92847241fb4684646f49fc5c6d31d89eccc87
Opcode Fuzzy Hash: 1e6ff1423602e380e88ed5c00ce5724682d78a10909c2c8163d4757b70054281
Instruction Fuzzy Hash: 280184726032157F276116B76CC8E7F696DFFC7BA53150129F915C7221EF618E0291B0

Function 00C29639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00C29693
SelectObject.GDI32(?,00000000), ref: 00C296A2
BeginPath.GDI32(?), ref: 00C296B9
SelectObject.GDI32(?,00000000), ref: 00C296E2

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: f0f4e052ee40dca24412d6271d2ef15ca748077e77ae760ca1d974bcc11c6989
Instruction ID: 5f6ac1c31ca30080bd953acf03588565ba5599bb8a7b5e2c625e2bcd9aed6b95
Opcode Fuzzy Hash: f0f4e052ee40dca24412d6271d2ef15ca748077e77ae760ca1d974bcc11c6989
Instruction Fuzzy Hash: 3A218030802355EBDB119F25FC88BAD3BB8FB01315F140216F820AB1B2D37499A1CF90

Function 00C75711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00C75726
_memcmp.LIBVCRUNTIME ref: 00C75744
_memcmp.LIBVCRUNTIME ref: 00C75757
_memcmp.LIBVCRUNTIME ref: 00C7576F
_memcmp.LIBVCRUNTIME ref: 00C75787

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: b37fcbc03c6e163636846b32fa46487886925fcfa423922f9029b60c270bfd1c
Instruction ID: 5f1365d5740565f059f276c94699a8967c8861ecb13e1517458d30e1feccc306
Opcode Fuzzy Hash: b37fcbc03c6e163636846b32fa46487886925fcfa423922f9029b60c270bfd1c
Instruction Fuzzy Hash: BC01B5A166160ABFE21C55529D82FBB735C9B213A8F048034FD1C9A241F7B1EE5196B0

Function 00C42DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00C3F2DE,00C43863,00CE1444,?,00C2FDF5,?,?,00C1A976,00000010,00CE1440,00C113FC,?,00C113C6), ref: 00C42DFD
_free.LIBCMT ref: 00C42E32
_free.LIBCMT ref: 00C42E59
SetLastError.KERNEL32(00000000,00C11129), ref: 00C42E66
SetLastError.KERNEL32(00000000,00C11129), ref: 00C42E6F

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 4d60c5dfc7d32a5ba2b86e18b5c46891311a7a16efd9d9af3dd0be37fd8ddee2
Instruction ID: adda5209417a560a065c70c62d2a5d01e01a3adf73e292cc56b86b5f37624545
Opcode Fuzzy Hash: 4d60c5dfc7d32a5ba2b86e18b5c46891311a7a16efd9d9af3dd0be37fd8ddee2
Instruction Fuzzy Hash: FA01F43260660167CA1267366C87F6F2669BBD23A6BE40029F431E32A3EF74CD01A120

Function 00C7000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C6FF41,80070057,?,?,?,00C7035E), ref: 00C7002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C6FF41,80070057,?,?), ref: 00C70046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C6FF41,80070057,?,?), ref: 00C70054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C6FF41,80070057,?), ref: 00C70064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C6FF41,80070057,?,?), ref: 00C70070

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: ee660adf0c313c44579a228422833e6a8b96572f4007c1e6c2da50107195b175
Instruction ID: 14162b03d2dc074b54f4ff1eb9af76beef692ffff95eb12ac3eb8bce7b676739
Opcode Fuzzy Hash: ee660adf0c313c44579a228422833e6a8b96572f4007c1e6c2da50107195b175
Instruction Fuzzy Hash: 0F018F72600204FFDB104F69DC48BAE7BEDEB44766F248124F909D3210D779DE409BA0

Function 00C7E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 00C7E997
QueryPerformanceFrequency.KERNEL32(?), ref: 00C7E9A5
Sleep.KERNEL32(00000000), ref: 00C7E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 00C7E9B7
Sleep.KERNEL32 ref: 00C7E9F3

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 829d73f68c671ae9f6c23f989a63d9913a920420df60f085f44ec2929094de10
Instruction ID: 4e18c7f28a7ef5cdf624d1fe8092a59fed739ee978d7bf2840c80478ca3c481b
Opcode Fuzzy Hash: 829d73f68c671ae9f6c23f989a63d9913a920420df60f085f44ec2929094de10
Instruction Fuzzy Hash: D6011732D01629DBCF00ABE5D899BEDBB78BF0E701F004596EA16B2251CB349655CBA1

Function 00C710F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C71114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00C70B9B,?,?,?), ref: 00C71120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00C70B9B,?,?,?), ref: 00C7112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00C70B9B,?,?,?), ref: 00C71136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C7114D

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 44d01111d23d7106b58d3e67612ab5314162627c8dec4f164e52cf41d2c5e68c
Instruction ID: ff8d790bba3247bf815beb54ce1f44f01da9292ad32f034bfd7dcd0b6041220c
Opcode Fuzzy Hash: 44d01111d23d7106b58d3e67612ab5314162627c8dec4f164e52cf41d2c5e68c
Instruction Fuzzy Hash: 54011975200205BFDB114FA9DC89B6E3B6EEF8A3A4B644419FA45D7360DA31DD109A60

Function 00C70FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00C70FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00C70FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00C70FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00C70FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00C71002

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: c5c51e00411270c52d295d2499a871057943dbe585881e6fe411e4c1b0c740ca
Instruction ID: 0413710c090de4d678ba7d218d2809fc4356613b905069b55a6431b558c9d188
Opcode Fuzzy Hash: c5c51e00411270c52d295d2499a871057943dbe585881e6fe411e4c1b0c740ca
Instruction Fuzzy Hash: F6F04935200301AFDB214FA89C89F9A3BADEF8A766F144414FA49C7251DE70DC508A60

Function 00C71014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00C7102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00C71036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C71045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00C7104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C71062

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: cf7a583c2cbfc6dad122758e9660c36bdc6152b19820f59e80ea34dccf2a7663
Instruction ID: f3cc19f1bd147346447bacb805fd39bfc7da7f92b008879763cb19203e3440df
Opcode Fuzzy Hash: cf7a583c2cbfc6dad122758e9660c36bdc6152b19820f59e80ea34dccf2a7663
Instruction Fuzzy Hash: B7F06D35200301FBDB215FA8EC89F9A3BADEF8A765F144414FE49C7250DE70D9508A60

Function 00C8030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,00C8017D,?,00C832FC,?,00000001,00C52592,?), ref: 00C80324
CloseHandle.KERNEL32(?,?,?,?,00C8017D,?,00C832FC,?,00000001,00C52592,?), ref: 00C80331
CloseHandle.KERNEL32(?,?,?,?,00C8017D,?,00C832FC,?,00000001,00C52592,?), ref: 00C8033E
CloseHandle.KERNEL32(?,?,?,?,00C8017D,?,00C832FC,?,00000001,00C52592,?), ref: 00C8034B
CloseHandle.KERNEL32(?,?,?,?,00C8017D,?,00C832FC,?,00000001,00C52592,?), ref: 00C80358
CloseHandle.KERNEL32(?,?,?,?,00C8017D,?,00C832FC,?,00000001,00C52592,?), ref: 00C80365

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 15bc48ef4fc0762d5dbef3ef42710a45e58db3678c8162e4c127d493377dd3e4
Instruction ID: 2a60ff37e9850cc93963563cb14e4113a762db26c58cf2a8275f37eb79bb5b52
Opcode Fuzzy Hash: 15bc48ef4fc0762d5dbef3ef42710a45e58db3678c8162e4c127d493377dd3e4
Instruction Fuzzy Hash: 30019072801B159FCB30AF66D880416F7F5BF602193258A3ED1A652931C771AA58DF84

Function 00C4D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00C4D752

Part of subcall function 00C429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00C4D7D1,00000000,00000000,00000000,00000000,?,00C4D7F8,00000000,00000007,00000000,?,00C4DBF5,00000000), ref: 00C429DE
Part of subcall function 00C429C8: GetLastError.KERNEL32(00000000,?,00C4D7D1,00000000,00000000,00000000,00000000,?,00C4D7F8,00000000,00000007,00000000,?,00C4DBF5,00000000,00000000), ref: 00C429F0

_free.LIBCMT ref: 00C4D764
_free.LIBCMT ref: 00C4D776
_free.LIBCMT ref: 00C4D788
_free.LIBCMT ref: 00C4D79A

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: defb73ef8943c9e2dfaf6213f52cf4238d4ed9aa37333cc01ba136eee1ebf9a0
Instruction ID: 8059b41ae8f84a4d39d99ac8b9141c427788b722ee677d237092993823095de5
Opcode Fuzzy Hash: defb73ef8943c9e2dfaf6213f52cf4238d4ed9aa37333cc01ba136eee1ebf9a0
Instruction Fuzzy Hash: CDF09032541205AB8621FB69F9C2E1A7BDDBB04320BE40C06F05AE7546CB30FC80DA60

Function 00C75C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00C75C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00C75C6F
MessageBeep.USER32(00000000), ref: 00C75C87
KillTimer.USER32(?,0000040A), ref: 00C75CA3
EndDialog.USER32(?,00000001), ref: 00C75CBD

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 00d179fba3f3835c3bc3a8e705b708139bbe7e48329188c35ddf770ca150daba
Instruction ID: 79400189d0d61fe3c6fe03756fa5865c5029b728fa854ac18697ca79ea441419
Opcode Fuzzy Hash: 00d179fba3f3835c3bc3a8e705b708139bbe7e48329188c35ddf770ca150daba
Instruction Fuzzy Hash: F401A430500B04ABEB219B11DD8EFEA77B8BF05B09F044559B597A20E1DBF0AA84CB90

Function 00C422A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00C422BE

Part of subcall function 00C429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00C4D7D1,00000000,00000000,00000000,00000000,?,00C4D7F8,00000000,00000007,00000000,?,00C4DBF5,00000000), ref: 00C429DE
Part of subcall function 00C429C8: GetLastError.KERNEL32(00000000,?,00C4D7D1,00000000,00000000,00000000,00000000,?,00C4D7F8,00000000,00000007,00000000,?,00C4DBF5,00000000,00000000), ref: 00C429F0

