Edit tour

Windows Analysis Report
FJRUb5lb9m.exe

Overview

General Information

Sample name:	FJRUb5lb9m.exe renamed because original name is a hash value
Original sample name:	dd0cbee3fccd6992b6441f30f51b452caaa7cfc79edd13204fa4099a19421525.exe
Analysis ID:	1588680
MD5:	896cef1e1ce8fb012437f05a81195d27
SHA1:	b825b626e64342dd5c3162ccd3df9c8c7c593f7b
SHA256:	dd0cbee3fccd6992b6441f30f51b452caaa7cfc79edd13204fa4099a19421525
Tags:	exeFormbookuser-adrian__luca
Infos:

Detection

FormBook

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

FJRUb5lb9m.exe (PID: 1964 cmdline: "C:\Users\user\Desktop\FJRUb5lb9m.exe" MD5: 896CEF1E1CE8FB012437F05A81195D27)

svchost.exe (PID: 1380 cmdline: "C:\Users\user\Desktop\FJRUb5lb9m.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.1542995143.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1543024692.0000000000520000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\FJRUb5lb9m.exe", CommandLine: "C:\Users\user\Desktop\FJRUb5lb9m.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\FJRUb5lb9m.exe", ParentImage: C:\Users\user\Desktop\FJRUb5lb9m.exe, ParentProcessId: 1964, ParentProcessName: FJRUb5lb9m.exe, ProcessCommandLine: "C:\Users\user\Desktop\FJRUb5lb9m.exe", ProcessId: 1380, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\FJRUb5lb9m.exe", CommandLine: "C:\Users\user\Desktop\FJRUb5lb9m.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\FJRUb5lb9m.exe", ParentImage: C:\Users\user\Desktop\FJRUb5lb9m.exe, ParentProcessId: 1964, ParentProcessName: FJRUb5lb9m.exe, ProcessCommandLine: "C:\Users\user\Desktop\FJRUb5lb9m.exe", ProcessId: 1380, ProcessName: svchost.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: FJRUb5lb9m.exe	ReversingLabs: Detection: 65%
Source: FJRUb5lb9m.exe	Virustotal: Detection: 51%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1542995143.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1543024692.0000000000520000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: FJRUb5lb9m.exe

Joe Sandbox ML: detected

Source: FJRUb5lb9m.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: wntdll.pdbUGP source: FJRUb5lb9m.exe, 00000000.00000003.1361828125.0000000003D40000.00000004.00001000.00020000.00000000.sdmp, FJRUb5lb9m.exe, 00000000.00000003.1361540015.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1499116420.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1491513974.0000000000A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1543331375.0000000000B9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1543331375.0000000000A00000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: FJRUb5lb9m.exe, 00000000.00000003.1361828125.0000000003D40000.00000004.00001000.00020000.00000000.sdmp, FJRUb5lb9m.exe, 00000000.00000003.1361540015.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.1499116420.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1491513974.0000000000A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1543331375.0000000000B9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1543331375.0000000000A00000.00000040.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\FJRUb5lb9m.exe	Code function: 0_2_0106445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0106445A
Source: C:\Users\user\Desktop\FJRUb5lb9m.exe	Code function: 0_2_0106C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0106C75C
Source: C:\Users\user\Desktop\FJRUb5lb9m.exe	Code function: 0_2_0106C6D1 FindFirstFileW,FindClose,	0_2_0106C6D1
Source: C:\Users\user\Desktop\FJRUb5lb9m.exe	Code function: 0_2_0106EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0106EF95
Source: C:\Users\user\Desktop\FJRUb5lb9m.exe	Code function: 0_2_0106F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0106F0F2
Source: C:\Users\user\Desktop\FJRUb5lb9m.exe	Code function: 0_2_0106F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0106F3F3
Source: C:\Users\user\Desktop\FJRUb5lb9m.exe	Code function: 0_2_010637EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_010637EF
Source: C:\Users\user\Desktop\FJRUb5lb9m.exe	Code function: 0_2_01063B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_01063B12
Source: C:\Users\user\Desktop\FJRUb5lb9m.exe	Code function: 0_2_0106BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0106BCBC

Source: C:\Users\user\Desktop\FJRUb5lb9m.exe

Code function: 0_2_010722EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_010722EE

Source: C:\Users\user\Desktop\FJRUb5lb9m.exe

Code function: 0_2_01074164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_01074164

Source: C:\Users\user\Desktop\FJRUb5lb9m.exe

Code function: 0_2_01074164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_01074164

Source: C:\Users\user\Desktop\FJRUb5lb9m.exe

Code function: 0_2_01073F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_01073F66

Source: C:\Users\user\Desktop\FJRUb5lb9m.exe

Code function: 0_2_0106001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_0106001C

Source: C:\Users\user\Desktop\FJRUb5lb9m.exe

Code function: 0_2_0108CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_0108CABC

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1542995143.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1543024692.0000000000520000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\FJRUb5lb9m.exe	Code function: This is a third-party compiled AutoIt script.	0_2_01003B3A
Source: FJRUb5lb9m.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: FJRUb5lb9m.exe, 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_9f8b9475-6
Source: FJRUb5lb9m.exe, 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_1b46211b-e
Source: FJRUb5lb9m.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_fe05dd1d-3
Source: FJRUb5lb9m.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_33e2669d-b

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042CCE3 NtClose,	2_2_0042CCE3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A72B60 NtClose,LdrInitializeThunk,	2_2_00A72B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A72DF0 NtQuerySystemInformation,LdrInitializeThunk,	2_2_00A72DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A735C0 NtCreateMutant,LdrInitializeThunk,	2_2_00A735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A74340 NtSetContextThread,	2_2_00A74340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A74650 NtSuspendThread,	2_2_00A74650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A72AB0 NtWaitForSingleObject,	2_2_00A72AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A72AF0 NtWriteFile,	2_2_00A72AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A72AD0 NtReadFile,	2_2_00A72AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A72BA0 NtEnumerateValueKey,	2_2_00A72BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A72B80 NtQueryInformationFile,	2_2_00A72B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A72BE0 NtQueryValueKey,	2_2_00A72BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A72BF0 NtAllocateVirtualMemory,	2_2_00A72BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A72CA0 NtQueryInformationToken,	2_2_00A72CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A72CF0 NtOpenProcess,	2_2_00A72CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A72CC0 NtQueryVirtualMemory,	2_2_00A72CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A72C00 NtQueryInformationProcess,	2_2_00A72C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A72C60 NtCreateKey,	2_2_00A72C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A72C70 NtFreeVirtualMemory,	2_2_00A72C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A72DB0 NtEnumerateKey,	2_2_00A72DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A72DD0 NtDelayExecution,	2_2_00A72DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A72D30 NtUnmapViewOfSection,	2_2_00A72D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A72D00 NtSetInformationFile,	2_2_00A72D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A72D10 NtMapViewOfSection,	2_2_00A72D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A72EA0 NtAdjustPrivilegesToken,	2_2_00A72EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A72E80 NtReadVirtualMemory,	2_2_00A72E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A72EE0 NtQueueApcThread,	2_2_00A72EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A72E30 NtWriteVirtualMemory,	2_2_00A72E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A72FA0 NtQuerySection,	2_2_00A72FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A72FB0 NtResumeThread,	2_2_00A72FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A72F90 NtProtectVirtualMemory,	2_2_00A72F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A72FE0 NtCreateFile,	2_2_00A72FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A72F30 NtCreateSection,	2_2_00A72F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A72F60 NtCreateProcessEx,	2_2_00A72F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A73090 NtSetValueKey,	2_2_00A73090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A73010 NtOpenDirectoryObject,	2_2_00A73010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A739B0 NtGetContextThread,	2_2_00A739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A73D10 NtOpenProcessToken,	2_2_00A73D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A73D70 NtOpenThread,	2_2_00A73D70

Source: C:\Users\user\Desktop\FJRUb5lb9m.exe

Code function: 0_2_0106A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_0106A1EF

Source: C:\Users\user\Desktop\FJRUb5lb9m.exe

Code function: 0_2_01058310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_01058310

Source: C:\Users\user\Desktop\FJRUb5lb9m.exe

Code function: 0_2_010651BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_010651BD

Source: C:\Users\user\Desktop\FJRUb5lb9m.exe	Code function: 0_2_0100E6A0	0_2_0100E6A0
Source: C:\Users\user\Desktop\FJRUb5lb9m.exe	Code function: 0_2_0102D975	0_2_0102D975
Source: C:\Users\user\Desktop\FJRUb5lb9m.exe	Code function: 0_2_0100FCE0	0_2_0100FCE0
Source: C:\Users\user\Desktop\FJRUb5lb9m.exe	Code function: 0_2_010221C5	0_2_010221C5
Source: C:\Users\user\Desktop\FJRUb5lb9m.exe	Code function: 0_2_010803DA	0_2_010803DA
Source: C:\Users\user\Desktop\FJRUb5lb9m.exe	Code function: 0_2_010362D2	0_2_010362D2
Source: C:\Users\user\Desktop\FJRUb5lb9m.exe	Code function: 0_2_010225FA	0_2_010225FA
Source: C:\Users\user\Desktop\FJRUb5lb9m.exe	Code function: 0_2_0103242E	0_2_0103242E
Source: C:\Users\user\Desktop\FJRUb5lb9m.exe	Code function: 0_2_0103878F	0_2_0103878F
Source: C:\Users\user\Desktop\FJRUb5lb9m.exe	Code function: 0_2_0105E616	0_2_0105E616
Source: C:\Users\user\Desktop\FJRUb5lb9m.exe	Code function: 0_2_010166E1	0_2_010166E1
Source: C:\Users\user\Desktop\FJRUb5lb9m.exe	Code function: 0_2_01018808	0_2_01018808
Source: C:\Users\user\Desktop\FJRUb5lb9m.exe	Code function: 0_2_01036844	0_2_01036844
Source: C:\Users\user\Desktop\FJRUb5lb9m.exe	Code function: 0_2_01080857	0_2_01080857
Source: C:\Users\user\Desktop\FJRUb5lb9m.exe	Code function: 0_2_01068889	0_2_01068889
Source: C:\Users\user\Desktop\FJRUb5lb9m.exe	Code function: 0_2_0102CB21	0_2_0102CB21
Source: C:\Users\user\Desktop\FJRUb5lb9m.exe	Code function: 0_2_01036DB6	0_2_01036DB6
Source: C:\Users\user\Desktop\FJRUb5lb9m.exe	Code function: 0_2_01016F9E	0_2_01016F9E
Source: C:\Users\user\Desktop\FJRUb5lb9m.exe	Code function: 0_2_01023187	0_2_01023187
Source: C:\Users\user\Desktop\FJRUb5lb9m.exe	Code function: 0_2_0102F1D9	0_2_0102F1D9
Source: C:\Users\user\Desktop\FJRUb5lb9m.exe	Code function: 0_2_01013030	0_2_01013030
Source: C:\Users\user\Desktop\FJRUb5lb9m.exe	Code function: 0_2_01001287	0_2_01001287
Source: C:\Users\user\Desktop\FJRUb5lb9m.exe	Code function: 0_2_01015520	0_2_01015520
Source: C:\Users\user\Desktop\FJRUb5lb9m.exe	Code function: 0_2_01021484	0_2_01021484
Source: C:\Users\user\Desktop\FJRUb5lb9m.exe	Code function: 0_2_01015760	0_2_01015760
Source: C:\Users\user\Desktop\FJRUb5lb9m.exe	Code function: 0_2_01027696	0_2_01027696
Source: C:\Users\user\Desktop\FJRUb5lb9m.exe	Code function: 0_2_01021978	0_2_01021978
Source: C:\Users\user\Desktop\FJRUb5lb9m.exe	Code function: 0_2_01039AB5	0_2_01039AB5
Source: C:\Users\user\Desktop\FJRUb5lb9m.exe	Code function: 0_2_01021D90	0_2_01021D90
Source: C:\Users\user\Desktop\FJRUb5lb9m.exe	Code function: 0_2_0102BDA6	0_2_0102BDA6
Source: C:\Users\user\Desktop\FJRUb5lb9m.exe	Code function: 0_2_01087DDB	0_2_01087DDB
Source: C:\Users\user\Desktop\FJRUb5lb9m.exe	Code function: 0_2_0100DF00	0_2_0100DF00
Source: C:\Users\user\Desktop\FJRUb5lb9m.exe	Code function: 0_2_01013FE0	0_2_01013FE0
Source: C:\Users\user\Desktop\FJRUb5lb9m.exe	Code function: 0_2_015B2518	0_2_015B2518
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401BC6	2_2_00401BC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E843	2_2_0040E843
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E839	2_2_0040E839
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004028AE	2_2_004028AE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004028B0	2_2_004028B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042F2F3	2_2_0042F2F3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402C28	2_2_00402C28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402C30	2_2_00402C30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004104F3	2_2_004104F3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004035C0	2_2_004035C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00416ECE	2_2_00416ECE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00416ED3	2_2_00416ED3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E6F3	2_2_0040E6F3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00410713	2_2_00410713
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AD2000	2_2_00AD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AF41A2	2_2_00AF41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B001AA	2_2_00B001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AF81CC	2_2_00AF81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A30100	2_2_00A30100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00ADA118	2_2_00ADA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AC8158	2_2_00AC8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AC02C0	2_2_00AC02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AE0274	2_2_00AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A4E3F0	2_2_00A4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B003E6	2_2_00B003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AFA352	2_2_00AFA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AEE4F6	2_2_00AEE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AE4420	2_2_00AE4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AF2446	2_2_00AF2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B00591	2_2_00B00591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A40535	2_2_00A40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A5C6E0	2_2_00A5C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A3C7C0	2_2_00A3C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A40770	2_2_00A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A64750	2_2_00A64750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A268B8	2_2_00A268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A6E8F0	2_2_00A6E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A4A840	2_2_00A4A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A42840	2_2_00A42840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A429A0	2_2_00A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B0A9A6	2_2_00B0A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A56962	2_2_00A56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A3EA80	2_2_00A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AF6BD7	2_2_00AF6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AFAB40	2_2_00AFAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AE0CB5	2_2_00AE0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A30CF2	2_2_00A30CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A40C00	2_2_00A40C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A58DBF	2_2_00A58DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A3ADE0	2_2_00A3ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A4AD00	2_2_00A4AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00ADCD1F	2_2_00ADCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A52E90	2_2_00A52E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AFCE93	2_2_00AFCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AFEEDB	2_2_00AFEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AFEE26	2_2_00AFEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A40E59	2_2_00A40E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00ABEFA0	2_2_00ABEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A4CFE0	2_2_00A4CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A32FC8	2_2_00A32FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A82F28	2_2_00A82F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A60F30	2_2_00A60F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AE2F30	2_2_00AE2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AB4F40	2_2_00AB4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AF70E9	2_2_00AF70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AFF0E0	2_2_00AFF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AEF0CC	2_2_00AEF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A470C0	2_2_00A470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A4B1B0	2_2_00A4B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A7516C	2_2_00A7516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A2F172	2_2_00A2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B0B16B	2_2_00B0B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A452A0	2_2_00A452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AE12ED	2_2_00AE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A5B2C0	2_2_00A5B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A8739A	2_2_00A8739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AF132D	2_2_00AF132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A2D34C	2_2_00A2D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AFF43F	2_2_00AFF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A31460	2_2_00A31460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00ADD5B0	2_2_00ADD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B095C3	2_2_00B095C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AF7571	2_2_00AF7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AF16CC	2_2_00AF16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A85630	2_2_00A85630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AFF7B0	2_2_00AFF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A438E0	2_2_00A438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AAD800	2_2_00AAD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AD5910	2_2_00AD5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A49950	2_2_00A49950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A5B950	2_2_00A5B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00ADDAAC	2_2_00ADDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A85AA0	2_2_00A85AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AE1AA3	2_2_00AE1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AEDAC6	2_2_00AEDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AB3A6C	2_2_00AB3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AFFA49	2_2_00AFFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AF7A46	2_2_00AF7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A5FB80	2_2_00A5FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AB5BF0	2_2_00AB5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A7DBF9	2_2_00A7DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AFFB76	2_2_00AFFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AFFCF2	2_2_00AFFCF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AB9C32	2_2_00AB9C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A5FDC0	2_2_00A5FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AF7D73	2_2_00AF7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A43D40	2_2_00A43D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AF1D5A	2_2_00AF1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A49EB0	2_2_00A49EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AFFFB1	2_2_00AFFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A41F92	2_2_00A41F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A03FD2	2_2_00A03FD2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A03FD5	2_2_00A03FD5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AFFF09	2_2_00AFFF09

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 00A2B970 appears 280 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 00A87E54 appears 110 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 00AAEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 00A75130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 00ABF290 appears 105 times
Source: C:\Users\user\Desktop\FJRUb5lb9m.exe	Code function: String function: 01028900 appears 42 times
Source: C:\Users\user\Desktop\FJRUb5lb9m.exe	Code function: String function: 01007DE1 appears 36 times
Source: C:\Users\user\Desktop\FJRUb5lb9m.exe	Code function: String function: 01020AE3 appears 70 times

Source: FJRUb5lb9m.exe, 00000000.00000003.1364579283.0000000003E63000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs FJRUb5lb9m.exe
Source: FJRUb5lb9m.exe, 00000000.00000003.1362477742.000000000400D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs FJRUb5lb9m.exe

Source: FJRUb5lb9m.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal84.troj.evad.winEXE@3/2@0/0

Source: C:\Users\user\Desktop\FJRUb5lb9m.exe

Code function: 0_2_0106A06A GetLastError,FormatMessageW,

0_2_0106A06A

Source: C:\Users\user\Desktop\FJRUb5lb9m.exe	Code function: 0_2_010581CB AdjustTokenPrivileges,CloseHandle,		0_2_010581CB
Source: C:\Users\user\Desktop\FJRUb5lb9m.exe	Code function: 0_2_010587E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_010587E1

Source: C:\Users\user\Desktop\FJRUb5lb9m.exe

Code function: 0_2_0106B333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_0106B333