_free.LIBCMT ref: 00C422D0
_free.LIBCMT ref: 00C422E3
_free.LIBCMT ref: 00C422F4
_free.LIBCMT ref: 00C42305

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 0a0586d1d3f7f103e70acfd57ec8bbbae2bc40712f664e8eb7d0c05fd380f512
Instruction ID: 66c842e4adb97cf9d2489d04107457dd67596ea345800028d12b437593d7d792
Opcode Fuzzy Hash: 0a0586d1d3f7f103e70acfd57ec8bbbae2bc40712f664e8eb7d0c05fd380f512
Instruction Fuzzy Hash: ECF05E708011A19B9A22AF95BC83B0C3B68F728770794050BF810DE2B1C7715962FFE4

Function 00C295C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00C295D4
StrokeAndFillPath.GDI32(?,?,00C671F7,00000000,?,?,?), ref: 00C295F0
SelectObject.GDI32(?,00000000), ref: 00C29603
DeleteObject.GDI32 ref: 00C29616
StrokePath.GDI32(?), ref: 00C29631

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: e6d2a022b37d685a43a42dafe7ba8c0cf91592e152d7d9d54f808c2efe3252e3
Instruction ID: 66c4a864678db802bce69f763be00c7b36f9d01d7e6a2709e031545fcc17929b
Opcode Fuzzy Hash: e6d2a022b37d685a43a42dafe7ba8c0cf91592e152d7d9d54f808c2efe3252e3
Instruction Fuzzy Hash: 60F03C30005244EBDB125F65ED9C7AC3BA1EB02326F088224F9255A4F2CB348AA1DF20

Function 00C40F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00C410F9
__freea.LIBCMT ref: 00C41117

Part of subcall function 00C41537: _free.LIBCMT ref: 00C4154F

Strings

a/p, xrefs: 00C411DE
am/pm, xrefs: 00C4117A

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: ffd513e567bdef884e48b25a0bd0795b0b8efa3f593113199d7ad124c9021967
Instruction ID: 4215e8cc08471393e90bb90a8fec2391b4cc92512362a0e15fc1e021f168f297
Opcode Fuzzy Hash: ffd513e567bdef884e48b25a0bd0795b0b8efa3f593113199d7ad124c9021967
Instruction Fuzzy Hash: 83D10331A10246CADB289F69C855BFEBBB0FF05710F2C4119EDA1AB661D3759EC0CB91

Function 00C97B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00C30242: EnterCriticalSection.KERNEL32(00CE070C,00CE1884,?,?,00C2198B,00CE2518,?,?,?,00C112F9,00000000), ref: 00C3024D
Part of subcall function 00C30242: LeaveCriticalSection.KERNEL32(00CE070C,?,00C2198B,00CE2518,?,?,?,00C112F9,00000000), ref: 00C3028A

Part of subcall function 00C19CB3: _wcslen.LIBCMT ref: 00C19CBD

Part of subcall function 00C300A3: __onexit.LIBCMT ref: 00C300A9

__Init_thread_footer.LIBCMT ref: 00C97BFB

Part of subcall function 00C301F8: EnterCriticalSection.KERNEL32(00CE070C,?,?,00C28747,00CE2514), ref: 00C30202
Part of subcall function 00C301F8: LeaveCriticalSection.KERNEL32(00CE070C,?,00C28747,00CE2514), ref: 00C30235

Strings

Variable must be of type 'Object'., xrefs: 00C97C3A
5, xrefs: 00C97C78
G, xrefs: 00C97C7F

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: 53058d17ff394417ea04726046ebe0af7aad0ee05f4654c3e0eec2ae6d29664d
Instruction ID: 47940d927af1ffd3b063b5325eebaee9b2d956505bdac81f2749d2712eb2beef
Opcode Fuzzy Hash: 53058d17ff394417ea04726046ebe0af7aad0ee05f4654c3e0eec2ae6d29664d
Instruction Fuzzy Hash: BA91BA71A15209EFCF04EF94C8999ADB7B1FF49304F108159F816AB292DB31AE81EB50

Function 00C4172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\3FjrbCZgDN.exe,00000104), ref: 00C41769
_free.LIBCMT ref: 00C41834
_free.LIBCMT ref: 00C4183E

Strings

C:\Users\user\Desktop\3FjrbCZgDN.exe, xrefs: 00C41760, 00C41767, 00C41796, 00C417CE

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\3FjrbCZgDN.exe
API String ID: 2506810119-863556292
Opcode ID: 60b0ae86e996e5c41a4bef042ade8e5841648a69fc9cdf8007a25c28d73a684b
Instruction ID: 822b92ce9563a0c3a8b11bb7eace1235aa42da7108b81c156af849da92989621
Opcode Fuzzy Hash: 60b0ae86e996e5c41a4bef042ade8e5841648a69fc9cdf8007a25c28d73a684b
Instruction Fuzzy Hash: 1A318D71A00258ABDB21DF9ADC81E9EBBFCFB85310B194166FD549B251D6708A80DBA0

Function 00C7C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00C7C306
DeleteMenu.USER32(?,00000007,00000000), ref: 00C7C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00CE1990,00F65530), ref: 00C7C395

Strings

0, xrefs: 00C7C2DF

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: d6786e713ae31df4c45ab18f47acefae11e0496939eadcde5b214afc9197d7d0
Instruction ID: 283ec29dc1ff6d14d4f91d1f56df2398ed108f48e0decdf29a9ffedb7902109d
Opcode Fuzzy Hash: d6786e713ae31df4c45ab18f47acefae11e0496939eadcde5b214afc9197d7d0
Instruction Fuzzy Hash: E9419F712043029FD720DF25D8C4B9ABBE8AF85324F14CA1DF9A9972E1D730E904DB62

Function 00CA4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00CACC08,00000000,?,?,?,?), ref: 00CA44AA
GetWindowLongW.USER32 ref: 00CA44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00CA44D7

Strings

SysTreeView32, xrefs: 00CA447C

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 2cbc6f3cb31ee3d1ac85d592d30721fb79e40830d1655eeed6da7c5ea3b57530
Instruction ID: 13f27307429f8300f17e72fd810abf7ca87c7068a955f46f006db778f1ea0a93
Opcode Fuzzy Hash: 2cbc6f3cb31ee3d1ac85d592d30721fb79e40830d1655eeed6da7c5ea3b57530
Instruction Fuzzy Hash: B8319E31210606AFDB248F78DC85BEA77A9EB4A338F204725F975931E0D7B0ED509B50

Function 00C9304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00C9335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00C93077,?,?), ref: 00C93378

inet_addr.WSOCK32(?), ref: 00C9307A
_wcslen.LIBCMT ref: 00C9309B
htons.WSOCK32(00000000), ref: 00C93106

Strings

255.255.255.255, xrefs: 00C93095, 00C9309A

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 6700053ab4bd15b74e2493be6521c353358a1ffcf813e85e28bc72f9b46bd0ce
Instruction ID: 7c72c338673c71e96cb1f925612ae64421c5fc31e1430f612b9f0be7181cb01f
Opcode Fuzzy Hash: 6700053ab4bd15b74e2493be6521c353358a1ffcf813e85e28bc72f9b46bd0ce
Instruction Fuzzy Hash: 5B31B2352002819FCF20CF69C589AAA77E0EF55318F248059E9258B3A2D731EF45C760

Function 00CA4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00CA4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00CA4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00CA471A

Strings

msctls_updown32, xrefs: 00CA4684

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 6a0efa6eb90c4af59000b72789fab19e8329d80d0f338ac247f84b64903a538a
Instruction ID: e1aea0e555df983eae506241229a44350f5d1eb0e008af96056286ec76757be4
Opcode Fuzzy Hash: 6a0efa6eb90c4af59000b72789fab19e8329d80d0f338ac247f84b64903a538a
Instruction Fuzzy Hash: 38214FB5600245AFDB14DF68DCC1EAB37ADEB8B3A8B040059FA109B261DB70ED51DB60

Function 00C795AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00C7961D

Strings

#notrayicon, xrefs: 00C795B7
#requireadmin, xrefs: 00C795D9
#OnAutoItStartRegister, xrefs: 00C795F3

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: db0a2ec3f9b9772fe75117b569290826b6fd686dab94e0a0c97d03a167e2a7b7
Instruction ID: c2ea28e91db22af7f4fcb748357ffb6975dda1308749e840ba750ca560612e14
Opcode Fuzzy Hash: db0a2ec3f9b9772fe75117b569290826b6fd686dab94e0a0c97d03a167e2a7b7
Instruction Fuzzy Hash: F0215B7210422166C371AB259C02FF773E8DF52314F10C13AF95D97181EB71AE86E2D5

Function 00CA37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00CA3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00CA3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00CA3876

Strings

Listbox, xrefs: 00CA380F

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: c60cbb18111247e77ab5b07601fcda51528f1cf76cca9d2d47d17eea019c18ca
Instruction ID: 17899ca5fa4353bf6f55f89fa64d045bd2458aa3816011b3a6176a9ddf4df162
Opcode Fuzzy Hash: c60cbb18111247e77ab5b07601fcda51528f1cf76cca9d2d47d17eea019c18ca
Instruction Fuzzy Hash: AC21C272600119BBEF218F54CC85FBB376EEF8A758F118125F9109B190CA75DD51C7A0

Function 00C7223F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 83windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00C72258

Part of subcall function 00C16B57: _wcslen.LIBCMT ref: 00C16B6A

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00C7228A
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00C722CA

Strings

@U=u, xrefs: 00C72258, 00C7228A, 00C722CA

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID: @U=u
API String ID: 763830540-2594219639
Opcode ID: 7771bc709a0045e40b0770d8383feeaa33f7b90da2377c3f326c50f5bf8fe007
Instruction ID: fc4cca25c0b73cc1a3719a2269b97828cce656c7847abe1d6aa3ee30a5d4bbe2
Opcode Fuzzy Hash: 7771bc709a0045e40b0770d8383feeaa33f7b90da2377c3f326c50f5bf8fe007
Instruction Fuzzy Hash: E4210B31700204BBDB20AB648D89FEE7BADEF59724F048025FA19E7191DB70CE45A7A1

Function 00C849F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00C84A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00C84A5C
SetErrorMode.KERNEL32(00000000,?,?,00CACC08), ref: 00C84AD0