Source: C:\Users\user\Desktop\FJRUb5lb9m.exe

Code function: 0_2_0107EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0107EE0D

Source: C:\Users\user\Desktop\FJRUb5lb9m.exe

Code function: 0_2_0106C397 CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0106C397

Source: C:\Users\user\Desktop\FJRUb5lb9m.exe

Code function: 0_2_01004E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_01004E89

Source: C:\Users\user\Desktop\FJRUb5lb9m.exe

File created: C:\Users\user\AppData\Local\Temp\aut3BFA.tmp

Jump to behavior

Source: FJRUb5lb9m.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\FJRUb5lb9m.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: FJRUb5lb9m.exe	ReversingLabs: Detection: 65%
Source: FJRUb5lb9m.exe	Virustotal: Detection: 51%

Source: unknown	Process created: C:\Users\user\Desktop\FJRUb5lb9m.exe "C:\Users\user\Desktop\FJRUb5lb9m.exe"
Source: C:\Users\user\Desktop\FJRUb5lb9m.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\FJRUb5lb9m.exe"
Source: C:\Users\user\Desktop\FJRUb5lb9m.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\FJRUb5lb9m.exe"	Jump to behavior

Source: C:\Users\user\Desktop\FJRUb5lb9m.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\FJRUb5lb9m.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\FJRUb5lb9m.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\FJRUb5lb9m.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\FJRUb5lb9m.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\FJRUb5lb9m.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FJRUb5lb9m.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\FJRUb5lb9m.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\FJRUb5lb9m.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\FJRUb5lb9m.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\FJRUb5lb9m.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FJRUb5lb9m.exe	Section loaded: ntmarta.dll	Jump to behavior

Source: FJRUb5lb9m.exe

Static file information: File size 1213440 > 1048576

Source: FJRUb5lb9m.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: FJRUb5lb9m.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: FJRUb5lb9m.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: FJRUb5lb9m.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: FJRUb5lb9m.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: FJRUb5lb9m.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: FJRUb5lb9m.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: FJRUb5lb9m.exe, 00000000.00000003.1361828125.0000000003D40000.00000004.00001000.00020000.00000000.sdmp, FJRUb5lb9m.exe, 00000000.00000003.1361540015.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1499116420.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1491513974.0000000000A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1543331375.0000000000B9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1543331375.0000000000A00000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: FJRUb5lb9m.exe, 00000000.00000003.1361828125.0000000003D40000.00000004.00001000.00020000.00000000.sdmp, FJRUb5lb9m.exe, 00000000.00000003.1361540015.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.1499116420.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1491513974.0000000000A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1543331375.0000000000B9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1543331375.0000000000A00000.00000040.00001000.00020000.00000000.sdmp

Source: FJRUb5lb9m.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: FJRUb5lb9m.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: FJRUb5lb9m.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: FJRUb5lb9m.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: FJRUb5lb9m.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\FJRUb5lb9m.exe

Code function: 0_2_01004B37 LoadLibraryA,GetProcAddress,

0_2_01004B37

Source: C:\Users\user\Desktop\FJRUb5lb9m.exe	Code function: 0_2_01028945 push ecx; ret	0_2_01028958
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041504A push edx; retf	2_2_0041504D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040B05D push 7EE3812Dh; retf	2_2_0040B062
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041502C push esp; ret	2_2_0041503C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00403830 push eax; ret	2_2_00403832
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040D99E push eax; retf	2_2_0040D9A1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040DB46 pushad ; iretd	2_2_0040DB6B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041F352 push 0000000Bh; ret	2_2_0041F354
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041FBD2 push FFFFFFB9h; ret	2_2_0041FBDD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040DC21 push eax; retf	2_2_0040DC22
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041ACC2 pushad ; iretd	2_2_0041ACCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00422CD7 push es; ret	2_2_00422CEA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004147C3 push eax; ret	2_2_00414852
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A0225F pushad ; ret	2_2_00A027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A027FA pushad ; ret	2_2_00A027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A0283D push eax; iretd	2_2_00A02858
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A309AD push ecx; mov dword ptr [esp], ecx	2_2_00A309B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A01366 push eax; iretd	2_2_00A01369

Source: C:\Users\user\Desktop\FJRUb5lb9m.exe	Code function: 0_2_010048D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_010048D7
Source: C:\Users\user\Desktop\FJRUb5lb9m.exe	Code function: 0_2_01085376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_01085376

Source: C:\Users\user\Desktop\FJRUb5lb9m.exe

Code function: 0_2_01023187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_01023187

Source: C:\Users\user\Desktop\FJRUb5lb9m.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\FJRUb5lb9m.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\FJRUb5lb9m.exe

API/Special instruction interceptor: Address: 15B213C

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: FJRUb5lb9m.exe, 00000000.00000003.1354270985.00000000015FA000.00000004.00000020.00020000.00000000.sdmp, FJRUb5lb9m.exe, 00000000.00000002.1367189933.0000000001666000.00000004.00000020.00020000.00000000.sdmp, FJRUb5lb9m.exe, 00000000.00000003.1354377801.0000000001666000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: PROCMON.EXES

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00A7096E rdtsc

2_2_00A7096E

Source: C:\Users\user\Desktop\FJRUb5lb9m.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-103164

Source: C:\Users\user\Desktop\FJRUb5lb9m.exe	API coverage: 4.7 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.6 %

Source: C:\Windows\SysWOW64\svchost.exe TID: 3664

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\FJRUb5lb9m.exe	Code function: 0_2_0106445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0106445A
Source: C:\Users\user\Desktop\FJRUb5lb9m.exe	Code function: 0_2_0106C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0106C75C
Source: C:\Users\user\Desktop\FJRUb5lb9m.exe	Code function: 0_2_0106C6D1 FindFirstFileW,FindClose,	0_2_0106C6D1
Source: C:\Users\user\Desktop\FJRUb5lb9m.exe	Code function: 0_2_0106EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0106EF95
Source: C:\Users\user\Desktop\FJRUb5lb9m.exe	Code function: 0_2_0106F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0106F0F2
Source: C:\Users\user\Desktop\FJRUb5lb9m.exe	Code function: 0_2_0106F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0106F3F3
Source: C:\Users\user\Desktop\FJRUb5lb9m.exe	Code function: 0_2_010637EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_010637EF
Source: C:\Users\user\Desktop\FJRUb5lb9m.exe	Code function: 0_2_01063B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_01063B12
Source: C:\Users\user\Desktop\FJRUb5lb9m.exe	Code function: 0_2_0106BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0106BCBC

Source: C:\Users\user\Desktop\FJRUb5lb9m.exe

Code function: 0_2_010049A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_010049A0

Source: C:\Users\user\Desktop\FJRUb5lb9m.exe

API call chain: ExitProcess graph end node

graph_0-101822

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00A7096E rdtsc

2_2_00A7096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00417E63 LdrLoadDll,

2_2_00417E63

Source: C:\Users\user\Desktop\FJRUb5lb9m.exe

Code function: 0_2_01073F09 BlockInput,

0_2_01073F09

Source: C:\Users\user\Desktop\FJRUb5lb9m.exe

Code function: 0_2_01003B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_01003B3A

Source: C:\Users\user\Desktop\FJRUb5lb9m.exe

Code function: 0_2_01035A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_01035A7C

Source: C:\Users\user\Desktop\FJRUb5lb9m.exe

Code function: 0_2_01004B37 LoadLibraryA,GetProcAddress,

0_2_01004B37

Source: C:\Users\user\Desktop\FJRUb5lb9m.exe	Code function: 0_2_015B23A8 mov eax, dword ptr fs:[00000030h]	0_2_015B23A8
Source: C:\Users\user\Desktop\FJRUb5lb9m.exe	Code function: 0_2_015B2408 mov eax, dword ptr fs:[00000030h]	0_2_015B2408
Source: C:\Users\user\Desktop\FJRUb5lb9m.exe	Code function: 0_2_015B0D38 mov eax, dword ptr fs:[00000030h]	0_2_015B0D38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A280A0 mov eax, dword ptr fs:[00000030h]	2_2_00A280A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AC80A8 mov eax, dword ptr fs:[00000030h]	2_2_00AC80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AF60B8 mov eax, dword ptr fs:[00000030h]	2_2_00AF60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AF60B8 mov ecx, dword ptr fs:[00000030h]	2_2_00AF60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A3208A mov eax, dword ptr fs:[00000030h]	2_2_00A3208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A2A0E3 mov ecx, dword ptr fs:[00000030h]	2_2_00A2A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A380E9 mov eax, dword ptr fs:[00000030h]	2_2_00A380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AB60E0 mov eax, dword ptr fs:[00000030h]	2_2_00AB60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A2C0F0 mov eax, dword ptr fs:[00000030h]	2_2_00A2C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A720F0 mov ecx, dword ptr fs:[00000030h]	2_2_00A720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AB20DE mov eax, dword ptr fs:[00000030h]	2_2_00AB20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A2A020 mov eax, dword ptr fs:[00000030h]	2_2_00A2A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A2C020 mov eax, dword ptr fs:[00000030h]	2_2_00A2C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AC6030 mov eax, dword ptr fs:[00000030h]	2_2_00AC6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AB4000 mov ecx, dword ptr fs:[00000030h]	2_2_00AB4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AD2000 mov eax, dword ptr fs:[00000030h]	2_2_00AD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AD2000 mov eax, dword ptr fs:[00000030h]	2_2_00AD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AD2000 mov eax, dword ptr fs:[00000030h]	2_2_00AD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AD2000 mov eax, dword ptr fs:[00000030h]	2_2_00AD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AD2000 mov eax, dword ptr fs:[00000030h]	2_2_00AD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AD2000 mov eax, dword ptr fs:[00000030h]	2_2_00AD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AD2000 mov eax, dword ptr fs:[00000030h]	2_2_00AD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AD2000 mov eax, dword ptr fs:[00000030h]	2_2_00AD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A4E016 mov eax, dword ptr fs:[00000030h]	2_2_00A4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A4E016 mov eax, dword ptr fs:[00000030h]	2_2_00A4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A4E016 mov eax, dword ptr fs:[00000030h]	2_2_00A4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A4E016 mov eax, dword ptr fs:[00000030h]	2_2_00A4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A5C073 mov eax, dword ptr fs:[00000030h]	2_2_00A5C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A32050 mov eax, dword ptr fs:[00000030h]	2_2_00A32050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AB6050 mov eax, dword ptr fs:[00000030h]	2_2_00AB6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A70185 mov eax, dword ptr fs:[00000030h]	2_2_00A70185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AEC188 mov eax, dword ptr fs:[00000030h]	2_2_00AEC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AEC188 mov eax, dword ptr fs:[00000030h]	2_2_00AEC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AD4180 mov eax, dword ptr fs:[00000030h]	2_2_00AD4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AD4180 mov eax, dword ptr fs:[00000030h]	2_2_00AD4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AB019F mov eax, dword ptr fs:[00000030h]	2_2_00AB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AB019F mov eax, dword ptr fs:[00000030h]	2_2_00AB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AB019F mov eax, dword ptr fs:[00000030h]	2_2_00AB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AB019F mov eax, dword ptr fs:[00000030h]	2_2_00AB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A2A197 mov eax, dword ptr fs:[00000030h]	2_2_00A2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A2A197 mov eax, dword ptr fs:[00000030h]	2_2_00A2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A2A197 mov eax, dword ptr fs:[00000030h]	2_2_00A2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B061E5 mov eax, dword ptr fs:[00000030h]	2_2_00B061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A601F8 mov eax, dword ptr fs:[00000030h]	2_2_00A601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AF61C3 mov eax, dword ptr fs:[00000030h]	2_2_00AF61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AF61C3 mov eax, dword ptr fs:[00000030h]	2_2_00AF61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AAE1D0 mov eax, dword ptr fs:[00000030h]	2_2_00AAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AAE1D0 mov eax, dword ptr fs:[00000030h]	2_2_00AAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AAE1D0 mov ecx, dword ptr fs:[00000030h]	2_2_00AAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AAE1D0 mov eax, dword ptr fs:[00000030h]	2_2_00AAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AAE1D0 mov eax, dword ptr fs:[00000030h]	2_2_00AAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A60124 mov eax, dword ptr fs:[00000030h]	2_2_00A60124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00ADE10E mov eax, dword ptr fs:[00000030h]	2_2_00ADE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00ADE10E mov ecx, dword ptr fs:[00000030h]	2_2_00ADE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00ADE10E mov eax, dword ptr fs:[00000030h]	2_2_00ADE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00ADE10E mov eax, dword ptr fs:[00000030h]	2_2_00ADE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00ADE10E mov ecx, dword ptr fs:[00000030h]	2_2_00ADE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00ADE10E mov eax, dword ptr fs:[00000030h]	2_2_00ADE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00ADE10E mov eax, dword ptr fs:[00000030h]	2_2_00ADE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00ADE10E mov ecx, dword ptr fs:[00000030h]	2_2_00ADE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00ADE10E mov eax, dword ptr fs:[00000030h]	2_2_00ADE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00ADE10E mov ecx, dword ptr fs:[00000030h]	2_2_00ADE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00ADA118 mov ecx, dword ptr fs:[00000030h]	2_2_00ADA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00ADA118 mov eax, dword ptr fs:[00000030h]	2_2_00ADA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00ADA118 mov eax, dword ptr fs:[00000030h]	2_2_00ADA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00ADA118 mov eax, dword ptr fs:[00000030h]	2_2_00ADA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AF0115 mov eax, dword ptr fs:[00000030h]	2_2_00AF0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B04164 mov eax, dword ptr fs:[00000030h]	2_2_00B04164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B04164 mov eax, dword ptr fs:[00000030h]	2_2_00B04164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AC4144 mov eax, dword ptr fs:[00000030h]	2_2_00AC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AC4144 mov eax, dword ptr fs:[00000030h]	2_2_00AC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AC4144 mov ecx, dword ptr fs:[00000030h]	2_2_00AC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AC4144 mov eax, dword ptr fs:[00000030h]	2_2_00AC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AC4144 mov eax, dword ptr fs:[00000030h]	2_2_00AC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A2C156 mov eax, dword ptr fs:[00000030h]	2_2_00A2C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AC8158 mov eax, dword ptr fs:[00000030h]	2_2_00AC8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A36154 mov eax, dword ptr fs:[00000030h]	2_2_00A36154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A36154 mov eax, dword ptr fs:[00000030h]	2_2_00A36154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A402A0 mov eax, dword ptr fs:[00000030h]	2_2_00A402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A402A0 mov eax, dword ptr fs:[00000030h]	2_2_00A402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AC62A0 mov eax, dword ptr fs:[00000030h]	2_2_00AC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AC62A0 mov ecx, dword ptr fs:[00000030h]	2_2_00AC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AC62A0 mov eax, dword ptr fs:[00000030h]	2_2_00AC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AC62A0 mov eax, dword ptr fs:[00000030h]	2_2_00AC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AC62A0 mov eax, dword ptr fs:[00000030h]	2_2_00AC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AC62A0 mov eax, dword ptr fs:[00000030h]	2_2_00AC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A6E284 mov eax, dword ptr fs:[00000030h]	2_2_00A6E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A6E284 mov eax, dword ptr fs:[00000030h]	2_2_00A6E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AB0283 mov eax, dword ptr fs:[00000030h]	2_2_00AB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AB0283 mov eax, dword ptr fs:[00000030h]	2_2_00AB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AB0283 mov eax, dword ptr fs:[00000030h]	2_2_00AB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A402E1 mov eax, dword ptr fs:[00000030h]	2_2_00A402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A402E1 mov eax, dword ptr fs:[00000030h]	2_2_00A402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A402E1 mov eax, dword ptr fs:[00000030h]	2_2_00A402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_00A3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_00A3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_00A3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_00A3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_00A3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B062D6 mov eax, dword ptr fs:[00000030h]	2_2_00B062D6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A2823B mov eax, dword ptr fs:[00000030h]	2_2_00A2823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A34260 mov eax, dword ptr fs:[00000030h]	2_2_00A34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A34260 mov eax, dword ptr fs:[00000030h]	2_2_00A34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A34260 mov eax, dword ptr fs:[00000030h]	2_2_00A34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A2826B mov eax, dword ptr fs:[00000030h]	2_2_00A2826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AE0274 mov eax, dword ptr fs:[00000030h]	2_2_00AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AE0274 mov eax, dword ptr fs:[00000030h]	2_2_00AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AE0274 mov eax, dword ptr fs:[00000030h]	2_2_00AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AE0274 mov eax, dword ptr fs:[00000030h]	2_2_00AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AE0274 mov eax, dword ptr fs:[00000030h]	2_2_00AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AE0274 mov eax, dword ptr fs:[00000030h]	2_2_00AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AE0274 mov eax, dword ptr fs:[00000030h]	2_2_00AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AE0274 mov eax, dword ptr fs:[00000030h]	2_2_00AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AE0274 mov eax, dword ptr fs:[00000030h]	2_2_00AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AE0274 mov eax, dword ptr fs:[00000030h]	2_2_00AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AE0274 mov eax, dword ptr fs:[00000030h]	2_2_00AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AE0274 mov eax, dword ptr fs:[00000030h]	2_2_00AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AB8243 mov eax, dword ptr fs:[00000030h]	2_2_00AB8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AB8243 mov ecx, dword ptr fs:[00000030h]	2_2_00AB8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B0625D mov eax, dword ptr fs:[00000030h]	2_2_00B0625D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A2A250 mov eax, dword ptr fs:[00000030h]	2_2_00A2A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A36259 mov eax, dword ptr fs:[00000030h]	2_2_00A36259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AEA250 mov eax, dword ptr fs:[00000030h]	2_2_00AEA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AEA250 mov eax, dword ptr fs:[00000030h]	2_2_00AEA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A2E388 mov eax, dword ptr fs:[00000030h]	2_2_00A2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A2E388 mov eax, dword ptr fs:[00000030h]	2_2_00A2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A2E388 mov eax, dword ptr fs:[00000030h]	2_2_00A2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A5438F mov eax, dword ptr fs:[00000030h]	2_2_00A5438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A5438F mov eax, dword ptr fs:[00000030h]	2_2_00A5438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A28397 mov eax, dword ptr fs:[00000030h]	2_2_00A28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A28397 mov eax, dword ptr fs:[00000030h]	2_2_00A28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A28397 mov eax, dword ptr fs:[00000030h]	2_2_00A28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A403E9 mov eax, dword ptr fs:[00000030h]	2_2_00A403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A403E9 mov eax, dword ptr fs:[00000030h]	2_2_00A403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A403E9 mov eax, dword ptr fs:[00000030h]	2_2_00A403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A403E9 mov eax, dword ptr fs:[00000030h]	2_2_00A403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A403E9 mov eax, dword ptr fs:[00000030h]	2_2_00A403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A403E9 mov eax, dword ptr fs:[00000030h]	2_2_00A403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A403E9 mov eax, dword ptr fs:[00000030h]	2_2_00A403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A403E9 mov eax, dword ptr fs:[00000030h]	2_2_00A403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A4E3F0 mov eax, dword ptr fs:[00000030h]	2_2_00A4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A4E3F0 mov eax, dword ptr fs:[00000030h]	2_2_00A4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A4E3F0 mov eax, dword ptr fs:[00000030h]	2_2_00A4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A663FF mov eax, dword ptr fs:[00000030h]	2_2_00A663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AEC3CD mov eax, dword ptr fs:[00000030h]	2_2_00AEC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_00A3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_00A3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_00A3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_00A3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_00A3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_00A3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A383C0 mov eax, dword ptr fs:[00000030h]	2_2_00A383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A383C0 mov eax, dword ptr fs:[00000030h]	2_2_00A383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A383C0 mov eax, dword ptr fs:[00000030h]	2_2_00A383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A383C0 mov eax, dword ptr fs:[00000030h]	2_2_00A383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AB63C0 mov eax, dword ptr fs:[00000030h]	2_2_00AB63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00ADE3DB mov eax, dword ptr fs:[00000030h]	2_2_00ADE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00ADE3DB mov eax, dword ptr fs:[00000030h]	2_2_00ADE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00ADE3DB mov ecx, dword ptr fs:[00000030h]	2_2_00ADE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00ADE3DB mov eax, dword ptr fs:[00000030h]	2_2_00ADE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AD43D4 mov eax, dword ptr fs:[00000030h]	2_2_00AD43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AD43D4 mov eax, dword ptr fs:[00000030h]	2_2_00AD43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B08324 mov eax, dword ptr fs:[00000030h]	2_2_00B08324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B08324 mov ecx, dword ptr fs:[00000030h]	2_2_00B08324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B08324 mov eax, dword ptr fs:[00000030h]	2_2_00B08324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B08324 mov eax, dword ptr fs:[00000030h]	2_2_00B08324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A6A30B mov eax, dword ptr fs:[00000030h]	2_2_00A6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A6A30B mov eax, dword ptr fs:[00000030h]	2_2_00A6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A6A30B mov eax, dword ptr fs:[00000030h]	2_2_00A6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A2C310 mov ecx, dword ptr fs:[00000030h]	2_2_00A2C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A50310 mov ecx, dword ptr fs:[00000030h]	2_2_00A50310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AD437C mov eax, dword ptr fs:[00000030h]	2_2_00AD437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AB2349 mov eax, dword ptr fs:[00000030h]	2_2_00AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AB2349 mov eax, dword ptr fs:[00000030h]	2_2_00AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AB2349 mov eax, dword ptr fs:[00000030h]	2_2_00AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AB2349 mov eax, dword ptr fs:[00000030h]	2_2_00AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AB2349 mov eax, dword ptr fs:[00000030h]	2_2_00AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AB2349 mov eax, dword ptr fs:[00000030h]	2_2_00AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AB2349 mov eax, dword ptr fs:[00000030h]	2_2_00AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AB2349 mov eax, dword ptr fs:[00000030h]	2_2_00AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AB2349 mov eax, dword ptr fs:[00000030h]	2_2_00AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AB2349 mov eax, dword ptr fs:[00000030h]	2_2_00AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AB2349 mov eax, dword ptr fs:[00000030h]	2_2_00AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AB2349 mov eax, dword ptr fs:[00000030h]	2_2_00AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AB2349 mov eax, dword ptr fs:[00000030h]	2_2_00AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AB2349 mov eax, dword ptr fs:[00000030h]	2_2_00AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AB2349 mov eax, dword ptr fs:[00000030h]	2_2_00AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AB035C mov eax, dword ptr fs:[00000030h]	2_2_00AB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AB035C mov eax, dword ptr fs:[00000030h]	2_2_00AB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AB035C mov eax, dword ptr fs:[00000030h]	2_2_00AB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AB035C mov ecx, dword ptr fs:[00000030h]	2_2_00AB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AB035C mov eax, dword ptr fs:[00000030h]	2_2_00AB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AB035C mov eax, dword ptr fs:[00000030h]	2_2_00AB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AFA352 mov eax, dword ptr fs:[00000030h]	2_2_00AFA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AD8350 mov ecx, dword ptr fs:[00000030h]	2_2_00AD8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B0634F mov eax, dword ptr fs:[00000030h]	2_2_00B0634F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A364AB mov eax, dword ptr fs:[00000030h]	2_2_00A364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A644B0 mov ecx, dword ptr fs:[00000030h]	2_2_00A644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00ABA4B0 mov eax, dword ptr fs:[00000030h]	2_2_00ABA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AEA49A mov eax, dword ptr fs:[00000030h]	2_2_00AEA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A304E5 mov ecx, dword ptr fs:[00000030h]	2_2_00A304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A2E420 mov eax, dword ptr fs:[00000030h]	2_2_00A2E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A2E420 mov eax, dword ptr fs:[00000030h]	2_2_00A2E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A2E420 mov eax, dword ptr fs:[00000030h]	2_2_00A2E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A2C427 mov eax, dword ptr fs:[00000030h]	2_2_00A2C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AB6420 mov eax, dword ptr fs:[00000030h]	2_2_00AB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AB6420 mov eax, dword ptr fs:[00000030h]	2_2_00AB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AB6420 mov eax, dword ptr fs:[00000030h]	2_2_00AB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AB6420 mov eax, dword ptr fs:[00000030h]	2_2_00AB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AB6420 mov eax, dword ptr fs:[00000030h]	2_2_00AB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AB6420 mov eax, dword ptr fs:[00000030h]	2_2_00AB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AB6420 mov eax, dword ptr fs:[00000030h]	2_2_00AB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A6A430 mov eax, dword ptr fs:[00000030h]	2_2_00A6A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A68402 mov eax, dword ptr fs:[00000030h]	2_2_00A68402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A68402 mov eax, dword ptr fs:[00000030h]	2_2_00A68402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A68402 mov eax, dword ptr fs:[00000030h]	2_2_00A68402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00ABC460 mov ecx, dword ptr fs:[00000030h]	2_2_00ABC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A5A470 mov eax, dword ptr fs:[00000030h]	2_2_00A5A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A5A470 mov eax, dword ptr fs:[00000030h]	2_2_00A5A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A5A470 mov eax, dword ptr fs:[00000030h]	2_2_00A5A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A6E443 mov eax, dword ptr fs:[00000030h]	2_2_00A6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A6E443 mov eax, dword ptr fs:[00000030h]	2_2_00A6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A6E443 mov eax, dword ptr fs:[00000030h]	2_2_00A6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A6E443 mov eax, dword ptr fs:[00000030h]	2_2_00A6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A6E443 mov eax, dword ptr fs:[00000030h]	2_2_00A6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A6E443 mov eax, dword ptr fs:[00000030h]	2_2_00A6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A6E443 mov eax, dword ptr fs:[00000030h]	2_2_00A6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A6E443 mov eax, dword ptr fs:[00000030h]	2_2_00A6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AEA456 mov eax, dword ptr fs:[00000030h]	2_2_00AEA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A2645D mov eax, dword ptr fs:[00000030h]	2_2_00A2645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A5245A mov eax, dword ptr fs:[00000030h]	2_2_00A5245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AB05A7 mov eax, dword ptr fs:[00000030h]	2_2_00AB05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AB05A7 mov eax, dword ptr fs:[00000030h]	2_2_00AB05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AB05A7 mov eax, dword ptr fs:[00000030h]	2_2_00AB05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A545B1 mov eax, dword ptr fs:[00000030h]	2_2_00A545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A545B1 mov eax, dword ptr fs:[00000030h]	2_2_00A545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A32582 mov eax, dword ptr fs:[00000030h]	2_2_00A32582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A32582 mov ecx, dword ptr fs:[00000030h]	2_2_00A32582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A64588 mov eax, dword ptr fs:[00000030h]	2_2_00A64588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A6E59C mov eax, dword ptr fs:[00000030h]	2_2_00A6E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_00A5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_00A5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_00A5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_00A5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_00A5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_00A5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_00A5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_00A5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A325E0 mov eax, dword ptr fs:[00000030h]	2_2_00A325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A6C5ED mov eax, dword ptr fs:[00000030h]	2_2_00A6C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A6C5ED mov eax, dword ptr fs:[00000030h]	2_2_00A6C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A6E5CF mov eax, dword ptr fs:[00000030h]	2_2_00A6E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A6E5CF mov eax, dword ptr fs:[00000030h]	2_2_00A6E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A365D0 mov eax, dword ptr fs:[00000030h]	2_2_00A365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A6A5D0 mov eax, dword ptr fs:[00000030h]	2_2_00A6A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A6A5D0 mov eax, dword ptr fs:[00000030h]	2_2_00A6A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A40535 mov eax, dword ptr fs:[00000030h]	2_2_00A40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A40535 mov eax, dword ptr fs:[00000030h]	2_2_00A40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A40535 mov eax, dword ptr fs:[00000030h]	2_2_00A40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A40535 mov eax, dword ptr fs:[00000030h]	2_2_00A40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A40535 mov eax, dword ptr fs:[00000030h]	2_2_00A40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A40535 mov eax, dword ptr fs:[00000030h]	2_2_00A40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A5E53E mov eax, dword ptr fs:[00000030h]	2_2_00A5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A5E53E mov eax, dword ptr fs:[00000030h]	2_2_00A5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A5E53E mov eax, dword ptr fs:[00000030h]	2_2_00A5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A5E53E mov eax, dword ptr fs:[00000030h]	2_2_00A5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A5E53E mov eax, dword ptr fs:[00000030h]	2_2_00A5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AC6500 mov eax, dword ptr fs:[00000030h]	2_2_00AC6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B04500 mov eax, dword ptr fs:[00000030h]	2_2_00B04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B04500 mov eax, dword ptr fs:[00000030h]	2_2_00B04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B04500 mov eax, dword ptr fs:[00000030h]	2_2_00B04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B04500 mov eax, dword ptr fs:[00000030h]	2_2_00B04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B04500 mov eax, dword ptr fs:[00000030h]	2_2_00B04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B04500 mov eax, dword ptr fs:[00000030h]	2_2_00B04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B04500 mov eax, dword ptr fs:[00000030h]	2_2_00B04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A6656A mov eax, dword ptr fs:[00000030h]	2_2_00A6656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A6656A mov eax, dword ptr fs:[00000030h]	2_2_00A6656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A6656A mov eax, dword ptr fs:[00000030h]	2_2_00A6656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A38550 mov eax, dword ptr fs:[00000030h]	2_2_00A38550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A38550 mov eax, dword ptr fs:[00000030h]	2_2_00A38550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A6C6A6 mov eax, dword ptr fs:[00000030h]	2_2_00A6C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A666B0 mov eax, dword ptr fs:[00000030h]	2_2_00A666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A34690 mov eax, dword ptr fs:[00000030h]	2_2_00A34690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A34690 mov eax, dword ptr fs:[00000030h]	2_2_00A34690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AAE6F2 mov eax, dword ptr fs:[00000030h]	2_2_00AAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AAE6F2 mov eax, dword ptr fs:[00000030h]	2_2_00AAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AAE6F2 mov eax, dword ptr fs:[00000030h]	2_2_00AAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AAE6F2 mov eax, dword ptr fs:[00000030h]	2_2_00AAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AB06F1 mov eax, dword ptr fs:[00000030h]	2_2_00AB06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AB06F1 mov eax, dword ptr fs:[00000030h]	2_2_00AB06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A6A6C7 mov ebx, dword ptr fs:[00000030h]	2_2_00A6A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A6A6C7 mov eax, dword ptr fs:[00000030h]	2_2_00A6A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A4E627 mov eax, dword ptr fs:[00000030h]	2_2_00A4E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A66620 mov eax, dword ptr fs:[00000030h]	2_2_00A66620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A68620 mov eax, dword ptr fs:[00000030h]	2_2_00A68620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A3262C mov eax, dword ptr fs:[00000030h]	2_2_00A3262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AAE609 mov eax, dword ptr fs:[00000030h]	2_2_00AAE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A4260B mov eax, dword ptr fs:[00000030h]	2_2_00A4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A4260B mov eax, dword ptr fs:[00000030h]	2_2_00A4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A4260B mov eax, dword ptr fs:[00000030h]	2_2_00A4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A4260B mov eax, dword ptr fs:[00000030h]	2_2_00A4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A4260B mov eax, dword ptr fs:[00000030h]	2_2_00A4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A4260B mov eax, dword ptr fs:[00000030h]	2_2_00A4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A4260B mov eax, dword ptr fs:[00000030h]	2_2_00A4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A72619 mov eax, dword ptr fs:[00000030h]	2_2_00A72619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AF866E mov eax, dword ptr fs:[00000030h]	2_2_00AF866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AF866E mov eax, dword ptr fs:[00000030h]	2_2_00AF866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A6A660 mov eax, dword ptr fs:[00000030h]	2_2_00A6A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A6A660 mov eax, dword ptr fs:[00000030h]	2_2_00A6A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A62674 mov eax, dword ptr fs:[00000030h]	2_2_00A62674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A4C640 mov eax, dword ptr fs:[00000030h]	2_2_00A4C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A307AF mov eax, dword ptr fs:[00000030h]	2_2_00A307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AE47A0 mov eax, dword ptr fs:[00000030h]	2_2_00AE47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AD678E mov eax, dword ptr fs:[00000030h]	2_2_00AD678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A527ED mov eax, dword ptr fs:[00000030h]	2_2_00A527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A527ED mov eax, dword ptr fs:[00000030h]	2_2_00A527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A527ED mov eax, dword ptr fs:[00000030h]	2_2_00A527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00ABE7E1 mov eax, dword ptr fs:[00000030h]	2_2_00ABE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A347FB mov eax, dword ptr fs:[00000030h]	2_2_00A347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A347FB mov eax, dword ptr fs:[00000030h]	2_2_00A347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A3C7C0 mov eax, dword ptr fs:[00000030h]	2_2_00A3C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AB07C3 mov eax, dword ptr fs:[00000030h]	2_2_00AB07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A6C720 mov eax, dword ptr fs:[00000030h]	2_2_00A6C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A6C720 mov eax, dword ptr fs:[00000030h]	2_2_00A6C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A6273C mov eax, dword ptr fs:[00000030h]	2_2_00A6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A6273C mov ecx, dword ptr fs:[00000030h]	2_2_00A6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A6273C mov eax, dword ptr fs:[00000030h]	2_2_00A6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AAC730 mov eax, dword ptr fs:[00000030h]	2_2_00AAC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A6C700 mov eax, dword ptr fs:[00000030h]	2_2_00A6C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A30710 mov eax, dword ptr fs:[00000030h]	2_2_00A30710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A60710 mov eax, dword ptr fs:[00000030h]	2_2_00A60710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A38770 mov eax, dword ptr fs:[00000030h]	2_2_00A38770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A40770 mov eax, dword ptr fs:[00000030h]	2_2_00A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A40770 mov eax, dword ptr fs:[00000030h]	2_2_00A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A40770 mov eax, dword ptr fs:[00000030h]	2_2_00A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A40770 mov eax, dword ptr fs:[00000030h]	2_2_00A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A40770 mov eax, dword ptr fs:[00000030h]	2_2_00A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A40770 mov eax, dword ptr fs:[00000030h]	2_2_00A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A40770 mov eax, dword ptr fs:[00000030h]	2_2_00A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A40770 mov eax, dword ptr fs:[00000030h]	2_2_00A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A40770 mov eax, dword ptr fs:[00000030h]	2_2_00A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A40770 mov eax, dword ptr fs:[00000030h]	2_2_00A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A40770 mov eax, dword ptr fs:[00000030h]	2_2_00A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A40770 mov eax, dword ptr fs:[00000030h]	2_2_00A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A6674D mov esi, dword ptr fs:[00000030h]	2_2_00A6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A6674D mov eax, dword ptr fs:[00000030h]	2_2_00A6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A6674D mov eax, dword ptr fs:[00000030h]	2_2_00A6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A30750 mov eax, dword ptr fs:[00000030h]	2_2_00A30750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00ABE75D mov eax, dword ptr fs:[00000030h]	2_2_00ABE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A72750 mov eax, dword ptr fs:[00000030h]	2_2_00A72750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A72750 mov eax, dword ptr fs:[00000030h]	2_2_00A72750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AB4755 mov eax, dword ptr fs:[00000030h]	2_2_00AB4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A30887 mov eax, dword ptr fs:[00000030h]	2_2_00A30887
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00ABC89D mov eax, dword ptr fs:[00000030h]	2_2_00ABC89D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AFA8E4 mov eax, dword ptr fs:[00000030h]	2_2_00AFA8E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A6C8F9 mov eax, dword ptr fs:[00000030h]	2_2_00A6C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A6C8F9 mov eax, dword ptr fs:[00000030h]	2_2_00A6C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A5E8C0 mov eax, dword ptr fs:[00000030h]	2_2_00A5E8C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B008C0 mov eax, dword ptr fs:[00000030h]	2_2_00B008C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A52835 mov eax, dword ptr fs:[00000030h]	2_2_00A52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A52835 mov eax, dword ptr fs:[00000030h]	2_2_00A52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A52835 mov eax, dword ptr fs:[00000030h]	2_2_00A52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A52835 mov ecx, dword ptr fs:[00000030h]	2_2_00A52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A52835 mov eax, dword ptr fs:[00000030h]	2_2_00A52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A52835 mov eax, dword ptr fs:[00000030h]	2_2_00A52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A6A830 mov eax, dword ptr fs:[00000030h]	2_2_00A6A830
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AD483A mov eax, dword ptr fs:[00000030h]	2_2_00AD483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AD483A mov eax, dword ptr fs:[00000030h]	2_2_00AD483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00ABC810 mov eax, dword ptr fs:[00000030h]	2_2_00ABC810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00ABE872 mov eax, dword ptr fs:[00000030h]	2_2_00ABE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00ABE872 mov eax, dword ptr fs:[00000030h]	2_2_00ABE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AC6870 mov eax, dword ptr fs:[00000030h]	2_2_00AC6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AC6870 mov eax, dword ptr fs:[00000030h]	2_2_00AC6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A42840 mov ecx, dword ptr fs:[00000030h]	2_2_00A42840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A60854 mov eax, dword ptr fs:[00000030h]	2_2_00A60854
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A34859 mov eax, dword ptr fs:[00000030h]	2_2_00A34859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A34859 mov eax, dword ptr fs:[00000030h]	2_2_00A34859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A429A0 mov eax, dword ptr fs:[00000030h]	2_2_00A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A429A0 mov eax, dword ptr fs:[00000030h]	2_2_00A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A429A0 mov eax, dword ptr fs:[00000030h]	2_2_00A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A429A0 mov eax, dword ptr fs:[00000030h]	2_2_00A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A429A0 mov eax, dword ptr fs:[00000030h]	2_2_00A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A429A0 mov eax, dword ptr fs:[00000030h]	2_2_00A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A429A0 mov eax, dword ptr fs:[00000030h]	2_2_00A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A429A0 mov eax, dword ptr fs:[00000030h]	2_2_00A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A429A0 mov eax, dword ptr fs:[00000030h]	2_2_00A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A429A0 mov eax, dword ptr fs:[00000030h]	2_2_00A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A429A0 mov eax, dword ptr fs:[00000030h]	2_2_00A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A429A0 mov eax, dword ptr fs:[00000030h]	2_2_00A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A429A0 mov eax, dword ptr fs:[00000030h]	2_2_00A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A309AD mov eax, dword ptr fs:[00000030h]	2_2_00A309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A309AD mov eax, dword ptr fs:[00000030h]	2_2_00A309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AB89B3 mov esi, dword ptr fs:[00000030h]	2_2_00AB89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AB89B3 mov eax, dword ptr fs:[00000030h]	2_2_00AB89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AB89B3 mov eax, dword ptr fs:[00000030h]	2_2_00AB89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00ABE9E0 mov eax, dword ptr fs:[00000030h]	2_2_00ABE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A629F9 mov eax, dword ptr fs:[00000030h]	2_2_00A629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A629F9 mov eax, dword ptr fs:[00000030h]	2_2_00A629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AC69C0 mov eax, dword ptr fs:[00000030h]	2_2_00AC69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_00A3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_00A3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_00A3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_00A3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_00A3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_00A3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A649D0 mov eax, dword ptr fs:[00000030h]	2_2_00A649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AFA9D3 mov eax, dword ptr fs:[00000030h]	2_2_00AFA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AB892A mov eax, dword ptr fs:[00000030h]	2_2_00AB892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AC892B mov eax, dword ptr fs:[00000030h]	2_2_00AC892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AAE908 mov eax, dword ptr fs:[00000030h]	2_2_00AAE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AAE908 mov eax, dword ptr fs:[00000030h]	2_2_00AAE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00ABC912 mov eax, dword ptr fs:[00000030h]	2_2_00ABC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A28918 mov eax, dword ptr fs:[00000030h]	2_2_00A28918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A28918 mov eax, dword ptr fs:[00000030h]	2_2_00A28918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A56962 mov eax, dword ptr fs:[00000030h]	2_2_00A56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A56962 mov eax, dword ptr fs:[00000030h]	2_2_00A56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A56962 mov eax, dword ptr fs:[00000030h]	2_2_00A56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A7096E mov eax, dword ptr fs:[00000030h]	2_2_00A7096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A7096E mov edx, dword ptr fs:[00000030h]	2_2_00A7096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A7096E mov eax, dword ptr fs:[00000030h]	2_2_00A7096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AD4978 mov eax, dword ptr fs:[00000030h]	2_2_00AD4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AD4978 mov eax, dword ptr fs:[00000030h]	2_2_00AD4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00ABC97C mov eax, dword ptr fs:[00000030h]	2_2_00ABC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AB0946 mov eax, dword ptr fs:[00000030h]	2_2_00AB0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B04940 mov eax, dword ptr fs:[00000030h]	2_2_00B04940
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A38AA0 mov eax, dword ptr fs:[00000030h]	2_2_00A38AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A38AA0 mov eax, dword ptr fs:[00000030h]	2_2_00A38AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A86AA4 mov eax, dword ptr fs:[00000030h]	2_2_00A86AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A3EA80 mov eax, dword ptr fs:[00000030h]	2_2_00A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A3EA80 mov eax, dword ptr fs:[00000030h]	2_2_00A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A3EA80 mov eax, dword ptr fs:[00000030h]	2_2_00A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A3EA80 mov eax, dword ptr fs:[00000030h]	2_2_00A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A3EA80 mov eax, dword ptr fs:[00000030h]	2_2_00A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A3EA80 mov eax, dword ptr fs:[00000030h]	2_2_00A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A3EA80 mov eax, dword ptr fs:[00000030h]	2_2_00A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A3EA80 mov eax, dword ptr fs:[00000030h]	2_2_00A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A3EA80 mov eax, dword ptr fs:[00000030h]	2_2_00A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B04A80 mov eax, dword ptr fs:[00000030h]	2_2_00B04A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A68A90 mov edx, dword ptr fs:[00000030h]	2_2_00A68A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A6AAEE mov eax, dword ptr fs:[00000030h]	2_2_00A6AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A6AAEE mov eax, dword ptr fs:[00000030h]	2_2_00A6AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A86ACC mov eax, dword ptr fs:[00000030h]	2_2_00A86ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A86ACC mov eax, dword ptr fs:[00000030h]	2_2_00A86ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A86ACC mov eax, dword ptr fs:[00000030h]	2_2_00A86ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A30AD0 mov eax, dword ptr fs:[00000030h]	2_2_00A30AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A64AD0 mov eax, dword ptr fs:[00000030h]	2_2_00A64AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A64AD0 mov eax, dword ptr fs:[00000030h]	2_2_00A64AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A6CA24 mov eax, dword ptr fs:[00000030h]	2_2_00A6CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A5EA2E mov eax, dword ptr fs:[00000030h]	2_2_00A5EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A54A35 mov eax, dword ptr fs:[00000030h]	2_2_00A54A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A54A35 mov eax, dword ptr fs:[00000030h]	2_2_00A54A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A6CA38 mov eax, dword ptr fs:[00000030h]	2_2_00A6CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00ABCA11 mov eax, dword ptr fs:[00000030h]	2_2_00ABCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A6CA6F mov eax, dword ptr fs:[00000030h]	2_2_00A6CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A6CA6F mov eax, dword ptr fs:[00000030h]	2_2_00A6CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A6CA6F mov eax, dword ptr fs:[00000030h]	2_2_00A6CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00ADEA60 mov eax, dword ptr fs:[00000030h]	2_2_00ADEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AACA72 mov eax, dword ptr fs:[00000030h]	2_2_00AACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AACA72 mov eax, dword ptr fs:[00000030h]	2_2_00AACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A36A50 mov eax, dword ptr fs:[00000030h]	2_2_00A36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A36A50 mov eax, dword ptr fs:[00000030h]	2_2_00A36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A36A50 mov eax, dword ptr fs:[00000030h]	2_2_00A36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A36A50 mov eax, dword ptr fs:[00000030h]	2_2_00A36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A36A50 mov eax, dword ptr fs:[00000030h]	2_2_00A36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A36A50 mov eax, dword ptr fs:[00000030h]	2_2_00A36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A36A50 mov eax, dword ptr fs:[00000030h]	2_2_00A36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A40A5B mov eax, dword ptr fs:[00000030h]	2_2_00A40A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A40A5B mov eax, dword ptr fs:[00000030h]	2_2_00A40A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A40BBE mov eax, dword ptr fs:[00000030h]	2_2_00A40BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A40BBE mov eax, dword ptr fs:[00000030h]	2_2_00A40BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AE4BB0 mov eax, dword ptr fs:[00000030h]	2_2_00AE4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AE4BB0 mov eax, dword ptr fs:[00000030h]	2_2_00AE4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A38BF0 mov eax, dword ptr fs:[00000030h]	2_2_00A38BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A38BF0 mov eax, dword ptr fs:[00000030h]	2_2_00A38BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A38BF0 mov eax, dword ptr fs:[00000030h]	2_2_00A38BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A5EBFC mov eax, dword ptr fs:[00000030h]	2_2_00A5EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00ABCBF0 mov eax, dword ptr fs:[00000030h]	2_2_00ABCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A50BCB mov eax, dword ptr fs:[00000030h]	2_2_00A50BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A50BCB mov eax, dword ptr fs:[00000030h]	2_2_00A50BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A50BCB mov eax, dword ptr fs:[00000030h]	2_2_00A50BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A30BCD mov eax, dword ptr fs:[00000030h]	2_2_00A30BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A30BCD mov eax, dword ptr fs:[00000030h]	2_2_00A30BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A30BCD mov eax, dword ptr fs:[00000030h]	2_2_00A30BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00ADEBD0 mov eax, dword ptr fs:[00000030h]	2_2_00ADEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A5EB20 mov eax, dword ptr fs:[00000030h]	2_2_00A5EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00A5EB20 mov eax, dword ptr fs:[00000030h]	2_2_00A5EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AF8B28 mov eax, dword ptr fs:[00000030h]	2_2_00AF8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AF8B28 mov eax, dword ptr fs:[00000030h]	2_2_00AF8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00B04B00 mov eax, dword ptr fs:[00000030h]	2_2_00B04B00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AAEB1D mov eax, dword ptr fs:[00000030h]	2_2_00AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AAEB1D mov eax, dword ptr fs:[00000030h]	2_2_00AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AAEB1D mov eax, dword ptr fs:[00000030h]	2_2_00AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AAEB1D mov eax, dword ptr fs:[00000030h]	2_2_00AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AAEB1D mov eax, dword ptr fs:[00000030h]	2_2_00AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AAEB1D mov eax, dword ptr fs:[00000030h]	2_2_00AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AAEB1D mov eax, dword ptr fs:[00000030h]	2_2_00AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00AAEB1D mov eax, dword ptr fs:[00000030h]	2_2_00AAEB1D