Strings

%lu, xrefs: 00C84A6F

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 29d89d47d3cd080e038d853636290b10e3d0eb43b76d76e72d5b9f7d8af1dcd5
Instruction ID: a557e7babadff5fc9092584acdd8de989e9fba5c85535b5ff865d84a37e55b50
Opcode Fuzzy Hash: 29d89d47d3cd080e038d853636290b10e3d0eb43b76d76e72d5b9f7d8af1dcd5
Instruction Fuzzy Hash: 36315E75A00109AFDB14DF54C885EAE7BF8EF09308F1480A9E909DB252DB71EE46DB61

Function 00C71B2C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00C71B4F
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00C71B61
SendMessageW.USER32(?,0000000D,?,00000000), ref: 00C71B99

Strings

@U=u, xrefs: 00C71B99

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 437e1374958231c0d96dd0c519f902d37e306087fbee19dcc487559bc2d47a90
Instruction ID: 4d878d5124ea9dc533536e208c135f63243b1e383accdae36db564ad36d3379e
Opcode Fuzzy Hash: 437e1374958231c0d96dd0c519f902d37e306087fbee19dcc487559bc2d47a90
Instruction Fuzzy Hash: 8021C072600118BFDB11DFACD841EAEB7FAEF44340F14446AE509E3290EA71BE419B94

Function 00C90CD5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 69windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000402,00000000,00000000), ref: 00C90D24
SendMessageW.USER32(0000000C,00000000,?), ref: 00C90D65
SendMessageW.USER32(0000000C,00000000,?), ref: 00C90D8D

Strings

@U=u, xrefs: 00C90D24, 00C90D65, 00C90D8D

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: cd46d2fae8eccd357f86dcaa7d2e65b86e5a13e406fdf97620a145d022e9d180
Instruction ID: 28d40788bb4a66266d8738f32183491a3292dd9cc5273cb3a7182e9000990709
Opcode Fuzzy Hash: cd46d2fae8eccd357f86dcaa7d2e65b86e5a13e406fdf97620a145d022e9d180
Instruction Fuzzy Hash: E2216A36300901AFDB10EB68D985E6AB7F6FF0A310B108555F9199B671DB30FC51EB90

Function 00CA41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00CA424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00CA4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00CA4271

Strings

msctls_trackbar32, xrefs: 00CA4226

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 5aa600152367356e2ede077d37cb59a075bda46441984a127acf3d50623a6aee
Instruction ID: c3c91cd1fa7115da5232395447d35d21ac2e62a0257276e15e325f07cca1561f
Opcode Fuzzy Hash: 5aa600152367356e2ede077d37cb59a075bda46441984a127acf3d50623a6aee
Instruction Fuzzy Hash: E8110631240249BEEF205F69CC46FAB3BACEFC6B58F010224FA55E6090D6B1DC519B50

Function 00C72F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C16B57: _wcslen.LIBCMT ref: 00C16B6A

Part of subcall function 00C72DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00C72DC5
Part of subcall function 00C72DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C72DD6
Part of subcall function 00C72DA7: GetCurrentThreadId.KERNEL32 ref: 00C72DDD
Part of subcall function 00C72DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00C72DE4

GetFocus.USER32 ref: 00C72F78

Part of subcall function 00C72DEE: GetParent.USER32(00000000), ref: 00C72DF9

GetClassNameW.USER32(?,?,00000100), ref: 00C72FC3
EnumChildWindows.USER32(?,00C7303B), ref: 00C72FEB

Strings

%s%d, xrefs: 00C72FFF

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 0902b07d11f373bd931e906b3052739578e2f31c172ed499bb9b0c5c44c16b84
Instruction ID: 3fd97b0e481e9e01e0beb031794a31dcd94ebfad357d2da23b2bd66543bd663e
Opcode Fuzzy Hash: 0902b07d11f373bd931e906b3052739578e2f31c172ed499bb9b0c5c44c16b84
Instruction Fuzzy Hash: 2F11B471600205ABCF14BF708CC5FEE376AAF95314F048079F90D9B252DE309A45EB60

Function 00CA3429 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00CA34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00CA34BA

Strings

@U=u, xrefs: 00CA34BA
edit, xrefs: 00CA348F

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: @U=u$edit
API String ID: 2978978980-590756393
Opcode ID: e47d04e3918b005ae051d507b7efdc1deaaa1cdf94d284e1920c7af8d709f1bd
Instruction ID: c50fed5f147387fc2056b16069eb1b28842620f12ef905ecc9545e3858478337
Opcode Fuzzy Hash: e47d04e3918b005ae051d507b7efdc1deaaa1cdf94d284e1920c7af8d709f1bd
Instruction Fuzzy Hash: 97118F7150024AAFEB128E64DC94BEB3B6AEB0A37CF504724F971971D0C771DE91AB50

Function 00C71CDE Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C19CB3: _wcslen.LIBCMT ref: 00C19CBD

Part of subcall function 00C73CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00C73CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00C71D4C

Strings

ComboBox, xrefs: 00C71CEB
@U=u, xrefs: 00C71D4C
ListBox, xrefs: 00C71D16

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: @U=u$ComboBox$ListBox
API String ID: 624084870-2258501812
Opcode ID: 32aab1310725374a38893ac2a51881dc7bad3ac564de45d11f0f50f5cfaf1263
Instruction ID: 50d27e8d44c8b81814c1a55521eba9fe7c696c62a58d80b77bdc21ee898bf44d
Opcode Fuzzy Hash: 32aab1310725374a38893ac2a51881dc7bad3ac564de45d11f0f50f5cfaf1263
Instruction Fuzzy Hash: 4501FC71601214ABCB15EBA8CC61DFE7368FF57390F04461AFC76573C1EA305908AB60

Function 00C71BD8 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C19CB3: _wcslen.LIBCMT ref: 00C19CBD

Part of subcall function 00C73CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00C73CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00C71C46

Strings

ComboBox, xrefs: 00C71BE5
@U=u, xrefs: 00C71C46
ListBox, xrefs: 00C71C10

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: @U=u$ComboBox$ListBox
API String ID: 624084870-2258501812
Opcode ID: f8a54472cb5b0bd3a878de82ce57134dbdabd24ec0408b06b04c6519a6e9a5b6
Instruction ID: 8aa64d59a9a8a1e1154335539a1629164c4bff6e34df86e22760766c544c922e
Opcode Fuzzy Hash: f8a54472cb5b0bd3a878de82ce57134dbdabd24ec0408b06b04c6519a6e9a5b6
Instruction Fuzzy Hash: B701A77578110467DB05EBD4C962AFF77A8DB13380F24401ABD5A672C1EA209F18A6B1

Function 00C71C5C Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C19CB3: _wcslen.LIBCMT ref: 00C19CBD

Part of subcall function 00C73CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00C73CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00C71CC8

Strings

ComboBox, xrefs: 00C71C69
@U=u, xrefs: 00C71CC8
ListBox, xrefs: 00C71C94

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: @U=u$ComboBox$ListBox
API String ID: 624084870-2258501812
Opcode ID: ce0df8ff80249716c3e0be024fb98c52a2067853cface005755131cf860f28fc
Instruction ID: a909011f9f9af8cd0132434bbef4ec07eea8e599ce1ceca54bfc0044e2308511
Opcode Fuzzy Hash: ce0df8ff80249716c3e0be024fb98c52a2067853cface005755131cf860f28fc
Instruction Fuzzy Hash: 4401DB7174011467DB05EBD8CA12AFF77A89B13380F144016BD46732C1EA309F18E6B1

Function 00CA5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00CA58C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00CA58EE
DrawMenuBar.USER32(?), ref: 00CA58FD

Strings

0, xrefs: 00CA588F

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 151e4a8c09bb2bc4f602ac36c04faaa6011d49a4aa874e9eea02d0e898f98874
Instruction ID: 4f8fa94b027908ede11150ec3e534b7a28ecf11b31853a91f80b7293cfa3e2d8
Opcode Fuzzy Hash: 151e4a8c09bb2bc4f602ac36c04faaa6011d49a4aa874e9eea02d0e898f98874
Instruction Fuzzy Hash: E5015B31500219EEDB219F61EC44BAFBBB4FF46364F10C0A9F849DA151DB308A85EF21

Function 00CA7803 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41windowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,00CE18B0,00CAA364,000000FC,?,00000000,00000000,?,?,?,00C676CF,?,?,?,?,?), ref: 00CA7805
GetFocus.USER32 ref: 00CA780D

Part of subcall function 00C29BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C29BB2

Part of subcall function 00C29944: GetWindowLongW.USER32(?,000000EB), ref: 00C29952

SendMessageW.USER32(00F6DE78,000000B0,000001BC,000001C0), ref: 00CA787A

Strings

@U=u, xrefs: 00CA787A

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Window$Long$FocusForegroundMessageSend
String ID: @U=u
API String ID: 3601265619-2594219639
Opcode ID: fb3d35554202506600527455868fa8a5f0c59159178bae66159f0397ec112270
Instruction ID: 003e1314ff7ee85375fa365f46dae0b3309d68b761bf8eb2c03a6fc9606a63d9
Opcode Fuzzy Hash: fb3d35554202506600527455868fa8a5f0c59159178bae66159f0397ec112270
Instruction Fuzzy Hash: 7C015E316011108BC725DB28EC9CBAA33E5BF8B368F180269E4259B2E1CB356D12CB40

Function 00C7007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ede8fb18de77df23ab8ae2999d189d11258ceb8fc21b094576a4f3cd382b740b
Instruction ID: bf810367d669ce40de15895ab143b7f237fefd1aca62a5aecf7d7ccc6cb716c3
Opcode Fuzzy Hash: ede8fb18de77df23ab8ae2999d189d11258ceb8fc21b094576a4f3cd382b740b
Instruction Fuzzy Hash: A6C14D75A00206EFDB14CFA4C898BAEB7B5FF48714F208598E519EB261D731DE81CB90

Function 00C9342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00C93459
CoUninitialize.OLE32 ref: 00C93463
VariantInit.OLEAUT32(?), ref: 00C9346E
VariantClear.OLEAUT32(?), ref: 00C9371B

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: fd00186ae6f5b332fd10b4b6bed834434e2dafcb3149d1447b091c728b1ef67c
Instruction ID: 0a880b63225cc5ee6db78206bd95c1f970449a4d0b578d38ecb71c05fdcef19f
Opcode Fuzzy Hash: fd00186ae6f5b332fd10b4b6bed834434e2dafcb3149d1447b091c728b1ef67c
Instruction Fuzzy Hash: 40A15A752043009FCB10DF28C489A6AB7E5FF89714F048959F98A9B362DB30EE41DB92