Source: C:\Users\user\Desktop\FJRUb5lb9m.exe

Code function: 0_2_0105810A GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,

0_2_0105810A

Source: C:\Users\user\Desktop\FJRUb5lb9m.exe	Code function: 0_2_0102A124 SetUnhandledExceptionFilter,		0_2_0102A124
Source: C:\Users\user\Desktop\FJRUb5lb9m.exe	Code function: 0_2_0102A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_0102A155

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\FJRUb5lb9m.exe

Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\FJRUb5lb9m.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 229008

Jump to behavior

Source: C:\Users\user\Desktop\FJRUb5lb9m.exe

Code function: 0_2_010587B1 LogonUserW,

0_2_010587B1

Source: C:\Users\user\Desktop\FJRUb5lb9m.exe

Code function: 0_2_01003B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_01003B3A

Source: C:\Users\user\Desktop\FJRUb5lb9m.exe

Code function: 0_2_010048D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_010048D7

Source: C:\Users\user\Desktop\FJRUb5lb9m.exe

Code function: 0_2_01064C27 mouse_event,

0_2_01064C27

Source: C:\Users\user\Desktop\FJRUb5lb9m.exe

Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\FJRUb5lb9m.exe"

Jump to behavior

Source: C:\Users\user\Desktop\FJRUb5lb9m.exe

Code function: 0_2_01057CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_01057CAF

Source: C:\Users\user\Desktop\FJRUb5lb9m.exe

Code function: 0_2_0105874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_0105874B

Source: FJRUb5lb9m.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: FJRUb5lb9m.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\FJRUb5lb9m.exe

Code function: 0_2_0102862B cpuid

0_2_0102862B

Source: C:\Users\user\Desktop\FJRUb5lb9m.exe

Code function: 0_2_01034E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_01034E87

Source: C:\Users\user\Desktop\FJRUb5lb9m.exe

Code function: 0_2_01041E06 GetUserNameW,

0_2_01041E06

Source: C:\Users\user\Desktop\FJRUb5lb9m.exe

Code function: 0_2_01033F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_01033F3A

Source: C:\Users\user\Desktop\FJRUb5lb9m.exe

Code function: 0_2_010049A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_010049A0

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1542995143.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1543024692.0000000000520000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: FJRUb5lb9m.exe	Binary or memory string: WIN_81
Source: FJRUb5lb9m.exe	Binary or memory string: WIN_XP
Source: FJRUb5lb9m.exe	Binary or memory string: WIN_XPe
Source: FJRUb5lb9m.exe	Binary or memory string: WIN_VISTA
Source: FJRUb5lb9m.exe	Binary or memory string: WIN_7
Source: FJRUb5lb9m.exe	Binary or memory string: WIN_8
Source: FJRUb5lb9m.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1542995143.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1543024692.0000000000520000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\FJRUb5lb9m.exe	Code function: 0_2_01076283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_01076283
Source: C:\Users\user\Desktop\FJRUb5lb9m.exe	Code function: 0_2_01076747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_01076747

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	2 Native API	2 Valid Accounts	2 Valid Accounts	2 Valid Accounts	21 Input Capture	2 System Time Discovery	Remote Services	21 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	LSASS Memory	25 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	21 Access Token Manipulation	2 Virtualization/Sandbox Evasion	Security Account Manager	2 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	3 Clipboard Data	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	212 Process Injection	21 Access Token Manipulation	NTDS	3 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 DLL Side-Loading	212 Process Injection	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	1 Account Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Obfuscated Files or Information	DCSync	1 System Owner/User Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	1 File and Directory Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	115 System Information Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
FJRUb5lb9m.exe	66%	ReversingLabs	Win32.Trojan.AutoitInject
FJRUb5lb9m.exe	51%	Virustotal		Browse
FJRUb5lb9m.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Antivirus Detection	Reputation
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588680
Start date and time:	2025-01-11 04:05:21 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 27s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	FJRUb5lb9m.exe renamed because original name is a hash value
Original Sample Name:	dd0cbee3fccd6992b6441f30f51b452caaa7cfc79edd13204fa4099a19421525.exe
Detection:	MAL
Classification:	mal84.troj.evad.winEXE@3/2@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 50 Number of non-executed functions: 281
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 52.149.20.212
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.

Simulations

Behavior and APIs

Time	Type	Description
22:06:29	API Interceptor	3x Sleep call for process: svchost.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0017.t-0009.t-msedge.net	5hD3Yjf7xD.exe	Get hash	malicious	AgentTesla	Browse	13.107.246.45
	02Eh1ah35H.exe	Get hash	malicious	GuLoader	Browse	13.107.246.45
	AJ5zYYsisA.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	suBpo1g13Q.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
	1297823757234143258.js	Get hash	malicious	Strela Downloader	Browse	13.107.246.45
	4N4nldx1wW.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
	1487427797195518826.js	Get hash	malicious	Strela Downloader	Browse	13.107.246.45
	5by4QM3v89.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
	uEuTtkxAqq.exe	Get hash	malicious	AgentTesla	Browse	13.107.246.45
	23754232101540928500.js	Get hash	malicious	Strela Downloader	Browse	13.107.246.45

Process:	C:\Users\user\Desktop\FJRUb5lb9m.exe
File Type:	data
Category:	dropped
Size (bytes):	289280
Entropy (8bit):	7.990800531329619
Encrypted:	true
SSDEEP:	3072:3j4TmGjDgIUePbMztfFEIO53Mporam3QL/cy844YmP0vkR4ogy8IHRO6DQKK7Bw2:T4TmG5UUbMEIOtskQmYom0OdKUw/v2
MD5:	30112D177834BDE1902FCB7D97AA6232
SHA1:	5DE37A27EA03262F03A1D7683F1C74B0F3AA7B26
SHA-256:	D309AE8A3B5DB190CA5704FA9A93541B2152DF97E302E59E41A8A94D48731364
SHA-512:	419AA1662D38B982E95F135C5CAB3D570392E8B10153A4CF629A7D9AAAC0C4C4BE468D236A2BE0F8140A78B7BF4BFD1B443B3C3C2B771BC181E86762250EF072
Malicious:	false
Reputation:	low
Preview:	...Y@LICTSOD..ZY.YCLICPS.DZYZYUYCLICPSODZYZYUYCLICPSODZYZYUY.LIC^L.JZ.S.t.B..b.;&7z)(62+"!i 1=!+.y8<u+6"i*>s...y761<mADItSODZYZY,XJ.t#7.r$=.g92.Y..j3(.@..i9$.S...s$=..061~,..PSODZYZY..CL.BQS...ZYUYCLIC.SMEQXQYU.GLICPSODZY:JUYC\ICP#KDZY.YUICLIAPSIDZYZYUYELICPSODZ)^YU[CLICPSMD..ZYEYC\ICPS_DZIZYUYCLYCPSODZYZYUYCLICPSODZYZYUYCLICPSODZYZYUYCLICPSODZYZYUYCLICPSODZYZYUYCLICPSODZYZYUYCLICPSODZYZYUYCLICPSODZYZYUYCLICPSODZYZYUYCLICPSODt-?!!YCL}.TSOTZYZ.QYC\ICPSODZYZYUYCLiCP3ODZYZYUYCLICPSODZYZYUYCLICPSODZYZYUYCLICPSODZYZYUYCLICPSODZYZYUYCLICPSODZYZYUYCLICPSODZYZYUYCLICPSODZYZYUYCLICPSODZYZYUYCLICPSODZYZYUYCLICPSODZYZYUYCLICPSODZYZYUYCLICPSODZYZYUYCLICPSODZYZYUYCLICPSODZYZYUYCLICPSODZYZYUYCLICPSODZYZYUYCLICPSODZYZYUYCLICPSODZYZYUYCLICPSODZYZYUYCLICPSODZYZYUYCLICPSODZYZYUYCLICPSODZYZYUYCLICPSODZYZYUYCLICPSODZYZYUYCLICPSODZYZYUYCLICPSODZYZYUYCLICPSODZYZYUYCLICPSODZYZYUYCLICPSODZYZYUYCLICPSODZYZYUYCLICPSODZYZYUYCLICPSODZYZYUYCLICPSODZYZYUYCLICPSODZYZYUYCLICPSODZYZYUYCLICPSODZYZYUYCLICPSODZYZYUYCL