Function 00C70436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00CAFC08,?), ref: 00C705F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00CAFC08,?), ref: 00C70608
CLSIDFromProgID.OLE32(?,?,00000000,00CACC40,000000FF,?,00000000,00000800,00000000,?,00CAFC08,?), ref: 00C7062D
_memcmp.LIBVCRUNTIME ref: 00C7064E

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: e64b1e4f90e53f55f6a35d9779c49738373131b1acf5592c6102a0aeb1ee6225
Instruction ID: d2c11210e41d68fbecff97b9810cac46a5c31fa2006d8340d8b963adebdbb28d
Opcode Fuzzy Hash: e64b1e4f90e53f55f6a35d9779c49738373131b1acf5592c6102a0aeb1ee6225
Instruction Fuzzy Hash: D3810971A00109EFCB04DF94C998EEEB7B9FF89315F208558F516AB250DB71AE46CB60

Function 00C51391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00C514C0

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 202f1adb915a4de4db2c3fb91fbe65e724c528b3bbc589a3c1b8cc006017cd7b
Instruction ID: 5aba925abd29f8beb4077d3c7ccf33ebe6c27fb98ab8e71e92c3c91ed112a8aa
Opcode Fuzzy Hash: 202f1adb915a4de4db2c3fb91fbe65e724c528b3bbc589a3c1b8cc006017cd7b
Instruction Fuzzy Hash: BC413C39A00110ABDB216BBA9C4DBBF3AA4FF41371F1C0625FC29D6192E77489C56276

Function 00C91AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00C91AFD
WSAGetLastError.WSOCK32 ref: 00C91B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00C91B8A
WSAGetLastError.WSOCK32 ref: 00C91B94

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: c054e288ad98910b18d739ad44aff3cf7201089b1f26e8c4f1f60a03a8841f86
Instruction ID: 200a00f94d3c221fcf719407d7fbe7620feca400b7ee2ad86a27c9b7f1505161
Opcode Fuzzy Hash: c054e288ad98910b18d739ad44aff3cf7201089b1f26e8c4f1f60a03a8841f86
Instruction Fuzzy Hash: D641F5746002016FDB20AF24C88AF6977E1AB45708F54C448F9258F7D3D772ED82DB90

Function 00C4B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c174c1ca4a87bc5859a5b10163de4c08073e2412e0b7d22c9d0a195126af4e80
Instruction ID: 5c3bed0bbec07413a6630b1b4caa5487d81512a8c1155c84c4619ed77afa16c5
Opcode Fuzzy Hash: c174c1ca4a87bc5859a5b10163de4c08073e2412e0b7d22c9d0a195126af4e80
Instruction Fuzzy Hash: 32412475A00304AFD7259F38CC46BAABBE9FB88720F10852EF515DB282D371DE419790

Function 00C856D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00C85783
GetLastError.KERNEL32(?,00000000), ref: 00C857A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00C857CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00C857FA

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: b745f6ecd1ce92455132ba17ead7a92a9a90db42cdbb7110dc79fb12ff503a22
Instruction ID: b62ff9f39496fa147d669e71d7d45dc89315c49291536f1921365bbb27e3fcce
Opcode Fuzzy Hash: b745f6ecd1ce92455132ba17ead7a92a9a90db42cdbb7110dc79fb12ff503a22
Instruction Fuzzy Hash: 48414F35600610DFCB11EF15C484A5DBBF2EF4A324B18C488E85A9B362CB70FD41EB91

Function 00C4D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00C36D71,00000000,00000000,00C382D9,?,00C382D9,?,00000001,00C36D71,8BE85006,00000001,00C382D9,00C382D9), ref: 00C4D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00C4D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00C4D9AB
__freea.LIBCMT ref: 00C4D9B4

Part of subcall function 00C43820: RtlAllocateHeap.NTDLL(00000000,?,00CE1444,?,00C2FDF5,?,?,00C1A976,00000010,00CE1440,00C113FC,?,00C113C6,?,00C11129), ref: 00C43852

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: d19955e6e9c138387eb7ebee117a1e13bb3ccaa1d55b1c41225a1b726c10049e
Instruction ID: c93c7a0e11b1334ce12a8181bebb36c02fad338d2685c12c2fb0f968acf626d0
Opcode Fuzzy Hash: d19955e6e9c138387eb7ebee117a1e13bb3ccaa1d55b1c41225a1b726c10049e
Instruction Fuzzy Hash: A231DE72A1020AABDF24AF65DC85EEE7BA5FB51310F050168FC15D7290EB35DE50DB90

Function 00C7AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,753DC0D0,?,00008000), ref: 00C7ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 00C7AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 00C7AC74
SendInput.USER32(00000001,?,0000001C,753DC0D0,?,00008000), ref: 00C7ACC6

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: a7ab3594870e0c8c4a3c93b17813048f5bc5257581671959f7fa0a1e9b66a305
Instruction ID: b3f9143d2b2186561e2d54f2534493dc4c123f564b605f5d3111d0dba9b645a9
Opcode Fuzzy Hash: a7ab3594870e0c8c4a3c93b17813048f5bc5257581671959f7fa0a1e9b66a305
Instruction Fuzzy Hash: 52310970A007187FEF36CB658C05BFE7BA5ABC5320F04C31AE4A9921D1C3768A859752

Function 00CA7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00CA769A
GetWindowRect.USER32(?,?), ref: 00CA7710
PtInRect.USER32(?,?,00CA8B89), ref: 00CA7720
MessageBeep.USER32(00000000), ref: 00CA778C

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 95e01629bd60ac802e9d681ae4d4d8956edf324f3211574d54fd8d5b44802ee2
Instruction ID: 916cd8716ca0d9715b43372b60c2964471753130a24048519294b66dadcd353c
Opcode Fuzzy Hash: 95e01629bd60ac802e9d681ae4d4d8956edf324f3211574d54fd8d5b44802ee2
Instruction Fuzzy Hash: 97417F34605256DFCB02CF58CD98FAD77F5BB4A318F1942A8E824DB261D730AA41CB90

Function 00CA16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00CA16EB

Part of subcall function 00C73A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C73A57
Part of subcall function 00C73A3D: GetCurrentThreadId.KERNEL32 ref: 00C73A5E
Part of subcall function 00C73A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00C725B3), ref: 00C73A65

GetCaretPos.USER32(?), ref: 00CA16FF
ClientToScreen.USER32(00000000,?), ref: 00CA174C
GetForegroundWindow.USER32 ref: 00CA1752

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 01fc46f9a05f9b88213afbfd0f2c3a1950afcc48f7149e83ea338264a8dae047
Instruction ID: d6c779cf39b1c52c281bbab8948a8c185a6c71c0e6ebfc01379a1fa6b6522880
Opcode Fuzzy Hash: 01fc46f9a05f9b88213afbfd0f2c3a1950afcc48f7149e83ea338264a8dae047
Instruction Fuzzy Hash: 7031FD75D00249AFD704EFA9C8C19EEBBF9EF49308B5480AAE415E7211DB319E45DBA0

Function 00C7D4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00C7D501
Process32FirstW.KERNEL32(00000000,?), ref: 00C7D50F
Process32NextW.KERNEL32(00000000,?), ref: 00C7D52F
CloseHandle.KERNEL32(00000000), ref: 00C7D5DC

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 75865a9b0c68350e24ca1f246092ec9030a509e39f0a1ccd9390944fe9bc5634
Instruction ID: 52d1ebe0b54dfb3044c0dd0acd2311c227f65100d6b94fa61d51e5d6488be01f
Opcode Fuzzy Hash: 75865a9b0c68350e24ca1f246092ec9030a509e39f0a1ccd9390944fe9bc5634
Instruction Fuzzy Hash: EB31C2711083009FD300EF54C891BAFBBF8EF9A354F10492DF596831A1EB719A85DB92

Function 00CA8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C29BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C29BB2

GetCursorPos.USER32(?), ref: 00CA9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00C67711,?,?,?,?,?), ref: 00CA9016
GetCursorPos.USER32(?), ref: 00CA905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00C67711,?,?,?), ref: 00CA9094

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 803c39e579731314999c0377900d58c7e5d3ed6999ed5b7c45563e24d8f2795b
Instruction ID: d16e7304fe97b12b47aca78934da05bad66936fba52a5ceb43d12aeab56d99d0
Opcode Fuzzy Hash: 803c39e579731314999c0377900d58c7e5d3ed6999ed5b7c45563e24d8f2795b
Instruction Fuzzy Hash: 6921A135600018EFCB258F94DC99FFE7BB9EF4A3A4F144055F9154B261C7319AA0EB60

Function 00C7D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00CACB68), ref: 00C7D2FB
GetLastError.KERNEL32 ref: 00C7D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 00C7D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00CACB68), ref: 00C7D376

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 0c15dcf6533da39e3085e257879be1df072d4a0061adcd4e539a1a1024036dd7
Instruction ID: ac77682855c7eb104361a0e7742cdb78c686970b160e0ac272bc32bdb89ae22d
Opcode Fuzzy Hash: 0c15dcf6533da39e3085e257879be1df072d4a0061adcd4e539a1a1024036dd7
Instruction Fuzzy Hash: CD219F705092019F8700DF28C8819AE7BF4EF56328F108A1DF4AAC32A1DB31DA46DB93

Function 00C71571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C71014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00C7102A
Part of subcall function 00C71014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00C71036
Part of subcall function 00C71014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C71045
Part of subcall function 00C71014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00C7104C
Part of subcall function 00C71014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C71062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00C715BE
_memcmp.LIBVCRUNTIME ref: 00C715E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C71617
HeapFree.KERNEL32(00000000), ref: 00C7161E

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: d6d2ca9dd2a555ebc30b5fb553a8d4a6b1ab718da199b27bf0e4f90ff8e7f497
Instruction ID: 07b21b558c197a208dc36e6c5471785f229b340281421504dca6ba1966a62f09
Opcode Fuzzy Hash: d6d2ca9dd2a555ebc30b5fb553a8d4a6b1ab718da199b27bf0e4f90ff8e7f497
Instruction Fuzzy Hash: CD219D31E00108EFDF14DFA8C985BEEB7B8EF44354F188459E859AB241E730AA05DBA0