C:\Users\user\AppData\Local\Temp\hepatoduodenostomy

Download File

Process:	C:\Users\user\Desktop\FJRUb5lb9m.exe
File Type:	data
Category:	dropped
Size (bytes):	289280
Entropy (8bit):	7.990800531329619
Encrypted:	true
SSDEEP:	3072:3j4TmGjDgIUePbMztfFEIO53Mporam3QL/cy844YmP0vkR4ogy8IHRO6DQKK7Bw2:T4TmG5UUbMEIOtskQmYom0OdKUw/v2
MD5:	30112D177834BDE1902FCB7D97AA6232
SHA1:	5DE37A27EA03262F03A1D7683F1C74B0F3AA7B26
SHA-256:	D309AE8A3B5DB190CA5704FA9A93541B2152DF97E302E59E41A8A94D48731364
SHA-512:	419AA1662D38B982E95F135C5CAB3D570392E8B10153A4CF629A7D9AAAC0C4C4BE468D236A2BE0F8140A78B7BF4BFD1B443B3C3C2B771BC181E86762250EF072
Malicious:	false
Reputation:	low
Preview:	...Y@LICTSOD..ZY.YCLICPS.DZYZYUYCLICPSODZYZYUYCLICPSODZYZYUY.LIC^L.JZ.S.t.B..b.;&7z)(62+"!i 1=!+.y8<u+6"i*>s...y761<mADItSODZYZY,XJ.t#7.r$=.g92.Y..j3(.@..i9$.S...s$=..061~,..PSODZYZY..CL.BQS...ZYUYCLIC.SMEQXQYU.GLICPSODZY:JUYC\ICP#KDZY.YUICLIAPSIDZYZYUYELICPSODZ)^YU[CLICPSMD..ZYEYC\ICPS_DZIZYUYCLYCPSODZYZYUYCLICPSODZYZYUYCLICPSODZYZYUYCLICPSODZYZYUYCLICPSODZYZYUYCLICPSODZYZYUYCLICPSODZYZYUYCLICPSODZYZYUYCLICPSODZYZYUYCLICPSODt-?!!YCL}.TSOTZYZ.QYC\ICPSODZYZYUYCLiCP3ODZYZYUYCLICPSODZYZYUYCLICPSODZYZYUYCLICPSODZYZYUYCLICPSODZYZYUYCLICPSODZYZYUYCLICPSODZYZYUYCLICPSODZYZYUYCLICPSODZYZYUYCLICPSODZYZYUYCLICPSODZYZYUYCLICPSODZYZYUYCLICPSODZYZYUYCLICPSODZYZYUYCLICPSODZYZYUYCLICPSODZYZYUYCLICPSODZYZYUYCLICPSODZYZYUYCLICPSODZYZYUYCLICPSODZYZYUYCLICPSODZYZYUYCLICPSODZYZYUYCLICPSODZYZYUYCLICPSODZYZYUYCLICPSODZYZYUYCLICPSODZYZYUYCLICPSODZYZYUYCLICPSODZYZYUYCLICPSODZYZYUYCLICPSODZYZYUYCLICPSODZYZYUYCLICPSODZYZYUYCLICPSODZYZYUYCLICPSODZYZYUYCLICPSODZYZYUYCLICPSODZYZYUYCLICPSODZYZYUYCLICPSODZYZYUYCL

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.194956018253899
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	FJRUb5lb9m.exe
File size:	1'213'440 bytes
MD5:	896cef1e1ce8fb012437f05a81195d27
SHA1:	b825b626e64342dd5c3162ccd3df9c8c7c593f7b
SHA256:	dd0cbee3fccd6992b6441f30f51b452caaa7cfc79edd13204fa4099a19421525
SHA512:	9f8f0033db162205c57ddb90a5c53130b52bef8bd096db853a3cfc72be43b50a69757fede9925b7c74195b9bf8f678b5e95f71421508add14e7f18417ea50c3b
SSDEEP:	24576:Ou6J33O0c+JY5UZ+XC0kGso6FaYfSmkgvy+/tT7/odUWY:Au0c++OCvkGs9FaY4gxtHAZY
TLSH:	3F45CE2273DDC360CB669173BF6AB7016EBF7C214630B95B2F880D7DA950162162D7A3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x427dcd
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x674FE556 [Wed Dec 4 05:15:02 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007F423114525Ah
jmp 00007F4231138024h
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F42311381AAh
cmp edi, eax
jc 00007F423113850Eh
bt dword ptr [004C31FCh], 01h
jnc 00007F42311381A9h
rep movsb
jmp 00007F42311384BCh
cmp ecx, 00000080h
jc 00007F4231138374h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F42311381B0h
bt dword ptr [004BE324h], 01h
jc 00007F4231138680h
bt dword ptr [004C31FCh], 00000000h
jnc 00007F423113834Dh
test edi, 00000003h
jne 00007F423113835Eh
test esi, 00000003h
jne 00007F423113833Dh
bt edi, 02h
jnc 00007F42311381AFh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F42311381B3h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F4231138205h
bt esi, 03h
jnc 00007F4231138258h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD4 build 31101
[RES] VS2013 build 21005
[LNK] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xba44c	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x5fa18	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x127000	0x711c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4870	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dcc4	0x8de00	d28a820a1d9ff26cda02d12b888ba4b4	False	0.5728679102422908	data	6.676118058520316	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2e10e	0x2e200	79b14b254506b0dbc8cd0ad67fb70ad9	False	0.33535526761517614	OpenPGP Public Key	5.76010872795207	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbe000	0x8f74	0x5200	9f9d6f746f1a415a63de45f8b7983d33	False	0.1017530487804878	data	1.198745897703538	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc7000	0x5fa18	0x5fc00	83af89597ebb36ca72d38df17f12d3be	False	0.9305289246083551	data	7.902264540181182	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x127000	0x711c	0x7200	6fcae3cbbf6bfbabf5ec5bbe7cf612c3	False	0.7650767543859649	data	6.779031650454199	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc75a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc76d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc77f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc7920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc7c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc7d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc8bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc9480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc99e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xcbf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xcd038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xcd4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xcd4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcda84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xce110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xce5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xceb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcf1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcf660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcf7b8	0x56cdf	data			1.0003262541801317
RT_GROUP_ICON	0x126498	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x126510	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x126524	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x126538	0x14	data	English	Great Britain	1.25
RT_VERSION	0x12654c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x126628	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 11, 2025 04:06:09.462251902 CET	1.1.1.1	192.168.2.9	0x6699	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 04:06:09.462251902 CET	1.1.1.1	192.168.2.9	0x6699	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	22:06:13
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\FJRUb5lb9m.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\FJRUb5lb9m.exe"
Imagebase:	0x1000000
File size:	1'213'440 bytes
MD5 hash:	896CEF1E1CE8FB012437F05A81195D27
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	22:06:14
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\FJRUb5lb9m.exe"
Imagebase:	0xd60000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1542995143.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1543024692.0000000000520000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.7%
Dynamic/Decrypted Code Coverage:	1.5%
Signature Coverage:	8.8%
Total number of Nodes:	2000
Total number of Limit Nodes:	58

Executed Functions

Function 01003B3A Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 01003B68
IsDebuggerPresent.KERNEL32 ref: 01003B7A
GetFullPathNameW.KERNEL32(00007FFF,?,?,010C52F8,010C52E0,?,?), ref: 01003BEB

Part of subcall function 01007BCC: _memmove.LIBCMT ref: 01007C06

Part of subcall function 0101092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,01003C14,010C52F8,?,?,?), ref: 0101096E

SetCurrentDirectoryW.KERNEL32(?), ref: 01003C6F
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,010B7770,00000010), ref: 0103D281
SetCurrentDirectoryW.KERNEL32(?,010C52F8,?,?,?), ref: 0103D2B9
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,010B4260,010C52F8,?,?,?), ref: 0103D33F
ShellExecuteW.SHELL32(00000000,?,?), ref: 0103D346

Part of subcall function 01003A46: GetSysColorBrush.USER32(0000000F), ref: 01003A50
Part of subcall function 01003A46: LoadCursorW.USER32(00000000,00007F00), ref: 01003A5F
Part of subcall function 01003A46: LoadIconW.USER32(00000063), ref: 01003A76
Part of subcall function 01003A46: LoadIconW.USER32(000000A4), ref: 01003A88
Part of subcall function 01003A46: LoadIconW.USER32(000000A2), ref: 01003A9A
Part of subcall function 01003A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 01003AC0
Part of subcall function 01003A46: RegisterClassExW.USER32(?), ref: 01003B16

Part of subcall function 010039D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 01003A03
Part of subcall function 010039D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 01003A24
Part of subcall function 010039D5: ShowWindow.USER32(00000000,?,?), ref: 01003A38
Part of subcall function 010039D5: ShowWindow.USER32(00000000,?,?), ref: 01003A41

Part of subcall function 0100434A: _memset.LIBCMT ref: 01004370
Part of subcall function 0100434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 01004415

Strings

runas, xrefs: 0103D33A
This is a third-party compiled AutoIt script., xrefs: 0103D279

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas
API String ID: 529118366-3287110873
Opcode ID: 900ec422a59c827b77936bb8ac92b1eed2c9dc2e8cf4d7c0086ca44d12a308de
Instruction ID: d2746b3336e7a71297e48a14d1481a2340abbda8e2e27582ea4a4484efeff5f7
Opcode Fuzzy Hash: 900ec422a59c827b77936bb8ac92b1eed2c9dc2e8cf4d7c0086ca44d12a308de
Instruction Fuzzy Hash: 5651F534A0410EAEEF23EBF5DC05DED7BBABB66610F004099F5D1AA1C1CA7A6545CF21

Function 010049A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 010049CD

Part of subcall function 01007BCC: _memmove.LIBCMT ref: 01007C06

GetCurrentProcess.KERNEL32(?,0108FAEC,00000000,00000000,?), ref: 01004A9A
IsWow64Process.KERNEL32(00000000), ref: 01004AA1
GetNativeSystemInfo.KERNELBASE(00000000), ref: 01004AE7
FreeLibrary.KERNEL32(00000000), ref: 01004AF2
GetSystemInfo.KERNEL32(00000000), ref: 01004B23
GetSystemInfo.KERNEL32(00000000), ref: 01004B2F

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: 956cf17e5a242dec1f2e809f2e32ac285939912db3198a7d163af356ab36c1bd
Instruction ID: e7915ee067b0df9066f2daa2fdd5c685a68cdab59f7d514332ce2c198c718b16
Opcode Fuzzy Hash: 956cf17e5a242dec1f2e809f2e32ac285939912db3198a7d163af356ab36c1bd
Instruction Fuzzy Hash: 2B91D331949BC1DEDB73DBB884501AEFFF5AF2A200F44499DD1CA93A82D224B548C76D

Function 01004E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,01004D8E,?,?,00000000,00000000), ref: 01004E99
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,01004D8E,?,?,00000000,00000000), ref: 01004EB0
LoadResource.KERNEL32(?,00000000,?,?,01004D8E,?,?,00000000,00000000,?,?,?,?,?,?,01004E2F), ref: 0103D937
SizeofResource.KERNEL32(?,00000000,?,?,01004D8E,?,?,00000000,00000000,?,?,?,?,?,?,01004E2F), ref: 0103D94C
LockResource.KERNEL32(01004D8E,?,?,01004D8E,?,?,00000000,00000000,?,?,?,?,?,?,01004E2F,00000000), ref: 0103D95F

Strings

SCRIPT, xrefs: 01004EA6

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 2ccf60f6d10466f49279b113aeb51409bc082d44a267f0b6d58e95578f71b371
Instruction ID: 882ed2793ca280a3eaa62a7644c2ebc3b60a9e0ed79cc475572c3bb48a52251d
Opcode Fuzzy Hash: 2ccf60f6d10466f49279b113aeb51409bc082d44a267f0b6d58e95578f71b371
Instruction Fuzzy Hash: C7115E75244701BFE7218B65EC88F6B7BBAEBC5B51F10426CF685C6290DB62EC018664

Function 0100FCE0 Relevance: 5.5, APIs: 3, Instructions: 1040COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: BuffCharUpper
String ID:
API String ID: 3964851224-0
Opcode ID: cebac8415d937cfa145b6a7dbf4d07b5937cfc270d0977e17d52404fc4643c0f
Instruction ID: f3897931a6fa467e4c4688ce858d3555bde631aa0e42577e0b23066374db915d
Opcode Fuzzy Hash: cebac8415d937cfa145b6a7dbf4d07b5937cfc270d0977e17d52404fc4643c0f
Instruction Fuzzy Hash: 5E927BB06083428FD761DF18C480B6ABBE5BF89304F14896DF9CA8B355D775E885CB92

Function 0106445A Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,0103E398), ref: 0106446A
FindFirstFileW.KERNELBASE(?,?), ref: 0106447B
FindClose.KERNEL32(00000000), ref: 0106448B

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: c17bef41c3379ea9673c7096395dcb8b85a9ad71675296965efff147028eb482
Instruction ID: a39d80906400da37a881627a663af0163351226b2f0be68f58f3feb54235ea73
Opcode Fuzzy Hash: c17bef41c3379ea9673c7096395dcb8b85a9ad71675296965efff147028eb482
Instruction Fuzzy Hash: 7CE026338189026B8220AA3CEC0E8EE779C9F45236F104746F8F5C20C0EFB89900C7D6

Function 0100E6A0 Relevance: 2.4, Strings: 1, Instructions: 1102COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 01043E62

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: af7f7da7a01b1037b0cba60811ece7675c39e59de12c013c1ada64880a0b1295
Instruction ID: 57ae2dcf2105e1942edc6deac297940cea4bb2a5be56e6da41b9d8e194d9ee95
Opcode Fuzzy Hash: af7f7da7a01b1037b0cba60811ece7675c39e59de12c013c1ada64880a0b1295
Instruction Fuzzy Hash: 59A2A474A00216CFEB66CF58C480AAEBBF1FF59314F1484A9D985AB381D735ED42CB91

Function 010109D0 Relevance: 57.3, APIs: 27, Strings: 5, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 01010A5B
timeGetTime.WINMM ref: 01010D16
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 01010E53
Sleep.KERNEL32(0000000A), ref: 01010E61
LockWindowUpdate.USER32(00000000,?,?), ref: 01010EFA
DestroyWindow.USER32 ref: 01010F06
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 01010F20
Sleep.KERNEL32(0000000A,?,?), ref: 01044E83
TranslateMessage.USER32(?), ref: 01045C60
DispatchMessageW.USER32(?), ref: 01045C6E
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 01045C82

Strings

@TRAY_ID, xrefs: 0104578F
@COM_EVENTOBJ, xrefs: 010454F0
@GUI_WINHANDLE, xrefs: 01044F8F
@GUI_CTRLID, xrefs: 01044F3A
@GUI_CTRLHANDLE, xrefs: 01044FE4

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 4212290369-3242690629
Opcode ID: 3d856b53e0d2c5795157d84f657e5a3c5b7608d60d4ada2e3412f4c0ab326a5c
Instruction ID: 3df279bf9cdf35bb21749356ec01b2c6fa72908871945ced0090a1e8578be918
Opcode Fuzzy Hash: 3d856b53e0d2c5795157d84f657e5a3c5b7608d60d4ada2e3412f4c0ab326a5c
Instruction Fuzzy Hash: B2B28EB06083429FE765DF24C884BAEBBE5BB85304F04496DF5C997295CB75E884CB82

Function 01069155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 01068F5F: __time64.LIBCMT ref: 01068F69

Part of subcall function 01004EE5: _fseek.LIBCMT ref: 01004EFD

__wsplitpath.LIBCMT ref: 01069234

Part of subcall function 010240FB: __wsplitpath_helper.LIBCMT ref: 0102413B

_wcscpy.LIBCMT ref: 01069247
_wcscat.LIBCMT ref: 0106925A
__wsplitpath.LIBCMT ref: 0106927F
_wcscat.LIBCMT ref: 01069295
_wcscat.LIBCMT ref: 010692A8

Part of subcall function 01068FA5: _memmove.LIBCMT ref: 01068FDE
Part of subcall function 01068FA5: _memmove.LIBCMT ref: 01068FED

_wcscmp.LIBCMT ref: 010691EF

Part of subcall function 01069734: _wcscmp.LIBCMT ref: 01069824
Part of subcall function 01069734: _wcscmp.LIBCMT ref: 01069837

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 01069452
_wcsncpy.LIBCMT ref: 010694C5
DeleteFileW.KERNEL32(?,?), ref: 010694FB
CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 01069511
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 01069522
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 01069534

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: c96df52dd2e4ca1fe7e5f67e8b402e3408bb3e44229597ef7c1ff6bdedcb6a9d
Instruction ID: 49f259b26d91fe0449e2e5a949ecade7bf4ab24fe058f60e3a5392255f3257e9
Opcode Fuzzy Hash: c96df52dd2e4ca1fe7e5f67e8b402e3408bb3e44229597ef7c1ff6bdedcb6a9d
Instruction Fuzzy Hash: 05C12DB1D0022AAFDF21DFA5CC84EDEB7BDEF55214F0040AAE649E7150DB309A848F65

Function 0100301C Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 01003074
RegisterClassExW.USER32(00000030), ref: 0100309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 010030AF
InitCommonControlsEx.COMCTL32(?), ref: 010030CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 010030DC
LoadIconW.USER32(000000A9), ref: 010030F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 01003101

Strings

TaskbarCreated, xrefs: 010030A4
0, xrefs: 01003056
AutoIt v3 GUI, xrefs: 01003090
+, xrefs: 0100305D

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 9e00c499a9c1140eee9dc4bf4bdfd2f31f4e6fdd209387bc319e4dce9430ed46
Instruction ID: 6e6d401fef22b9000a4d4028d4dfde9ccf319a232bc66a91f02677cd5c0ff908
Opcode Fuzzy Hash: 9e00c499a9c1140eee9dc4bf4bdfd2f31f4e6fdd209387bc319e4dce9430ed46
Instruction Fuzzy Hash: 253127B594530AEFDB60DFA4D885A9DBBF0FB09320F10411AE5C0EA294D7BA5585CF50

Function 01003041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 01003074
RegisterClassExW.USER32(00000030), ref: 0100309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 010030AF
InitCommonControlsEx.COMCTL32(?), ref: 010030CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 010030DC
LoadIconW.USER32(000000A9), ref: 010030F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 01003101

Strings

TaskbarCreated, xrefs: 010030A4
0, xrefs: 01003056
AutoIt v3 GUI, xrefs: 01003090
+, xrefs: 0100305D

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 1f3fc1a6544820b1bc3b2209e3106e7ba9a0dbb6baec4278eeebec5b9aea1bc3
Instruction ID: 50cf0bee14b4b0a571d09ffd47c1c180e3ef21430a57d1c918b241a4eb4f72f2
Opcode Fuzzy Hash: 1f3fc1a6544820b1bc3b2209e3106e7ba9a0dbb6baec4278eeebec5b9aea1bc3
Instruction Fuzzy Hash: EE2127B5A04209AFEB20DFA4E848B8EBBF4FB08700F10411AF591E6284D7BA55488F91

Function 0100708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 01004706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,010C52F8,?,010037AE,?), ref: 01004724

Part of subcall function 0102050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,01007165), ref: 0102052D

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 010071A8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0103E8C8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0103E909
RegCloseKey.ADVAPI32(?), ref: 0103E947
_wcscat.LIBCMT ref: 0103E9A0

Strings

Software\AutoIt v3\AutoIt, xrefs: 0100719E
\Include\, xrefs: 01007165
Include, xrefs: 0103E8BF, 0103E900
\, xrefs: 0103E9C3

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: b349d9312926b613a30f4b91daabb3b7e29a37402c0da58449032c568804176b
Instruction ID: a4f395830795ede337fe5f884ea0716ad84b18b6c1c38f6e31011cd2590a376d
Opcode Fuzzy Hash: b349d9312926b613a30f4b91daabb3b7e29a37402c0da58449032c568804176b
Instruction Fuzzy Hash: 6F719E711083029ED721EF69E8409AFBBE9FF98310F40052EF5C5872A4EB36A549CF52

Function 01003A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 01003A50
LoadCursorW.USER32(00000000,00007F00), ref: 01003A5F
LoadIconW.USER32(00000063), ref: 01003A76
LoadIconW.USER32(000000A4), ref: 01003A88
LoadIconW.USER32(000000A2), ref: 01003A9A
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 01003AC0
RegisterClassExW.USER32(?), ref: 01003B16

Part of subcall function 01003041: GetSysColorBrush.USER32(0000000F), ref: 01003074
Part of subcall function 01003041: RegisterClassExW.USER32(00000030), ref: 0100309E
Part of subcall function 01003041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 010030AF
Part of subcall function 01003041: InitCommonControlsEx.COMCTL32(?), ref: 010030CC
Part of subcall function 01003041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 010030DC
Part of subcall function 01003041: LoadIconW.USER32(000000A9), ref: 010030F2
Part of subcall function 01003041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 01003101

Strings

AutoIt v3, xrefs: 01003B05
0, xrefs: 01003AF4
#, xrefs: 01003AFB

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: e2d2fab62c9d3986fbe7dfb383f858d6bdcc4c358fe4579922e4fad60380a902
Instruction ID: 6a37af970a97feca516606e6370a0f3c5e315628f1790dcd27ad7a03f60880f9
Opcode Fuzzy Hash: e2d2fab62c9d3986fbe7dfb383f858d6bdcc4c358fe4579922e4fad60380a902
Instruction Fuzzy Hash: A7215C74E04305AFFB21DFA4EC09B9D7BF6FB09711F00011AF584AA295D3BA65508F84

Function 01003633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 010036D2
KillTimer.USER32(?,00000001), ref: 010036FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0100371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0100372A
CreatePopupMenu.USER32 ref: 0100373E
PostQuitMessage.USER32(00000000), ref: 0100374D

Strings

TaskbarCreated, xrefs: 01003725

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 30ffc6a317f6e02fca791280b4eaeaaa1effaa237cb1bbf8847c222efa1b060e
Instruction ID: b1152ddca0a7a8d59591b82163bcd9fee8f0f1e27c65c6bf3e84fc9d09de6a69
Opcode Fuzzy Hash: 30ffc6a317f6e02fca791280b4eaeaaa1effaa237cb1bbf8847c222efa1b060e
Instruction Fuzzy Hash: 3441D675204106AFFB776FBCDC08BBE3AD9FB45600F404119F6C2DA2D5CA6AA4548B61

Function 01003766 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

CMDLINE, xrefs: 01003822
CMDLINERAW, xrefs: 010037FB
/AutoIt3ExecuteScript, xrefs: 010038BC
/AutoIt3ExecuteLine, xrefs: 010038A7
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 010037AE
/ErrorStdOut, xrefs: 0100387D
/AutoIt3OutputDebug, xrefs: 01003892

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
API String ID: 1825951767-3513169116
Opcode ID: 20377789bf8511cd6298d414564c7f8cefce523b10e3ff26f028573701562094
Instruction ID: 342d910549016379b2b11b67d1c073505cb088d7cacf0a60c03b1d72e45c7968
Opcode Fuzzy Hash: 20377789bf8511cd6298d414564c7f8cefce523b10e3ff26f028573701562094
Instruction Fuzzy Hash: EAA16F7190021E9EEF16EBE4DC509EEB7B9BF25310F40051AE595BB1D0DF746A04CB60

Function 015B14F8 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 015B15C9
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 015B17EF

Memory Dump Source

Source File: 00000000.00000002.1366952141.00000000015AE000.00000040.00000020.00020000.00000000.sdmp, Offset: 015AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15ae000_FJRUb5lb9m.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: 640a513b0a1dc75cf27b9d1dcd7263df352c7e5bc7e4f1208c2f85c57f315c64
Instruction ID: 8351acc342603d186c8f5a14665e444bc648802d1e87c83c2d269a2f2f6e988e
Opcode Fuzzy Hash: 640a513b0a1dc75cf27b9d1dcd7263df352c7e5bc7e4f1208c2f85c57f315c64
Instruction Fuzzy Hash: B9A10774E00609EBDB54CFA4D8D8BEEBBB5BF48304F208559E501BB280D7759A81CF94

Function 010039D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 01003A03
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 01003A24
ShowWindow.USER32(00000000,?,?), ref: 01003A38
ShowWindow.USER32(00000000,?,?), ref: 01003A41

Strings

AutoIt v3, xrefs: 010039FB, 01003A00, 01003A01
edit, xrefs: 01003A1E

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 03e5f9fd4c309d045123371acc3d085e33d4afcf7a5e596de7354a0e522214a0
Instruction ID: bb809906a1e11d02ea7da57690aef547dffcb437cef0c404bc21ca7187977b7d
Opcode Fuzzy Hash: 03e5f9fd4c309d045123371acc3d085e33d4afcf7a5e596de7354a0e522214a0
Instruction Fuzzy Hash: 6DF0DA756412907EEA316727AC49E6B3EBEE7CBF50B00411EB980E6154C67A2851DFB0

Function 015B1278 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 160
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 015B1168: Sleep.KERNELBASE(000001F4), ref: 015B1179

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 015B13E2

Strings

ZYUYCLICPSODZY, xrefs: 015B1448, 015B144B

Memory Dump Source

Source File: 00000000.00000002.1366952141.00000000015AE000.00000040.00000020.00020000.00000000.sdmp, Offset: 015AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15ae000_FJRUb5lb9m.jbxd

Similarity

API ID: CreateFileSleep
String ID: ZYUYCLICPSODZY
API String ID: 2694422964-2526276962
Opcode ID: 852eecdd52096100c6425cf790eafece19aa946a55e5635f538dcf611f25d407
Instruction ID: 2275e2b2426ed3c398f98b1324233f46c2f4691f1488eabd5aa4175a6d0c3ab4
Opcode Fuzzy Hash: 852eecdd52096100c6425cf790eafece19aa946a55e5635f538dcf611f25d407
Instruction Fuzzy Hash: 74618130E14649DBEF10DBE4D894BEEBB75EF58300F004599E608BB2C0D7795A45CBA6

Function 0100407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0103D3D7

Part of subcall function 01007BCC: _memmove.LIBCMT ref: 01007C06

_memset.LIBCMT ref: 010040FC
_wcscpy.LIBCMT ref: 01004150
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 01004160

Strings

Line: , xrefs: 0103D400

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: 17ac9bf5812c651586c59862a7a1004899512d8857e933b65508bad84a472786
Instruction ID: 03a3b86d4afbc227c4aaf359ef493817e8fdb315ac996164815561ff5e4f0642
Opcode Fuzzy Hash: 17ac9bf5812c651586c59862a7a1004899512d8857e933b65508bad84a472786
Instruction Fuzzy Hash: 9531CF72108306AEE372EB64DC44FDB77E8AF65304F10491EF6C5920D0DB79A648CB96

Function 0100686A Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 01004DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,010C52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 01004E0F

_free.LIBCMT ref: 0103E263
_free.LIBCMT ref: 0103E2AA

Part of subcall function 01006A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 01006BAD

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 0103E039
Bad directive syntax error, xrefs: 0103E292

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: 775847b43595838ef547a12eeb8afa703d78a2c1bfec6e53ef3099683f46e558
Instruction ID: 94a00187fd01bbd577df6b2e7b994ebd9c132c6dcc2d11d4afd6df80632d0309
Opcode Fuzzy Hash: 775847b43595838ef547a12eeb8afa703d78a2c1bfec6e53ef3099683f46e558
Instruction Fuzzy Hash: 5D91B27190021AEFDF15EFA4CC809EDB7B8FF55310F00456AE995AB2A0DB34A955CF50

Function 010035B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,010035A1,SwapMouseButtons,00000004,?), ref: 010035D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,010035A1,SwapMouseButtons,00000004,?,?,?,?,01002754), ref: 010035F5
RegCloseKey.KERNELBASE(00000000,?,?,010035A1,SwapMouseButtons,00000004,?,?,?,?,01002754), ref: 01003617

Strings

Control Panel\Mouse, xrefs: 010035D2

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 8c7ddd696e8a30abb61ef25f8229c8da3ae779ba8ea30dee88a514d2034dfc08
Instruction ID: 5b5eaa0e9f0892185f31f861a60309e4c553bc94589b334f2b4534a7fc5978a4
Opcode Fuzzy Hash: 8c7ddd696e8a30abb61ef25f8229c8da3ae779ba8ea30dee88a514d2034dfc08
Instruction Fuzzy Hash: 22115A71514208BFEB228F68DC44DEFBBB8FF08740F008459F885DB240D6719A419B60

Function 015B0168 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 015B0923
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 015B09B9
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 015B09DB

Memory Dump Source

Source File: 00000000.00000002.1366952141.00000000015AE000.00000040.00000020.00020000.00000000.sdmp, Offset: 015AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15ae000_FJRUb5lb9m.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 3007ae169ef8b9d8c61beb8ea063371979b6b354134e23f449e077085ff78b4f
Instruction ID: 2b958b3df775b89e0f0f38ed261d822d806baa2bf0ce6b1f8fbb183afd3fdc1f
Opcode Fuzzy Hash: 3007ae169ef8b9d8c61beb8ea063371979b6b354134e23f449e077085ff78b4f
Instruction Fuzzy Hash: AA62F930A146189BEB24CFA4C891BDEB772FF58300F1095A9E10DEB2D0E7759E81CB59

Function 0106955B Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 01004EE5: _fseek.LIBCMT ref: 01004EFD

Part of subcall function 01069734: _wcscmp.LIBCMT ref: 01069824
Part of subcall function 01069734: _wcscmp.LIBCMT ref: 01069837

_free.LIBCMT ref: 010696A2
_free.LIBCMT ref: 010696A9
_free.LIBCMT ref: 01069714

Part of subcall function 01022D55: RtlFreeHeap.NTDLL(00000000,00000000,?,01029A24), ref: 01022D69
Part of subcall function 01022D55: GetLastError.KERNEL32(00000000,?,01029A24), ref: 01022D7B

_free.LIBCMT ref: 0106971C

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
Instruction ID: 0dc7305f7250a3367947807b554db3ae66bf5e63e106579fa2092542bfadd632
Opcode Fuzzy Hash: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
Instruction Fuzzy Hash: 11516FB1D04259AFDF259FA4DC84AEEBBB9FF48304F00449EE249A3240DB715A90CF58

Function 0102470A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 010247A0
__flush.LIBCMT ref: 010247C0
__write.LIBCMT ref: 010247F3
__flsbuf.LIBCMT ref: 01024821

Part of subcall function 01028B28: __getptd_noexit.LIBCMT ref: 01028B28

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction ID: 4104374f780afe5034fa1f1affe733ac7b3be372c10be7b0296ecd308858051f
Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction Fuzzy Hash: DD41D234B00B669BDB19CFADC8809AE7BE5FF45360B1481BDE9A9C7640E6B0D941CB40

Function 01007285 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0103EA39
GetOpenFileNameW.COMDLG32(?), ref: 0103EA83

Part of subcall function 01004750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,01004743,?,?,010037AE,?), ref: 01004770

Part of subcall function 01020791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 010207B0

Strings

X, xrefs: 0103EA51

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: 5acad21b79cd46307768fcbf06f0336a317671ebcdf23d7a306a991604e0777c
Instruction ID: f9b18222e9d609ccb5655f52ee0dac20acbc646185a9da90d9bdc4b482b23667
Opcode Fuzzy Hash: 5acad21b79cd46307768fcbf06f0336a317671ebcdf23d7a306a991604e0777c
Instruction Fuzzy Hash: DB21D871A002599BDB52DF94C844BDE7BFDAF49310F00805AE5C8B7280DBB855498FA1

Function 010698E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 010698F8
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 0106990F

Strings

aut, xrefs: 01069909

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 1aa03d317e4538b59f3d792311f563d0f88a94049b619f559ea059866b0baf72
Instruction ID: 252131a277ca90898dd3737f78ddd2c1c82e3a6cddd58e29516a649dd2a7eeac
Opcode Fuzzy Hash: 1aa03d317e4538b59f3d792311f563d0f88a94049b619f559ea059866b0baf72
Instruction Fuzzy Hash: C0D05E7954430EABDB609AA0EC4EFDA773CE704700F0042A1BAD4D5091EAB599988B95

Function 0107CADD Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2e0bb3051f2577176baf8cd987e5b89d9f19df4de9be600d1773d13d285b370
Instruction ID: 39137682425c6a9eaa98cd83408b7e99ce07d16e77457f3e5b0c077b0fbeea67
Opcode Fuzzy Hash: c2e0bb3051f2577176baf8cd987e5b89d9f19df4de9be600d1773d13d285b370
Instruction Fuzzy Hash: 0CF13770A083029FDB14DF28C580A6ABBE5FF88314F54896EF8999B351D730E945CF92

Function 0100F76F Relevance: 4.7, APIs: 3, Instructions: 168comCOMMON

Download Yara Rule

APIs

Part of subcall function 01020162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 01020193
Part of subcall function 01020162: MapVirtualKeyW.USER32(00000010,00000000), ref: 0102019B
Part of subcall function 01020162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 010201A6
Part of subcall function 01020162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 010201B1
Part of subcall function 01020162: MapVirtualKeyW.USER32(00000011,00000000), ref: 010201B9
Part of subcall function 01020162: MapVirtualKeyW.USER32(00000012,00000000), ref: 010201C1

Part of subcall function 010160F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0100F930), ref: 01016154

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0100F9CD
OleInitialize.OLE32(00000000), ref: 0100FA4A
CloseHandle.KERNEL32(00000000), ref: 010445C8

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 054c68cae5889cd0d24b2ce13d47bd15fcd2b25ea0d3e24689e04d67d7e5430b
Instruction ID: bc1a2be6bbf5b2ed843fd0c5cbe02b2a2a534b98371bc7baa346fdfe9a2e6580
Opcode Fuzzy Hash: 054c68cae5889cd0d24b2ce13d47bd15fcd2b25ea0d3e24689e04d67d7e5430b
Instruction Fuzzy Hash: 1881B2B8B01641CFC3A4DF79EC54659BBE5FBA820AB50822ED0D9C7259EB7E6444CF10

Function 0100434A Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 01004370
Shell_NotifyIconW.SHELL32(00000000,?), ref: 01004415
Shell_NotifyIconW.SHELL32(00000001,?), ref: 01004432

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: 097e9e807440374a051fdb9591979797c93ee8201fb95849e69e4d8ff15568e2
Instruction ID: a6d8456f7cee64a1629a55f2b6ef5fd4022de574b8e7574ad1d8f1caf019e9d8
Opcode Fuzzy Hash: 097e9e807440374a051fdb9591979797c93ee8201fb95849e69e4d8ff15568e2
Instruction Fuzzy Hash: BD3180706043018FE762DF68D88469BBBE8FB49308F00096EF6DAC2281D775A544CB56