Function 00CA2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00CA280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00CA2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00CA2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00CA2840

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: c36dbd336b330ccc36628caa3a345d40673368e2fee7dadcf4b01f70dc2ad517
Instruction ID: 6671f2331eb03a1e6f7fdbeb2e848616b406083dcd89925dd82a6f7bb67b51f9
Opcode Fuzzy Hash: c36dbd336b330ccc36628caa3a345d40673368e2fee7dadcf4b01f70dc2ad517
Instruction Fuzzy Hash: FA21D631604522AFD714DB28C884FAA7795EF47328F148158F426CB6D2CB75FD82DB90

Function 00C778F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00C78D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00C7790A,?,000000FF,?,00C78754,00000000,?,0000001C,?,?), ref: 00C78D8C
Part of subcall function 00C78D7D: lstrcpyW.KERNEL32(00000000,?,?,00C7790A,?,000000FF,?,00C78754,00000000,?,0000001C,?,?,00000000), ref: 00C78DB2
Part of subcall function 00C78D7D: lstrcmpiW.KERNEL32(00000000,?,00C7790A,?,000000FF,?,00C78754,00000000,?,0000001C,?,?), ref: 00C78DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00C78754,00000000,?,0000001C,?,?,00000000), ref: 00C77923
lstrcpyW.KERNEL32(00000000,?,?,00C78754,00000000,?,0000001C,?,?,00000000), ref: 00C77949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00C78754,00000000,?,0000001C,?,?,00000000), ref: 00C77984

Strings

cdecl, xrefs: 00C7797B

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: e828dcbb8ba755f64aab7f8a1c32c99aa2f13b559b4f170eae88cc9d3524cf0d
Instruction ID: 8b87fec604eb9bd397d83c8baa95700937b369a87ceedab6194062f441cd6345
Opcode Fuzzy Hash: e828dcbb8ba755f64aab7f8a1c32c99aa2f13b559b4f170eae88cc9d3524cf0d
Instruction Fuzzy Hash: 9611293A201306ABCF156F34D844E7B77A5FF95354B00812EFA0AC7264EF319901D791

Function 00CA7CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00CA7D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00CA7D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00CA7D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00C8B7AD,00000000), ref: 00CA7D6B

Part of subcall function 00C29BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C29BB2

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 0ce250b49e09785377fd73658393102a587b5e8fbcc489d68604da372d36cb62
Instruction ID: 8fc06cfc7570fb31406786ef29b5bf6fdac610739d85875fee2a74bb705575ca
Opcode Fuzzy Hash: 0ce250b49e09785377fd73658393102a587b5e8fbcc489d68604da372d36cb62
Instruction Fuzzy Hash: 8A117232A05666AFCB109F28DC44BAA3BA5BF46378B154724FC35DB2F0D7309A61DB50

Function 00C71A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00C71A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C71A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C71A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C71A8A

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: a196a008e0c3c052f4c139452cae163117fb30130b9eeae20d9096db1db0de60
Instruction ID: f6e7898f527be73c3e4cf92757fc2ee7a15e1534ebfb2cb59f9cad27c998c0cb
Opcode Fuzzy Hash: a196a008e0c3c052f4c139452cae163117fb30130b9eeae20d9096db1db0de60
Instruction Fuzzy Hash: 80113C3AD01219FFEB10DBA9CD85FADBB78EB04750F244091EA04B7290D6716F50EB94

Function 00C7E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00C7E1FD
MessageBoxW.USER32(?,?,?,?), ref: 00C7E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00C7E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00C7E24D

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: df03e39e71391a12fcb1e50cd7e29230fb3d258fadb246641a7ea3808403ca58
Instruction ID: cbc07bc6691a5328735b001323400aac0395463f26ccec592543d149efa3a5f8
Opcode Fuzzy Hash: df03e39e71391a12fcb1e50cd7e29230fb3d258fadb246641a7ea3808403ca58
Instruction Fuzzy Hash: B411DB76A04258BBC7019FA89C49BDF7FAD9B45324F148255F929D7291D670CE0487A0

Function 00C3D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,00C3CFF9,00000000,00000004,00000000), ref: 00C3D218
GetLastError.KERNEL32 ref: 00C3D224
__dosmaperr.LIBCMT ref: 00C3D22B
ResumeThread.KERNEL32(00000000), ref: 00C3D249

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: d23917b1d61295f8aaf363ef021270cbffb0bb7a592a21814d5d14185329e032
Instruction ID: b959118ee4db5718603a897211dc6d413b03ab367672c10380d8451c6f93117f
Opcode Fuzzy Hash: d23917b1d61295f8aaf363ef021270cbffb0bb7a592a21814d5d14185329e032
Instruction Fuzzy Hash: C601F976825104BBCB115BA6EC45BAF7A6DDF82731F100219F936921D0CF72CD01D7A0

Function 00C33B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00C33B56

Part of subcall function 00C33AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00C33AD2
Part of subcall function 00C33AA3: ___AdjustPointer.LIBCMT ref: 00C33AED

_UnwindNestedFrames.LIBCMT ref: 00C33B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00C33B7C
CallCatchBlock.LIBVCRUNTIME ref: 00C33BA4

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 22a1d1d0223eb439dab6f8f5905e4b12e6dcb7cab1c021a52640b76a3cb47196
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 89010C32110189BBDF125E95CC46EEB7F6EEF58758F044014FE58A6121C736E961EBA0

Function 00C43073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00C113C6,00000000,00000000,?,00C4301A,00C113C6,00000000,00000000,00000000,?,00C4328B,00000006,FlsSetValue), ref: 00C430A5
GetLastError.KERNEL32(?,00C4301A,00C113C6,00000000,00000000,00000000,?,00C4328B,00000006,FlsSetValue,00CB2290,FlsSetValue,00000000,00000364,?,00C42E46), ref: 00C430B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00C4301A,00C113C6,00000000,00000000,00000000,?,00C4328B,00000006,FlsSetValue,00CB2290,FlsSetValue,00000000), ref: 00C430BF

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 11ee30c961c4d6f40ae4fe3faddda55f604a67f71b85d965e0743be3c2e89c81
Instruction ID: bf285a1538bcf2f727004d714edd62d1098f8657bf511b58bcced57277cfb8ec
Opcode Fuzzy Hash: 11ee30c961c4d6f40ae4fe3faddda55f604a67f71b85d965e0743be3c2e89c81
Instruction Fuzzy Hash: 7001DB32701262ABCB314BB99C85B5B7B98BF86B65B210720F915E7190D721DA01C6E0

Function 00C77464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00C7747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00C77497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00C774AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00C774CA

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 4fa009b6f48a5d67b8dd8f2c76c6893c1b170531c46c893c731fed78030e7f35
Instruction ID: 036a6287b92f0908c73d6b502b18d51ccb52de491d41d8f73ebc5d326dba3033
Opcode Fuzzy Hash: 4fa009b6f48a5d67b8dd8f2c76c6893c1b170531c46c893c731fed78030e7f35
Instruction Fuzzy Hash: 6C11ADB1209318ABE7208F24DC49FA67FFCEB04B04F10C669A62AD7191D7B0E944DF60

Function 00C7B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00C7ACD3,?,00008000), ref: 00C7B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00C7ACD3,?,00008000), ref: 00C7B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00C7ACD3,?,00008000), ref: 00C7B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00C7ACD3,?,00008000), ref: 00C7B126

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: c12b6fc05514562dc931264e18115f1b358979a7ad4be7d0fa43f50803e29de7
Instruction ID: bdc75c45712d34054b625502ed01411a3f154cc00de1774be5b39e2970d3ca01
Opcode Fuzzy Hash: c12b6fc05514562dc931264e18115f1b358979a7ad4be7d0fa43f50803e29de7
Instruction Fuzzy Hash: 5E113971E01929E7CF00AFA5E9A97EEBB78FF0A711F508086D955B2181CB305A518B51

Function 00C72DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00C72DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00C72DD6
GetCurrentThreadId.KERNEL32 ref: 00C72DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00C72DE4

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: c196448d35d58c6c14ec23f4d6425fb99dd31f281db65120e66bc119adbc0dab
Instruction ID: 0e8b8f84880b4bd9f690755f305473d3dca5a9d2a6762652272abfc5a098b968
Opcode Fuzzy Hash: c196448d35d58c6c14ec23f4d6425fb99dd31f281db65120e66bc119adbc0dab
Instruction Fuzzy Hash: FBE01271601224BBD7305B739C8EFEF7E6CEF57BA5F404115F609D20909AA5C941C6B0

Function 00CA8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00C29639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00C29693
Part of subcall function 00C29639: SelectObject.GDI32(?,00000000), ref: 00C296A2
Part of subcall function 00C29639: BeginPath.GDI32(?), ref: 00C296B9
Part of subcall function 00C29639: SelectObject.GDI32(?,00000000), ref: 00C296E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00CA8887
LineTo.GDI32(?,?,?), ref: 00CA8894
EndPath.GDI32(?), ref: 00CA88A4
StrokePath.GDI32(?), ref: 00CA88B2

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 5653209a8b017fb74e96fcab77559de120307e8b6675914f81b216959ee7fb5d
Instruction ID: d7c644b41729359c36b0c9349b4911c4ba2393d193c2aae6d53d9489f28d242c
Opcode Fuzzy Hash: 5653209a8b017fb74e96fcab77559de120307e8b6675914f81b216959ee7fb5d
Instruction Fuzzy Hash: 1CF03A36045259BBDB125F94AC4DFCE3A69AF06714F448000FA11660E2CB795621DBA9

Function 00C298B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00C298CC
SetTextColor.GDI32(?,?), ref: 00C298D6
SetBkMode.GDI32(?,00000001), ref: 00C298E9
GetStockObject.GDI32(00000005), ref: 00C298F1

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 56fccaedb3c929e5adeab25d5aa35d4590da73fd56487708e1424a00fb7f07ae
Instruction ID: ff7851e82e61b56a7fe2f12251922552047c89bcc066824ead11c24397771e9b
Opcode Fuzzy Hash: 56fccaedb3c929e5adeab25d5aa35d4590da73fd56487708e1424a00fb7f07ae
Instruction Fuzzy Hash: 29E06D31244280AADB215B74BC49BEC3F60EB1333AF048719F7FA590E1C77246809B10

Function 00C7162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00C71634
OpenThreadToken.ADVAPI32(00000000,?,?,?,00C711D9), ref: 00C7163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00C711D9), ref: 00C71648
OpenProcessToken.ADVAPI32(00000000,?,?,?,00C711D9), ref: 00C7164F

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 911fb21e15d4ded294811b8dbac367c14bb883d71d46b526b365be2d3556e927
Instruction ID: 81706ba852b423ad8086d2562c72fbdf9bd3f738ebd3e7361770850c529bb06d
Opcode Fuzzy Hash: 911fb21e15d4ded294811b8dbac367c14bb883d71d46b526b365be2d3556e927
Instruction Fuzzy Hash: 6AE08631602211DBD7201FA49D4DB8B3B7CEF46795F188808F655CA090D6344540C750

Function 00C6D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00C6D858
GetDC.USER32(00000000), ref: 00C6D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00C6D882
ReleaseDC.USER32(?), ref: 00C6D8A3

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 2d6df768dd555a2cd7ced0b0c90e4d3393162a605f171fd40dc3d672dd461daa
Instruction ID: a9f844dd82541a9296a236c59cb3687de1dcfd39fcfe4cd9dcea4594e6d17117
Opcode Fuzzy Hash: 2d6df768dd555a2cd7ced0b0c90e4d3393162a605f171fd40dc3d672dd461daa
Instruction Fuzzy Hash: FEE01AB0800204DFCB419FA5D88C76DBBB1FB09314F108009F816E7350CB388941AF40

Function 00C6D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00C6D86C
GetDC.USER32(00000000), ref: 00C6D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00C6D882
ReleaseDC.USER32(?), ref: 00C6D8A3

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 31f5494e7346bfdd36a73a096d7e0ca49b56139d33e57dded313e0d645453658
Instruction ID: 67f3087fafa87b75a1094aaa9d209e4b5ec4dada22d5278db787f1c1c100bf94
Opcode Fuzzy Hash: 31f5494e7346bfdd36a73a096d7e0ca49b56139d33e57dded313e0d645453658
Instruction Fuzzy Hash: BFE092B5800204EFCB51AFA5D88876EBBB5BB09315B148449F95AE7360CB389942AF50

Function 00C84D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00C17620: _wcslen.LIBCMT ref: 00C17625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00C84ED4

Strings

*, xrefs: 00C84E10
LPT, xrefs: 00C84DFB

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 25bce3bbb6c088e22bd5aed82531ea4b2e679481b7838c3655e72ea241185c92
Instruction ID: d15950b8a9921f2cddabe309642715cb9c620e5761f6923d62b009d5c9b75bd9
Opcode Fuzzy Hash: 25bce3bbb6c088e22bd5aed82531ea4b2e679481b7838c3655e72ea241185c92
Instruction Fuzzy Hash: 08919275A002059FCB18EF98C484EAABBF1BF45308F15809DE51A9F362C731EE85DB94

Function 00C3E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00C3E30D

Strings

pow, xrefs: 00C3E2E5, 00C3E302

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 7624e3b0b3cde17b2ded52e2722441a51ea598752b00c333ca4c4945f6e66121
Instruction ID: b0f57e841164c79f90398cce5892df30772df8d2678d857dac04063210cef1e6
Opcode Fuzzy Hash: 7624e3b0b3cde17b2ded52e2722441a51ea598752b00c333ca4c4945f6e66121
Instruction Fuzzy Hash: 23512A61E2C2029ADB157724C9413BE3BA4FF40740F748F58E4F5822F9EB358D95AB86

Function 00C2E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 00C2E1B1

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: a7a475da0d880f59e299cd8078cafd8f2baeb193a080e58fec558d973a28d66e
Instruction ID: 8846222410aae35b4540b71fdc69fa2126c7dfb7fc3158677d1957d1418718b7
Opcode Fuzzy Hash: a7a475da0d880f59e299cd8078cafd8f2baeb193a080e58fec558d973a28d66e
Instruction Fuzzy Hash: F8513679500256DFDF25DF68D081AFA7BA8EF16310F244056FCA2AB2C0D7349E42DBA0

Function 00C2F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00C2F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 00C2F2BB

Strings

@, xrefs: 00C2F2AF

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 0af7c62d41b143cc205cf75583c6ee69b2889d870091b6f00a75a0f32b47f19e
Instruction ID: 7897c61a9405c8db4125bcdc3a31a3bbcef2f7e407e6328932ee64db824b38fb
Opcode Fuzzy Hash: 0af7c62d41b143cc205cf75583c6ee69b2889d870091b6f00a75a0f32b47f19e
Instruction Fuzzy Hash: C05134714087449BD320EF54D886BAFBBF8FB86300F81885DF199421A5EB308569DB66

Function 00C72999 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 130windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00C729EB
SendMessageW.USER32(?,0000110A,00000001,?), ref: 00C72A8D

Part of subcall function 00C72C75: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00C72CE0

Strings

@U=u, xrefs: 00C729EB, 00C72A8D

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 907644edc0eee3a6293dd20a6db4fa4a9eb5db5b2b8e3aa90d99aab44372fbac
Instruction ID: 2d73f6f1be6255162fcc1687b8c5562eaf2c2d2e64677676f0529d8e1e57fa3f
Opcode Fuzzy Hash: 907644edc0eee3a6293dd20a6db4fa4a9eb5db5b2b8e3aa90d99aab44372fbac
Instruction Fuzzy Hash: 3C419771A00208ABDF25EF54CC45BFE7BB9EF45724F044029F919A3291DB709E85EB92

Function 00C95745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 00C957E0
_wcslen.LIBCMT ref: 00C957EC

Strings

CALLARGARRAY, xrefs: 00C957E6, 00C957EB

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: fa6838f4d38b692393991ad1c23f72c76476fdc6a1f87b66bb7e7781276e59b4
Instruction ID: 85b262f4c411a40b9df7c75021bae06a3cc006f581ae8ebbaf2fbd18043f36b7
Opcode Fuzzy Hash: fa6838f4d38b692393991ad1c23f72c76476fdc6a1f87b66bb7e7781276e59b4
Instruction Fuzzy Hash: A041AE71A002099FCF05DFA9C8899AEBBB5FF59724F108069E515A7291E7309E81DB90

Function 00C8D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00C8D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00C8D13A

Strings

|, xrefs: 00C8D10B

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: a4fd93a83ae857885b9e07b6a0f8bbbe9ff37520b5afaf71faf30b398b940604
Instruction ID: cc9d0f41b01070fef11f665421d0db1f619f789e0e5a5455cf699e42f7ca69c3
Opcode Fuzzy Hash: a4fd93a83ae857885b9e07b6a0f8bbbe9ff37520b5afaf71faf30b398b940604
Instruction Fuzzy Hash: 8C314F71D00209ABCF15EFA5CC85EEE7FB9FF05314F000119F816A61A5DB31AA56EB54

Function 00CA356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00CA3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00CA365C

Strings

static, xrefs: 00CA35BC

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: ce1c8de22da757817790a869f926f5f687f802b73bae809b77fe50ee1362b4db
Instruction ID: 344692d684696b354ca99e8d2345916292fa7aebcb6e4676ed2de574e6fee0af
Opcode Fuzzy Hash: ce1c8de22da757817790a869f926f5f687f802b73bae809b77fe50ee1362b4db
Instruction Fuzzy Hash: 1131BE71500245AEDB10DF68DC90FFB73A9FF8A728F008619F9A597280DA30EE81D760

Function 00CA4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 00CA461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00CA4634

Strings

', xrefs: 00CA458E

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 318b71f12dbc4cccbb2d9cc78da374cbe211553a424a1f44c2f41c7ce726350d
Instruction ID: bc25b3435b575065800350a5b58ac8323174d15a44dcb872861c47a19683ee29
Opcode Fuzzy Hash: 318b71f12dbc4cccbb2d9cc78da374cbe211553a424a1f44c2f41c7ce726350d
Instruction Fuzzy Hash: 94311974E0120A9FDB18CFA9C994BDA7BB5FF8A304F144069E915AB351D7B0A941CF90

Function 00C7286B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 00C72884
SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00C728B6

Strings

@U=u, xrefs: 00C72884, 00C728B6

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 7c1dcd051bb107628097d50129abba1d0c0e0d06f03b165ea487899791b9f8d1
Instruction ID: db97deb76214b885274894a5aed9e09b8cbf2a745ec9dfb5ee31a51fe2dd3e8b
Opcode Fuzzy Hash: 7c1dcd051bb107628097d50129abba1d0c0e0d06f03b165ea487899791b9f8d1
Instruction Fuzzy Hash: 05212E32E00205ABCB15DF94C481DFFB7B9EF89714F048019FA19A7290EA705D42D790

Function 00C73BC4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 80windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C73D03: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00C73D18

SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00C73C23
_strlen.LIBCMT ref: 00C73C2E

Strings

@U=u, xrefs: 00C73C23

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: MessageSend$Timeout_strlen
String ID: @U=u
API String ID: 2777139624-2594219639
Opcode ID: da9ed010997036341a85557cfc37353676f4590fe475f2ea0a35bb8baded74f8
Instruction ID: 91f8b19786ca1d2c84bd9ce542b53a3798d03283a0cdd38173257b4e2cfa92f3
Opcode Fuzzy Hash: da9ed010997036341a85557cfc37353676f4590fe475f2ea0a35bb8baded74f8
Instruction Fuzzy Hash: 96110A3270015567CB2ABA7898929FE77648F55B40F10813DFA0AAB2D2DE209F42B6D4

Function 00CA336F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C7ED19: GetLocalTime.KERNEL32 ref: 00C7ED2A
Part of subcall function 00C7ED19: _wcslen.LIBCMT ref: 00C7ED3B
Part of subcall function 00C7ED19: _wcslen.LIBCMT ref: 00C7ED79
Part of subcall function 00C7ED19: _wcslen.LIBCMT ref: 00C7EDAF
Part of subcall function 00C7ED19: _wcslen.LIBCMT ref: 00C7EDDF
Part of subcall function 00C7ED19: _wcslen.LIBCMT ref: 00C7EDEF
Part of subcall function 00C7ED19: _wcslen.LIBCMT ref: 00C7EE2B