Function 0102571C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 01025733

Part of subcall function 0102A16B: __NMSG_WRITE.LIBCMT ref: 0102A192
Part of subcall function 0102A16B: __NMSG_WRITE.LIBCMT ref: 0102A19C

__NMSG_WRITE.LIBCMT ref: 0102573A

Part of subcall function 0102A1C8: GetModuleFileNameW.KERNEL32(00000000,010C33BA,00000104,?,00000001,00000000), ref: 0102A25A
Part of subcall function 0102A1C8: ___crtMessageBoxW.LIBCMT ref: 0102A308

Part of subcall function 0102309F: ___crtCorExitProcess.LIBCMT ref: 010230A5
Part of subcall function 0102309F: ExitProcess.KERNEL32 ref: 010230AE

Part of subcall function 01028B28: __getptd_noexit.LIBCMT ref: 01028B28

RtlAllocateHeap.NTDLL(01570000,00000000,00000001,00000000,?,?,?,01020DD3,?), ref: 0102575F

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: cf8cb18600325d30e414280b1368db84dfbe1678f2858d26b58c77cafeadbb13
Instruction ID: e484b987e1c0f35c5cf0ffbfb4c1b45d05c238c62033537bdb8183bb0aa01954
Opcode Fuzzy Hash: cf8cb18600325d30e414280b1368db84dfbe1678f2858d26b58c77cafeadbb13
Instruction Fuzzy Hash: 7D01F535380333DEEA612738FC84BEE77C8BB52561F50442AE9C59B180DE7488004768

Function 010698A2 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,01069548,?,?,?,?,?,00000004), ref: 010698BB
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,01069548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 010698D1
CloseHandle.KERNEL32(00000000,?,01069548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 010698D8

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: bd0b976adfaf274cabf6c67c22790ade33f499cc46a3789bbb3caf764d1e4bbe
Instruction ID: 60c1ef362b5f455906be8f130806478c8edbf78784662fe36433ea1e0203b820
Opcode Fuzzy Hash: bd0b976adfaf274cabf6c67c22790ade33f499cc46a3789bbb3caf764d1e4bbe
Instruction Fuzzy Hash: 63E08632144215BBEB312A64EC09FDE7F59EB06764F108110FBD4A90D0C7B615219798

Function 01068D0D Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 01068D1B

Part of subcall function 01022D55: RtlFreeHeap.NTDLL(00000000,00000000,?,01029A24), ref: 01022D69
Part of subcall function 01022D55: GetLastError.KERNEL32(00000000,?,01029A24), ref: 01022D7B

_free.LIBCMT ref: 01068D2C
_free.LIBCMT ref: 01068D3E

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
Instruction ID: 0f635a88aac7a0a2dfb6a7e87014a76e235c2dba0fa6d6e628111b72348c4008
Opcode Fuzzy Hash: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
Instruction Fuzzy Hash: F0E0C7B160172243EB60BABCA840AC323EC4FBC252B44484EF68DD7180CE60F8828038

Function 0100A9C3 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 0103FC01

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: 64e8a28784613f469dfa31b36e461edda7d415f865e60a62a33af91a37a01767
Instruction ID: abf48f54b4c081b0060030bc3dc2c70a870a4e9bbffe883477e5f45d7ff6cd0e
Opcode Fuzzy Hash: 64e8a28784613f469dfa31b36e461edda7d415f865e60a62a33af91a37a01767
Instruction Fuzzy Hash: DE227C74608302DFE726DF14C494A6ABBE1BF85304F05899DE9CA9B3A1D735EC45CB82

Function 01004C70 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 01004CBA

Strings

EA06, xrefs: 0103D8CC

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: _memmove
String ID: EA06
API String ID: 4104443479-3962188686
Opcode ID: 02947bb97b82accd1fd231a8de306ee8a39cf9d70927be16136427e11f74c828
Instruction ID: 30ed5f7dfba82d7f7c77e0b4ca3da00e741ca690d840b156ef2ca67005f6c039
Opcode Fuzzy Hash: 02947bb97b82accd1fd231a8de306ee8a39cf9d70927be16136427e11f74c828
Instruction Fuzzy Hash: 9D415D21A0415967FF23AF588C907FE7FE69B55200F5840B6EFC6DB2C2D6305D4487A5

Function 01007A51 Relevance: 3.1, APIs: 2, Instructions: 97COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 01007AAB
_memmove.LIBCMT ref: 01007B16

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 75b3ef76dc9c1d7680ff1126038a0b5bca49f3ec50bdc15de679bd26e1e87542
Instruction ID: 392b06b6522110a1ec2955d41d51da9ca734e993eb9589d3633d362c9c3d7c28
Opcode Fuzzy Hash: 75b3ef76dc9c1d7680ff1126038a0b5bca49f3ec50bdc15de679bd26e1e87542
Instruction Fuzzy Hash: 2031C4B1600606AFD705DF68C8D0E69B3E9FF89310B158269E599CB2D1EB34F960CB90

Function 010047D0 Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 01004834

Part of subcall function 0102336C: __lock.LIBCMT ref: 01023372
Part of subcall function 0102336C: DecodePointer.KERNEL32(00000001,?,01004849,01057C74), ref: 0102337E
Part of subcall function 0102336C: EncodePointer.KERNEL32(?,?,01004849,01057C74), ref: 01023389

Part of subcall function 010048FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 01004915
Part of subcall function 010048FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0100492A

Part of subcall function 01003B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 01003B68
Part of subcall function 01003B3A: IsDebuggerPresent.KERNEL32 ref: 01003B7A
Part of subcall function 01003B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,010C52F8,010C52E0,?,?), ref: 01003BEB
Part of subcall function 01003B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 01003C6F

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 01004874

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: db43b00a40785a2749b44adb07652280369fce4c4aae88cafe43def60946b46b
Instruction ID: 745b121be32b115617589d2867b761d056b0061d56f700a639fb3d2be14f62b4
Opcode Fuzzy Hash: db43b00a40785a2749b44adb07652280369fce4c4aae88cafe43def60946b46b
Instruction Fuzzy Hash: 91116A719083069FE721EF29D80494EFBE9FBA9750F00491EF4C4872A0DB769649CF96

Function 01020DB6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0102571C: __FF_MSGBANNER.LIBCMT ref: 01025733
Part of subcall function 0102571C: __NMSG_WRITE.LIBCMT ref: 0102573A
Part of subcall function 0102571C: RtlAllocateHeap.NTDLL(01570000,00000000,00000001,00000000,?,?,?,01020DD3,?), ref: 0102575F

std::exception::exception.LIBCMT ref: 01020DEC
__CxxThrowException@8.LIBCMT ref: 01020E01

Part of subcall function 0102859B: RaiseException.KERNEL32(?,?,?,010B9E78,00000000,?,?,?,?,01020E06,?,010B9E78,?,00000001), ref: 010285F0

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 9f19671a965e2ce114978ce7c3a7a9cb36edc1053878eeb9a5687d280b7b234e
Instruction ID: 26f600c7e3ce34312e7ee5b2e0278cff1cb81b801218f7ae448d62a7904c36f2
Opcode Fuzzy Hash: 9f19671a965e2ce114978ce7c3a7a9cb36edc1053878eeb9a5687d280b7b234e
Instruction Fuzzy Hash: 65F0A43550233A76DF14BAA8EC109DFBBECAF15215F00446AFD8896244DF709A80D2D1

Function 010253A6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 01028B28: __getptd_noexit.LIBCMT ref: 01028B28

__lock_file.LIBCMT ref: 010253EB

Part of subcall function 01026C11: __lock.LIBCMT ref: 01026C34

__fclose_nolock.LIBCMT ref: 010253F6

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 5983794dbb24dbb56bd3fd6f39372e996b013eea00d5eff3caab8fb671e364a2
Instruction ID: 8c839d07071ea1d2af4d3faf04f603ba0ee3ec5a7c1a6cdeaac31e1bbe372bac
Opcode Fuzzy Hash: 5983794dbb24dbb56bd3fd6f39372e996b013eea00d5eff3caab8fb671e364a2
Instruction Fuzzy Hash: A5F0B4319016269ADB11BF799C007ED7BF06F51334F25D249D4E4AB1C0CBFC89419B59

Function 015B0165 Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 015B0923
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 015B09B9
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 015B09DB

Memory Dump Source

Source File: 00000000.00000002.1366952141.00000000015AE000.00000040.00000020.00020000.00000000.sdmp, Offset: 015AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15ae000_FJRUb5lb9m.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: df6a772f5278f9eae63f3a29a40672dfa4321236305f3f5d8c91d224ff423281
Instruction ID: cf190628ea6c0a3e29474a32d595ed12c231997de4609b4e0ee1e3aeaf4ff2cd
Opcode Fuzzy Hash: df6a772f5278f9eae63f3a29a40672dfa4321236305f3f5d8c91d224ff423281
Instruction Fuzzy Hash: 4D12DD24E24658C6EB24DF64D8507DEB232FF68300F1094E9910DEB7A5E77A4E81CF5A

Function 01020C08 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 01020CB7

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 5e87f718da24d247138a06449f0655226c15d3d9183732f21e2fd6a676c66e79
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 1131D4B0A003199BD758DF58C49496DFBA6FB49300B7486A5E98ACB359D731EDC1CBC0

Function 0103FCAC Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0103FCB7

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 711e68c9c7ae3f494ea095a2115238ff622077601a1ce7f3d068ba472e4bb93a
Instruction ID: 79ad6295468dd9464b6ea57578a144b334eced2c1537c5f65f4ecdfbba0fccad
Opcode Fuzzy Hash: 711e68c9c7ae3f494ea095a2115238ff622077601a1ce7f3d068ba472e4bb93a
Instruction Fuzzy Hash: 2C411874608341DFEB15DF18C448B5ABBE1BF45318F09889CE9D98B362C736E845CB52

Function 01007B53 Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 01007BB3

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 6e9fcb1987c2e05347aabe668f2705aae82ef1c269eeaaa8a3e237c56dba5ee3
Instruction ID: f5552a2bfcd348bcd629befbd1a4e790acf53e622608bd71bf431d230abdf84d
Opcode Fuzzy Hash: 6e9fcb1987c2e05347aabe668f2705aae82ef1c269eeaaa8a3e237c56dba5ee3
Instruction Fuzzy Hash: 23214872610A0DEBEB254F15E8807ED7BB8FF84350F24856DEAC6C5184EB359090C705

Function 0100784B Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 01007899

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: debd4a192cd98d234165f3013593147144481ea24bfc443804d127757904428b
Instruction ID: c36359f26b2d85901db7c128416d9124a38f248eb2f4bc839f2fbffb07814e75
Opcode Fuzzy Hash: debd4a192cd98d234165f3013593147144481ea24bfc443804d127757904428b
Instruction Fuzzy Hash: 32118731604216ABE756DF28D480CBEB7A9EF85324B24811AE9D5CB3D0DB35FD11C790

Function 01004DDD Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 01004BB5: FreeLibrary.KERNEL32(00000000,?), ref: 01004BEF

Part of subcall function 0102525B: __wfsopen.LIBCMT ref: 01025266

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,010C52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 01004E0F

Part of subcall function 01004B6A: FreeLibrary.KERNEL32(00000000), ref: 01004BA4

Part of subcall function 01004C70: _memmove.LIBCMT ref: 01004CBA

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: 16041156027ee3c9eb0be113cdd35b0b4d1e51c94a24913a6a04beb3465b9bec
Instruction ID: e1eef6c6854183ba78c1c0797b650e4b91bcf662422c0f450fb4bbc9f8465e5f
Opcode Fuzzy Hash: 16041156027ee3c9eb0be113cdd35b0b4d1e51c94a24913a6a04beb3465b9bec
Instruction Fuzzy Hash: 7011C131604206ABEF26BFB4C815FED77A89F94710F10882DE7C1EB1C0EA759E019B58

Function 0103FD85 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 0103FD91

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 913960cda3c42fc1097e7488bc3211713fe5fc7cc26465b581b22ee588bf0f10
Instruction ID: cd41f556d819628aecf88d4cf157676b0c16bc9b10348e7396f66defa1628a11
Opcode Fuzzy Hash: 913960cda3c42fc1097e7488bc3211713fe5fc7cc26465b581b22ee588bf0f10
Instruction Fuzzy Hash: E92124B4A08302DFEB15DF24C844A5ABBE0BF88314F0589ACF9CA57361D731E805CB92

Function 01024863 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 010248A6

Part of subcall function 01028B28: __getptd_noexit.LIBCMT ref: 01028B28

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: f605b7a8bacb2c38c3e3173d48405346f9b5836f081f15622278369254375a95
Instruction ID: c121e59a3facc5421610384b96aafb12c2bc136dd595340807f90bb29ea060d1
Opcode Fuzzy Hash: f605b7a8bacb2c38c3e3173d48405346f9b5836f081f15622278369254375a95
Instruction Fuzzy Hash: FBF0C23191062AEBEF51AFB48C047EE37E0AF11325F158459E8A4DA290D7B88951DB51

Function 01004E4A Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,010C52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 01004E7E

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: dfa0ac9f07ed8730c573d2c33f1e4e15acdd62fdff43dab9de5d3099ac778a73
Instruction ID: 2e17fda144d008a7260a0d77c118a572d20b6d51fda1c247316d72e8d6664175
Opcode Fuzzy Hash: dfa0ac9f07ed8730c573d2c33f1e4e15acdd62fdff43dab9de5d3099ac778a73
Instruction Fuzzy Hash: 37F03971509752CFEB369F68E494856BBE1AF143697108A7EE2D6C2650C772A840CF44

Function 01020791 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 010207B0

Part of subcall function 01007BCC: _memmove.LIBCMT ref: 01007C06

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: 9f7045aff2c9b00c9620cbb9ffb23642725abfa2c4df43fe06f88ad4091734e9
Instruction ID: 3319d483aec19e64eb369c299fe62f63427474823bced25c4e87ccb6f3fcb341
Opcode Fuzzy Hash: 9f7045aff2c9b00c9620cbb9ffb23642725abfa2c4df43fe06f88ad4091734e9
Instruction Fuzzy Hash: 0CE0CD3690412957C721D5699C05FEA77DDDFCC6A0F0541B6FD8CD7248DD75AC8086D0

Function 0102525B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 01025266

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: 4aa58b32b7dbb5630a066cef8cc822e79740136f51471bccdfff4cc5f52e215e
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: 6BB0927644020C77CE012A82EC02A997B199B56664F408020FB0C181A1A673A6689A89

Function 015B1164 Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 015B1179

Memory Dump Source

Source File: 00000000.00000002.1366952141.00000000015AE000.00000040.00000020.00020000.00000000.sdmp, Offset: 015AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15ae000_FJRUb5lb9m.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: 746693d7ecb9713dc986a625125e200e194245840c950cfb44b1fdb065092d93
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: 22E0BF7494020DEFDB00DFA4D6496ED7BB4FF04301F1005A1FD05E7680DB309E548A62

Function 015B1168 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 015B1179

Memory Dump Source

Source File: 00000000.00000002.1366952141.00000000015AE000.00000040.00000020.00020000.00000000.sdmp, Offset: 015AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_15ae000_FJRUb5lb9m.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: f9bc555dd93800447e2a4cac8149d242134b184f23bdf425f67ea07498fc4d2f
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 23E0E67494020DDFDB00DFB4D6496ED7BB4FF04301F100161FD05E2280D6309D508A62

Non-executed Functions

Function 0108CABC Relevance: 75.9, APIs: 40, Strings: 3, Instructions: 632windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 01002612: GetWindowLongW.USER32(?,000000EB), ref: 01002623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0108CB37
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0108CB95
GetWindowLongW.USER32(?,000000F0), ref: 0108CBD6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0108CC00
SendMessageW.USER32 ref: 0108CC29
_wcsncpy.LIBCMT ref: 0108CC95
GetKeyState.USER32(00000011), ref: 0108CCB6
GetKeyState.USER32(00000009), ref: 0108CCC3
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0108CCD9
GetKeyState.USER32(00000010), ref: 0108CCE3
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0108CD0C
SendMessageW.USER32 ref: 0108CD33
SendMessageW.USER32(?,00001030,?,0108B348), ref: 0108CE37
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0108CE4D
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0108CE60
SetCapture.USER32(?), ref: 0108CE69
ClientToScreen.USER32(?,?), ref: 0108CECE
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0108CEDB
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0108CEF5
ReleaseCapture.USER32 ref: 0108CF00
GetCursorPos.USER32(?), ref: 0108CF3A
ScreenToClient.USER32(?,?), ref: 0108CF47
SendMessageW.USER32(?,00001012,00000000,?), ref: 0108CFA3
SendMessageW.USER32 ref: 0108CFD1
SendMessageW.USER32(?,00001111,00000000,?), ref: 0108D00E
SendMessageW.USER32 ref: 0108D03D
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0108D05E
SendMessageW.USER32(?,0000110B,00000009,?), ref: 0108D06D
GetCursorPos.USER32(?), ref: 0108D08D
ScreenToClient.USER32(?,?), ref: 0108D09A
GetParent.USER32(?), ref: 0108D0BA
SendMessageW.USER32(?,00001012,00000000,?), ref: 0108D123
SendMessageW.USER32 ref: 0108D154
ClientToScreen.USER32(?,?), ref: 0108D1B2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0108D1E2
SendMessageW.USER32(?,00001111,00000000,?), ref: 0108D20C
SendMessageW.USER32 ref: 0108D22F
ClientToScreen.USER32(?,?), ref: 0108D281
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0108D2B5

Part of subcall function 010025DB: GetWindowLongW.USER32(?,000000EB), ref: 010025EC

GetWindowLongW.USER32(?,000000F0), ref: 0108D351

Strings

@GUI_DRAGID, xrefs: 0108CE9C
F, xrefs: 0108D235
@U=u, xrefs: 0108CB95, 0108CC00, 0108CC29, 0108CCD9, 0108CD0C, 0108CD33, 0108CE37, 0108CFA3, 0108CFD1, 0108D00E, 0108D03D, 0108D123, 0108D154, 0108D20C, 0108D22F