SendMessageW.USER32(?,00001002,00000000,?), ref: 00CA340A

Strings

SysDateTimePick32, xrefs: 00CA33C7
@U=u, xrefs: 00CA340A

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: _wcslen$LocalMessageSendTime
String ID: @U=u$SysDateTimePick32
API String ID: 2216836867-2530228043
Opcode ID: a5d3fba10387b92d1db3b4b7bb9cb748c7428ada589ac028ad6b5e5d90dc1504
Instruction ID: 975652bc62b76023f80432444059ce719ec9fdb3a45e60bea2fa2516788982de
Opcode Fuzzy Hash: a5d3fba10387b92d1db3b4b7bb9cb748c7428ada589ac028ad6b5e5d90dc1504
Instruction Fuzzy Hash: E821293134020A6FEF21DE54DC81FEF73AAEB45758F204519FA50AB1D0DAB1ED9197A0

Function 00C7215F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00C72178

Part of subcall function 00C7B32A: GetWindowThreadProcessId.USER32(?,?), ref: 00C7B355
Part of subcall function 00C7B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00C72194,00000034,?,?,00001004,00000000,00000000), ref: 00C7B365
Part of subcall function 00C7B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00C72194,00000034,?,?,00001004,00000000,00000000), ref: 00C7B37B

Part of subcall function 00C7B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C721D0,?,?,00000034,00000800,?,00000034), ref: 00C7B42D

SendMessageW.USER32(?,00001073,00000000,?), ref: 00C721DF

Part of subcall function 00C7B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C721FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00C7B3F8

Strings

@U=u, xrefs: 00C72178, 00C721DF

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Process$MemoryMessageSend$AllocOpenReadThreadVirtualWindowWrite
String ID: @U=u
API String ID: 1045663743-2594219639
Opcode ID: 37b467c6cf1ac0e34b9841f1549bd86cbd02c56f116e9a7c95cbdc357258f81d
Instruction ID: c1d045379cc9e3cda63de557bcfbefa3dcf85d6c567cffc9c5718791ed0c37d4
Opcode Fuzzy Hash: 37b467c6cf1ac0e34b9841f1549bd86cbd02c56f116e9a7c95cbdc357258f81d
Instruction Fuzzy Hash: 88217131901118ABEF15DFA4DC81FDDBBB8FF09354F1081A5F658A7190EA705E84DB90

Function 00CA31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00CA327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00CA3287

Strings

Combobox, xrefs: 00CA3249

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 1307537f2308dd3637b947402f3aeb53ebc3332cd3e2da6a08948cee6f747a2b
Instruction ID: 2e366f6ccf4398975f655952c487388807bce03da00a97d830b207c20ad5e1c2
Opcode Fuzzy Hash: 1307537f2308dd3637b947402f3aeb53ebc3332cd3e2da6a08948cee6f747a2b
Instruction Fuzzy Hash: E811E6713002497FEF219E94DC90FBB376AEB56368F100225F92497291D6319E519760

Function 00CA3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00C1600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00C1604C
Part of subcall function 00C1600E: GetStockObject.GDI32(00000011), ref: 00C16060
Part of subcall function 00C1600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00C1606A

GetWindowRect.USER32(00000000,?), ref: 00CA377A
GetSysColor.USER32(00000012), ref: 00CA3794

Strings

static, xrefs: 00CA3757

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: a06b247b284e6f1b0a765e272317c72fdf273977ec65c5276c2a3c4de05a96bf
Instruction ID: 89cb4611c4132dc8e205507243055fd608077d135c0f721e817b64f939d9c45a
Opcode Fuzzy Hash: a06b247b284e6f1b0a765e272317c72fdf273977ec65c5276c2a3c4de05a96bf
Instruction Fuzzy Hash: 5F1129B261020AAFDB00DFA8CD45EFE7BB8EB0A358F004524F965E3250E735E9519B60

Function 00CA6181 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00CA61FC
SendMessageW.USER32(?,00000194,00000000,00000000), ref: 00CA6225

Strings

@U=u, xrefs: 00CA61FC, 00CA6225

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 7388fc30ba568e761af0ae1cf74dc1c8c2a9d38c343e86b8dd475b78b42aa829
Instruction ID: 5ed483e9a18b874808c05a04a7dc13b9ab3a3512b5efc2bd0d662c8b42414e04
Opcode Fuzzy Hash: 7388fc30ba568e761af0ae1cf74dc1c8c2a9d38c343e86b8dd475b78b42aa829
Instruction Fuzzy Hash: 6C11B271140216BEEB148FA8DC55FFD3BA4EB07318F084215FA269A1D1D6B0DB10DB50

Function 00C8CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00C8CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00C8CDA6

Strings

<local>, xrefs: 00C8CD66

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 24ee5c9e7e8e12e4eabee8c2d5d3c9d9b71913744aa53bb601a1919c71acd750
Instruction ID: c1a63be00c400f3b9d336be049fc8de2b10ac5a555087777f12ba0bd2f772922
Opcode Fuzzy Hash: 24ee5c9e7e8e12e4eabee8c2d5d3c9d9b71913744aa53bb601a1919c71acd750
Instruction Fuzzy Hash: 9211A071205631BAD7286B668CC9FE7BEA8EB137A8F00423BF11983180D7709951D7F4

Function 00CA4F80 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 00CA4FCC

Strings

@U=u, xrefs: 00CA4FCC, 00CA5008

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 7e950b87235db809cb5a1d537c1fbc07182d2c01f2b54480437f1938f6838b8e
Instruction ID: 8b29253aced4de6f954163fa13b188402137a497367a479b4955bfe29cd9c31a
Opcode Fuzzy Hash: 7e950b87235db809cb5a1d537c1fbc07182d2c01f2b54480437f1938f6838b8e
Instruction Fuzzy Hash: 7121D37660011AEFCB15CFA8D9809EE7BB5FB4E348B004154FD16A7310D731EA21EB90

Function 00CA30D2 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 58windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000401,?,00000000), ref: 00CA3147

Strings

@U=u, xrefs: 00CA3147
button, xrefs: 00CA311E

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: MessageSend
String ID: @U=u$button
API String ID: 3850602802-1762282863
Opcode ID: 458f001fff1ce8b2753cb7144d6ac84fcd411852206f5511f8be47f081e5065e
Instruction ID: 2e8a2becd1cbc53c01ed7a5f0d3d32a76c15ccf79a3ae968be0f5d85190c4ff5
Opcode Fuzzy Hash: 458f001fff1ce8b2753cb7144d6ac84fcd411852206f5511f8be47f081e5065e
Instruction Fuzzy Hash: 3F11A132250246ABDF118FA4DC51FEF3BAAEB0A358F140114FB64A7190D776E9A1AB50

Function 00C76C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00C19CB3: _wcslen.LIBCMT ref: 00C19CBD

CharUpperBuffW.USER32(?,?,?), ref: 00C76CB6
_wcslen.LIBCMT ref: 00C76CC2

Strings

STOP, xrefs: 00C76CBC, 00C76CC1

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: d37500949dfcc9e5a37fce13763d83d1eb504fb53d94e207809af65f865e67fd
Instruction ID: 218eacbff30c41cdd68c1bafdbe6a9775a27960571a3bf634008751d190db2bd
Opcode Fuzzy Hash: d37500949dfcc9e5a37fce13763d83d1eb504fb53d94e207809af65f865e67fd
Instruction Fuzzy Hash: 8C0126326109268BCB21AFFDCC909FF33B8EF61710B104524E96697190EB31DA40D650

Function 00C723DB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C7B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C721D0,?,?,00000034,00000800,?,00000034), ref: 00C7B42D

SendMessageW.USER32(?,0000102B,?,00000000), ref: 00C7243B
SendMessageW.USER32(?,0000102B,?,00000000), ref: 00C7245E

Strings

@U=u, xrefs: 00C7243B, 00C7245E

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: MessageSend$MemoryProcessWrite
String ID: @U=u
API String ID: 1195347164-2594219639
Opcode ID: e006e994e221e8e0dd93b9359e12a6d483de6fda08012fd50b093a5c37f14de0
Instruction ID: 0b042ff5415c6755ee80a1422883a906b44c906d73c63a5b0c5bea8a00794932
Opcode Fuzzy Hash: e006e994e221e8e0dd93b9359e12a6d483de6fda08012fd50b093a5c37f14de0
Instruction Fuzzy Hash: B7012D32900218EBEB11AF64DC86FEEBB78DF14310F108066F529A70D1DB705E84DB60

Function 00CA4366 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000133E,00000000,?), ref: 00CA43AF
InvalidateRect.USER32(?,00000000,00000001,?,?), ref: 00CA4408

Strings

@U=u, xrefs: 00CA43AF

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: InvalidateMessageRectSend
String ID: @U=u
API String ID: 909852535-2594219639
Opcode ID: 89dae0c08647dea53c20a5aac130cbfe5954b170cd40af67f88f5c0a4ced05ca
Instruction ID: ae29d76393cf459ad399ef88daaa1048d6b96fd63b0bd47ecaa83fd8387ec32b
Opcode Fuzzy Hash: 89dae0c08647dea53c20a5aac130cbfe5954b170cd40af67f88f5c0a4ced05ca
Instruction Fuzzy Hash: 3211B234500745AFEB25CF24C491BEBBBE4BF06314F10451CE9AB57291DB706941DB50

Function 00C7250B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000406,00000000,00000000), ref: 00C72531
SendMessageW.USER32(?,0000040D,?,00000000), ref: 00C72564

Part of subcall function 00C7B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C721FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00C7B3F8

Part of subcall function 00C16B57: _wcslen.LIBCMT ref: 00C16B6A

Strings

@U=u, xrefs: 00C72531, 00C72564

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: MessageSend$MemoryProcessRead_wcslen
String ID: @U=u
API String ID: 1083363909-2594219639
Opcode ID: c46370f008dc6d9ee63ae8d75da98ab3f15a4d51c5ae06c43b37c59b1051a9b1
Instruction ID: 9cee29b34d8153d2e5090f7df8080e428d1de4fb61ebac0211ef86a8b0586c45
Opcode Fuzzy Hash: c46370f008dc6d9ee63ae8d75da98ab3f15a4d51c5ae06c43b37c59b1051a9b1
Instruction Fuzzy Hash: 4E012971900128AFDB50EF94DC91EED77ACEB25344F80D0A5F649A7150EE705E89EB90

Function 00CA90A1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C29BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00C29BB2

DefDlgProcW.USER32(?,0000002B,?,?,?,?,?,?,?,00C6769C,?,?,?), ref: 00CA9111

Part of subcall function 00C29944: GetWindowLongW.USER32(?,000000EB), ref: 00C29952