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$@U=u$F
API String ID: 3977979337-1007936534
Opcode ID: 9f9377816abecbed9cb70750202bc7057a7a59bc686c6204b39e62cb97ab861f
Instruction ID: 824a040f9e4f32c3534b1b4eb2c80e22d1a1f7d1365fe71065414ed52cf60364
Opcode Fuzzy Hash: 9f9377816abecbed9cb70750202bc7057a7a59bc686c6204b39e62cb97ab861f
Instruction Fuzzy Hash: B042AD74208641AFE721EF28C948AAABFF5FF48314F140659F6D9972A0C732E854DF61

Function 01016F9E Relevance: 48.8, APIs: 19, Strings: 6, Instructions: 5018COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 010171C3
_memset.LIBCMT ref: 01017539
_memmove.LIBCMT ref: 010176AC

Strings

\b(?=\w), xrefs: 01053769
DEFINE, xrefs: 01052103
\b(?<=\w), xrefs: 01053773
[:<:]], xrefs: 01017479
[:>:]], xrefs: 01017492
Q\E, xrefs: 01017FCB

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: _memmove$_memset
String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
API String ID: 1357608183-1798697756
Opcode ID: 645c00b05ec617e209f2250526e34ecb52cc52a49f7c3c274d4aa3fd57f96f5f
Instruction ID: b72b1826d6cf4d22aad3ce71ab2c81f25999bd049be988332187cb09f8547e65
Opcode Fuzzy Hash: 645c00b05ec617e209f2250526e34ecb52cc52a49f7c3c274d4aa3fd57f96f5f
Instruction Fuzzy Hash: 6C939375E00219DBDB65CF98C8817AEBBF1FF48310F1481AAED85EB285E7749981CB50

Function 010048D7 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 010048DF
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0103D665
IsIconic.USER32(?), ref: 0103D66E
ShowWindow.USER32(?,00000009), ref: 0103D67B
SetForegroundWindow.USER32(?), ref: 0103D685
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0103D69B
GetCurrentThreadId.KERNEL32 ref: 0103D6A2
GetWindowThreadProcessId.USER32(?,00000000), ref: 0103D6AE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0103D6BF
AttachThreadInput.USER32(?,00000000,00000001), ref: 0103D6C7
AttachThreadInput.USER32(00000000,?,00000001), ref: 0103D6CF
SetForegroundWindow.USER32(?), ref: 0103D6D2
MapVirtualKeyW.USER32(00000012,00000000), ref: 0103D6E7
keybd_event.USER32(00000012,00000000), ref: 0103D6F2
MapVirtualKeyW.USER32(00000012,00000000), ref: 0103D6FC
keybd_event.USER32(00000012,00000000), ref: 0103D701
MapVirtualKeyW.USER32(00000012,00000000), ref: 0103D70A
keybd_event.USER32(00000012,00000000), ref: 0103D70F
MapVirtualKeyW.USER32(00000012,00000000), ref: 0103D719
keybd_event.USER32(00000012,00000000), ref: 0103D71E
SetForegroundWindow.USER32(?), ref: 0103D721
AttachThreadInput.USER32(?,?,00000000), ref: 0103D748

Strings

Shell_TrayWnd, xrefs: 0103D660

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 643f6d00ef5e338cf3c32100da3630640eb3962056316fd4850917e1ca15943b
Instruction ID: 482fcefd514e1fd71f6fb21df6b5a613d40af809deae1257ee3e19e04010e5cd
Opcode Fuzzy Hash: 643f6d00ef5e338cf3c32100da3630640eb3962056316fd4850917e1ca15943b
Instruction Fuzzy Hash: 16319371A403187AEB312BB19C49F7F3E6CEB84B50F104025FA84EA1C1D6B55910ABA0

Function 01058310 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 010587E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0105882B
Part of subcall function 010587E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 01058858
Part of subcall function 010587E1: GetLastError.KERNEL32 ref: 01058865

_memset.LIBCMT ref: 01058353
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 010583A5
CloseHandle.KERNEL32(?), ref: 010583B6
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 010583CD
GetProcessWindowStation.USER32 ref: 010583E6
SetProcessWindowStation.USER32(00000000), ref: 010583F0
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0105840A

Part of subcall function 010581CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,01058309), ref: 010581E0
Part of subcall function 010581CB: CloseHandle.KERNEL32(?,?,01058309), ref: 010581F2

Strings

winsta0, xrefs: 010583C8
, xrefs: 01058362
default, xrefs: 01058405

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: b3da6cb76a65c9079bde0c0d4610efc4f71abc0c6bcecc6365bee0f587c6c82f
Instruction ID: 1eb76ea2fbdd507f6abd203bbdb687bf39af22d0f8b3236371df70d89fb6db4b
Opcode Fuzzy Hash: b3da6cb76a65c9079bde0c0d4610efc4f71abc0c6bcecc6365bee0f587c6c82f
Instruction Fuzzy Hash: 56814F7190020AAFEF919FA5DC44AEF7FB9FF08308F14819AFD94A6164D7358A54DB20

Function 0106C75C Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0106C78D
FindClose.KERNEL32(00000000), ref: 0106C7E1
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0106C806
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0106C81D
FileTimeToSystemTime.KERNEL32(?,?), ref: 0106C844
__swprintf.LIBCMT ref: 0106C890
__swprintf.LIBCMT ref: 0106C8D3

Part of subcall function 01007DE1: _memmove.LIBCMT ref: 01007E22

__swprintf.LIBCMT ref: 0106C927

Part of subcall function 01023698: __woutput_l.LIBCMT ref: 010236F1

__swprintf.LIBCMT ref: 0106C975

Part of subcall function 01023698: __flsbuf.LIBCMT ref: 01023713
Part of subcall function 01023698: __flsbuf.LIBCMT ref: 0102372B

__swprintf.LIBCMT ref: 0106C9C4
__swprintf.LIBCMT ref: 0106CA13
__swprintf.LIBCMT ref: 0106CA62

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 0106C88A
%4d, xrefs: 0106C8CD
%02d, xrefs: 0106C91B, 0106C925, 0106C973, 0106C9C2, 0106CA11, 0106CA60

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 6c5dc98832495c35f015edd3ad7b52b82c81ca7dae75cb900f7c2e51d0a4c2b1
Instruction ID: b1403778d14d100b290f553b9d940b1307eeea0f441234feac92f0f1b0c2462d
Opcode Fuzzy Hash: 6c5dc98832495c35f015edd3ad7b52b82c81ca7dae75cb900f7c2e51d0a4c2b1
Instruction Fuzzy Hash: 36A12FB1404346AFE711EFA4C984DEFB7ECBFA8704F40491AF5D586191EA35DA08CB62

Function 0106EF95 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76F88FB0,?,00000000), ref: 0106EFB6
_wcscmp.LIBCMT ref: 0106EFCB
_wcscmp.LIBCMT ref: 0106EFE2
GetFileAttributesW.KERNEL32(?), ref: 0106EFF4
SetFileAttributesW.KERNEL32(?,?), ref: 0106F00E
FindNextFileW.KERNEL32(00000000,?), ref: 0106F026
FindClose.KERNEL32(00000000), ref: 0106F031
FindFirstFileW.KERNEL32(*.*,?), ref: 0106F04D
_wcscmp.LIBCMT ref: 0106F074
_wcscmp.LIBCMT ref: 0106F08B
SetCurrentDirectoryW.KERNEL32(?), ref: 0106F09D
SetCurrentDirectoryW.KERNEL32(010B8920), ref: 0106F0BB
FindNextFileW.KERNEL32(00000000,00000010), ref: 0106F0C5
FindClose.KERNEL32(00000000), ref: 0106F0D2
FindClose.KERNEL32(00000000), ref: 0106F0E4

Strings

*.*, xrefs: 0106F048

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: f44771763de84a64c68dfef7d57083ede5140d102311504336874d092d10d8a3
Instruction ID: f4e3926e718c702e8475ede5783a51ecd860f3221bed10a9dafb1e68f8cebea1
Opcode Fuzzy Hash: f44771763de84a64c68dfef7d57083ede5140d102311504336874d092d10d8a3
Instruction Fuzzy Hash: AE31A53250521A7AEB24EFB4EC58ADE77EC9F48260F144196F9C4D2050DB75DA84CB61

Function 01080857 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 01080953
RegCreateKeyExW.ADVAPI32(?,?,00000000,0108F910,00000000,?,00000000,?,?), ref: 010809C1
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 01080A09
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 01080A92
RegCloseKey.ADVAPI32(?), ref: 01080DB2
RegCloseKey.ADVAPI32(00000000), ref: 01080DBF

Strings

REG_DWORD, xrefs: 01080C83
REG_BINARY, xrefs: 01080D4D
REG_EXPAND_SZ, xrefs: 01080A2F
REG_MULTI_SZ, xrefs: 01080B7A
REG_QWORD, xrefs: 01080D00
REG_SZ, xrefs: 01080AD0

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 8e4a53f7772b37eefd09aeeced205a7a87c50297f83b29727974f84503346f64
Instruction ID: 63821114593c9da23de33fa12462db73944e0c69f418334aef9adb554c26f2a6
Opcode Fuzzy Hash: 8e4a53f7772b37eefd09aeeced205a7a87c50297f83b29727974f84503346f64
Instruction Fuzzy Hash: 3C0255756046129FDB55EF28C880E6AB7E5EF88724F04845CF9DA9B3A1CB30ED45CB81

Function 0106F0F2 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76F88FB0,?,00000000), ref: 0106F113
_wcscmp.LIBCMT ref: 0106F128
_wcscmp.LIBCMT ref: 0106F13F

Part of subcall function 01064385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 010643A0

FindNextFileW.KERNEL32(00000000,?), ref: 0106F16E
FindClose.KERNEL32(00000000), ref: 0106F179
FindFirstFileW.KERNEL32(*.*,?), ref: 0106F195
_wcscmp.LIBCMT ref: 0106F1BC
_wcscmp.LIBCMT ref: 0106F1D3
SetCurrentDirectoryW.KERNEL32(?), ref: 0106F1E5
SetCurrentDirectoryW.KERNEL32(010B8920), ref: 0106F203
FindNextFileW.KERNEL32(00000000,00000010), ref: 0106F20D
FindClose.KERNEL32(00000000), ref: 0106F21A
FindClose.KERNEL32(00000000), ref: 0106F22C

Strings

*.*, xrefs: 0106F190

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 0bf50504d8b541c09987c546cdb3279887f41948d632d43a59fe99f0e081b84e
Instruction ID: 1ffc16e3520e5866ea156cb6940f92d3984902f7baf85f65bbcfd42781345450
Opcode Fuzzy Hash: 0bf50504d8b541c09987c546cdb3279887f41948d632d43a59fe99f0e081b84e
Instruction Fuzzy Hash: 4731263650021B7AEF20EEB8FC68EDE77AC9F49260F104195E9C4E6090DB35DA84CF64

Function 0106A1EF Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0106A20F
__swprintf.LIBCMT ref: 0106A231
CreateDirectoryW.KERNEL32(?,00000000), ref: 0106A26E
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0106A293
_memset.LIBCMT ref: 0106A2B2
_wcsncpy.LIBCMT ref: 0106A2EE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0106A323
CloseHandle.KERNEL32(00000000), ref: 0106A32E
RemoveDirectoryW.KERNEL32(?), ref: 0106A337
CloseHandle.KERNEL32(00000000), ref: 0106A341

Strings

\??\%s, xrefs: 0106A22B
:, xrefs: 0106A252
\, xrefs: 0106A247

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: a88a43a966cec4b0b195c1c80f36b20c8577f55273efb17f0e6bbe964d5430ec
Instruction ID: b2dee37aead6ec0149e67f9f57acd53c3d8062f053f2842c66cdaf105529a34c
Opcode Fuzzy Hash: a88a43a966cec4b0b195c1c80f36b20c8577f55273efb17f0e6bbe964d5430ec
Instruction Fuzzy Hash: C931B47160411AABDB21EFA4DC48FEF77BCEF89740F1041B6F688E6150E77592448B24

Function 010166E1 Relevance: 18.4, Strings: 14, Instructions: 889COMMON

Download Yara Rule

Strings

NO_START_OPT), xrefs: 0105114F
UTF), xrefs: 010510FA
LIMIT_MATCH=, xrefs: 01051170
BSR_UNICODE), xrefs: 01051338
UCP), xrefs: 0105110D
NO_AUTO_POSSESS), xrefs: 0105112E
CRLF), xrefs: 010512C1
ANYCRLF), xrefs: 010512FB
LIMIT_RECURSION=, xrefs: 010511FC
UTF16), xrefs: 010510CF
ANY), xrefs: 010512DE
LF), xrefs: 010512A4
CR), xrefs: 01051287
BSR_ANYCRLF), xrefs: 0105131E

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
API String ID: 0-4052911093
Opcode ID: b8ff8fdd3bc3889d45c29cbf68e0c3b7f3914d511bacdb566d502db56bad3bc6
Instruction ID: 12103731988928a5edb3d025c426e92386c1826f6985a74ac0d05e7d980e7d96
Opcode Fuzzy Hash: b8ff8fdd3bc3889d45c29cbf68e0c3b7f3914d511bacdb566d502db56bad3bc6
Instruction Fuzzy Hash: 0F72B1B5E00219CBDB54CF59C8807EEB7F5FF48310F1481AAE985EB285E7759A81CB90

Function 0106001C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 01060097
SetKeyboardState.USER32(?), ref: 01060102
GetAsyncKeyState.USER32(000000A0), ref: 01060122
GetKeyState.USER32(000000A0), ref: 01060139
GetAsyncKeyState.USER32(000000A1), ref: 01060168
GetKeyState.USER32(000000A1), ref: 01060179
GetAsyncKeyState.USER32(00000011), ref: 010601A5
GetKeyState.USER32(00000011), ref: 010601B3
GetAsyncKeyState.USER32(00000012), ref: 010601DC
GetKeyState.USER32(00000012), ref: 010601EA
GetAsyncKeyState.USER32(0000005B), ref: 01060213
GetKeyState.USER32(0000005B), ref: 01060221

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 0ed895b45e1af6a7d758d23c34f8094f4a90f4c47ef6e90b790eebc18092c7db
Instruction ID: e85794b0c61fa95e543640b97b7a7ea95c63433b771f3d6e1e60c39db6322a7c
Opcode Fuzzy Hash: 0ed895b45e1af6a7d758d23c34f8094f4a90f4c47ef6e90b790eebc18092c7db
Instruction Fuzzy Hash: D051093094478969FB75DBB888147EABFFC9F01280F0845DEE6C25A1C7DAA4978CC761

Function 010803DA Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 01080E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0107FDAD,?,?), ref: 01080E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 010804AC

Part of subcall function 01009837: __itow.LIBCMT ref: 01009862
Part of subcall function 01009837: __swprintf.LIBCMT ref: 010098AC

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0108054B
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 010805E3
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 01080822
RegCloseKey.ADVAPI32(00000000), ref: 0108082F

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 8a4f0966968944f1111c31a191b4ac138df2d1d86b0b9f13df6811d75130e07a
Instruction ID: 3a0243abcf1d76128ab8f0e9d05123bfc4cfedaad43c493bb08ca96a0b6e9b41
Opcode Fuzzy Hash: 8a4f0966968944f1111c31a191b4ac138df2d1d86b0b9f13df6811d75130e07a
Instruction Fuzzy Hash: 07E15D70608201AFDB15EF28C894D6ABBE4FF89714F04856DF8C9DB2A5DA31E905CB91

Function 01074164 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0107418B
EmptyClipboard.USER32 ref: 01074191
GlobalAlloc.KERNEL32(00000002,?), ref: 010741A6
CloseClipboard.USER32 ref: 01074245

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 7e1bbbff8979c3bd5376f0a247d3d658b7955d846107e35709a892faa1a1fe44
Instruction ID: 19dbd19b1b850b66ffc9eaf18bc542efcdffd87463b030de6dbe2aa80c4bec89
Opcode Fuzzy Hash: 7e1bbbff8979c3bd5376f0a247d3d658b7955d846107e35709a892faa1a1fe44
Instruction Fuzzy Hash: E6219F75704212DFDB21AF74EC08B6E7BA8EF14714F108019F9C6DB2A5DB36A911CB58

Function 010637EF Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 01004750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,01004743,?,?,010037AE,?), ref: 01004770

Part of subcall function 01064A31: GetFileAttributesW.KERNEL32(?,0106370B), ref: 01064A32

FindFirstFileW.KERNEL32(?,?), ref: 010638A3
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 0106394B
MoveFileW.KERNEL32(?,?), ref: 0106395E
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 0106397B
FindNextFileW.KERNEL32(00000000,00000010), ref: 0106399D
FindClose.KERNEL32(00000000,?,?,?,?), ref: 010639B9

Strings

\*.*, xrefs: 0106384E, 01063857, 0106386C

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: fae7e35ddb45217c5d6c4ffc36c12b8e58e85d8bae281809812873c6a4771073
Instruction ID: 638f08547ba161b448585e527ba92d07036dfe22af978bbf11244af2aafceb73
Opcode Fuzzy Hash: fae7e35ddb45217c5d6c4ffc36c12b8e58e85d8bae281809812873c6a4771073
Instruction Fuzzy Hash: A051843180114EAADF16EBA4D991DEDB7B8AF25204F6040A9D4C6BB1D0DF356F09CFA1

Function 0106F3F3 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 01007DE1: _memmove.LIBCMT ref: 01007E22

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0106F440
Sleep.KERNEL32(0000000A), ref: 0106F470
_wcscmp.LIBCMT ref: 0106F484
_wcscmp.LIBCMT ref: 0106F49F
FindNextFileW.KERNEL32(?,?), ref: 0106F53D
FindClose.KERNEL32(00000000), ref: 0106F553

Strings

*.*, xrefs: 0106F425

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: 3bc46bee170562a381da098b5a52e84c665a2a03a167c94be89ddb1f3130039a
Instruction ID: 7b