SendMessageW.USER32(?,00000401,00000000,00000000), ref: 00CA90F7

Strings

@U=u, xrefs: 00CA90F7

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: LongWindow$MessageProcSend
String ID: @U=u
API String ID: 982171247-2594219639
Opcode ID: 4623a06a556fd98905c1b0ff81bfcc8bc6f5225b51bc32a0bae2bc9dc44d9845
Instruction ID: c95bc97e093022524df33b8271fc10c0641eaf4b8fbf31d485b955b5b06c2519
Opcode Fuzzy Hash: 4623a06a556fd98905c1b0ff81bfcc8bc6f5225b51bc32a0bae2bc9dc44d9845
Instruction Fuzzy Hash: ED01DF31200215ABDB219F14DC8AFAA3BB6FF87379F140128FA550B2E1CB726D51EB50

Function 00C7246C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00C72480
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00C72497

Part of subcall function 00C723DB: SendMessageW.USER32(?,0000102B,?,00000000), ref: 00C7243B

Strings

@U=u, xrefs: 00C72480, 00C72497

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: d45f49645a0b65531bd0d7ea4b87a7bf8a3ca1b7e219547eb6ca37514f0b486f
Instruction ID: 79e945ce86c1fe2e0eb7ada265e05811235d9c9501a2c68d3e9c8d069eb81640
Opcode Fuzzy Hash: d45f49645a0b65531bd0d7ea4b87a7bf8a3ca1b7e219547eb6ca37514f0b486f
Instruction Fuzzy Hash: 8DF02030601121BAEB205B6ACC0FEDFBF6DDF46B60F104024B809A31A1CAB05E41D7F0

Function 00C9747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00C97493
_wcslen.LIBCMT ref: 00C974B9

Strings

3, 3, 16, 1, xrefs: 00C97483

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: d34cb8de1639c6710f7b9942549407b95c662ffcccb64fe9b05552182405c359
Instruction ID: 5069212646a858b83c88bd898182126d100ba6eecf2ef0eaaa4e59c55d723dde
Opcode Fuzzy Hash: d34cb8de1639c6710f7b9942549407b95c662ffcccb64fe9b05552182405c359
Instruction Fuzzy Hash: CCE061023363201097351279DCC5B7F578DCFCD760B14192BF985C2267EA94DE91A7A0

Function 00C72BE8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00C72BFA
SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 00C72C2A

Strings

@U=u, xrefs: 00C72BFA, 00C72C2A

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 21eaef6c0284e119f29cbc16e78e8be090ed29aaf39f12aadf74a59e76ca3530
Instruction ID: 1558446484c22986d86d40491907a49389864326beb249c88ad65f23c774b6c9
Opcode Fuzzy Hash: 21eaef6c0284e119f29cbc16e78e8be090ed29aaf39f12aadf74a59e76ca3530
Instruction Fuzzy Hash: B2F0A075340304BFFA126B80DC86FEA7B5CEB25765F004024F7495A0D1C9E25D00A7A0

Function 00C72D60 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C7286B: SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 00C72884
Part of subcall function 00C7286B: SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00C728B6

SendMessageW.USER32(?,0000110B,00000005,00000000), ref: 00C72D80
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00C72D90

Strings

@U=u, xrefs: 00C72D80, 00C72D90

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 0236452883914236ae782dd6ffb3fe0971466ea1eb476a55eae8e20ba616d3c5
Instruction ID: 580275443b35eac72769d9d89fd2e1b25e76682ea84ecd4d93d89346c9b36dda
Opcode Fuzzy Hash: 0236452883914236ae782dd6ffb3fe0971466ea1eb476a55eae8e20ba616d3c5
Instruction Fuzzy Hash: 85E0D8363483057FF6310A919C86FA73B6CD769B55F104026F30865191DEA3CC10A560

Function 00CA5829 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000133D,?,?), ref: 00CA5855
InvalidateRect.USER32(?,?,00000001), ref: 00CA5877

Strings

@U=u, xrefs: 00CA5855

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: InvalidateMessageRectSend
String ID: @U=u
API String ID: 909852535-2594219639
Opcode ID: 91b73f4e4a989ad147860a7aaf3397dec801420851d18491d2f14c511346e984
Instruction ID: 10eaefdbc047417ecae13da18f5038f84f2fbe0a1c1718be3e9794b897bb5e21
Opcode Fuzzy Hash: 91b73f4e4a989ad147860a7aaf3397dec801420851d18491d2f14c511346e984
Instruction Fuzzy Hash: FEF08972604141EED720CB75DC44FEE7BF8DB46329F0481B2F55AD9051D6308B81CB60

Function 00C70B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00C70B23

Strings

Error allocating memory., xrefs: 00C70B1C
AutoIt, xrefs: 00C70B17

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 156b1fb3a23709b70e7bc24f49d179bcb5ec1fe6582157c844ca260094778d5a
Instruction ID: e27469d67d84821241c09ae12a4a3bf8c846f8d99cb1dae38af7ad51819560fe
Opcode Fuzzy Hash: 156b1fb3a23709b70e7bc24f49d179bcb5ec1fe6582157c844ca260094778d5a
Instruction Fuzzy Hash: FDE0D83124431826D21437547C43F897A848F06B25F10043BF758955C38EE1659166E9

Function 00C30D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00C2F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00C30D71,?,?,?,00C1100A), ref: 00C2F7CE

IsDebuggerPresent.KERNEL32(?,?,?,00C1100A), ref: 00C30D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00C1100A), ref: 00C30D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00C30D7F

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 821d13663de54b74360534878147e7f6bc901071e3f1a52c99bcf2ac346fc91a
Instruction ID: 68e876f3cc7322140a3c679b13fe0d2b0fb1034ca9823740f3af8eabd3152f8c
Opcode Fuzzy Hash: 821d13663de54b74360534878147e7f6bc901071e3f1a52c99bcf2ac346fc91a
Instruction Fuzzy Hash: D7E06DB02007518BD7209FB8E45834A7BE0AB05748F104A2DE482C7651DBB4E4859B91

Function 00C83017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00C8302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00C83044

Strings

aut, xrefs: 00C83038

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 725bff7603fc62b5b160e24f8090e91e83cd6322f01574843907eab221fa8de6
Instruction ID: d97b3adf468154d3b809746aa539223165fa043a1f2a508fe3c75a7823b5297e
Opcode Fuzzy Hash: 725bff7603fc62b5b160e24f8090e91e83cd6322f01574843907eab221fa8de6
Instruction Fuzzy Hash: 28D05EB250032867DA20A7A4AD4EFCB7B6CDB05754F0002A2B696E3191DBB49984CAD0

Function 00C6D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00C6D220

Strings

X64, xrefs: 00C6D2A8
%.3d, xrefs: 00C6D22B

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 188f9ec5fa5f3dcf9ad37beb073ee2e7d134fc0610dfe2fe7364214cfb66a9a7
Instruction ID: 5bc4e8b313ffcf39edc8827152a7bf6a901c72579920c961e4974df1ff2d42bb
Opcode Fuzzy Hash: 188f9ec5fa5f3dcf9ad37beb073ee2e7d134fc0610dfe2fe7364214cfb66a9a7
Instruction Fuzzy Hash: 88D012A1D08118EACBA096D2DCD59B9B37CAB18301F508462F90792040E734C9086761

Function 00CA2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00CA236C
PostMessageW.USER32(00000000), ref: 00CA2373

Part of subcall function 00C7E97B: Sleep.KERNEL32 ref: 00C7E9F3

Strings

Shell_TrayWnd, xrefs: 00CA2365

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 2950ca9a6a52f57b264064dcfdf42b8de20fecff6972bae2d1d1c75eb7172dfd
Instruction ID: 7bd559cecf928f9f2713a1c422290344982fafef841786108d142048714658eb
Opcode Fuzzy Hash: 2950ca9a6a52f57b264064dcfdf42b8de20fecff6972bae2d1d1c75eb7172dfd
Instruction Fuzzy Hash: FFD0C9327853107AE664A771AC4FFCA76149B16B14F0149167755AB1D0C9A0A841CA54

Function 00CA2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00CA232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00CA233F

Part of subcall function 00C7E97B: Sleep.KERNEL32 ref: 00C7E9F3

Strings

Shell_TrayWnd, xrefs: 00CA2325

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: a7325656309037ae97e03dd69f7650d747481e20f9eae4d556ff51ef8afb3c18
Instruction ID: f636260ab1c92fd49d4b55f99f0fb9799494ff4b89203d61efdaab9f8c5b6c1d
Opcode Fuzzy Hash: a7325656309037ae97e03dd69f7650d747481e20f9eae4d556ff51ef8afb3c18
Instruction Fuzzy Hash: 64D01237794310B7E664B771EC4FFCA7A149B15B14F0149167759AB1D0C9F0A841CA54

Function 00C72313 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00C7231F
SendMessageW.USER32(00000000,00001200,00000000,00000000), ref: 00C7232D

Strings

@U=u, xrefs: 00C7231F, 00C7232D

Memory Dump Source

Source File: 00000000.00000002.1441292286.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000000.00000002.1441172682.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CAC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441753014.0000000000CD2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441852151.0000000000CDC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1441875974.0000000000CE4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c10000_3FjrbCZgDN.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 00f6146b82a0e259a1519c41d92204b691987b0381923ce28eb770c6dd4e73c4
Instruction ID: d8f339aa3d3705b93892f40674a44b8b1d07054b824b540c4b5fe434d904f1b6
Opcode Fuzzy Hash: 00f6146b82a0e259a1519c41d92204b691987b0381923ce28eb770c6dd4e73c4
Instruction Fuzzy Hash: 63C08C311001C0BAF7300BA3BC0CF4B3E3DE7CBF05300000CB204860A58A600000C630

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 3FjrbCZgDN.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\maneuverability

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

Windows Analysis Report
3FjrbCZgDN.exe

Function 00C142DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 00C142A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 00C52BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Function 00C12CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 00C5065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 00C1344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00C12B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Function 00C13170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Function 01285180 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 00C12C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 01284F00 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 163
fileCOMMON

Function 00C13B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Function 01283DF0 Relevance: 6.7, APIs: 4, Instructions: 720
processthreadCOMMON

Function 00C13923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94
windowCOMMON

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre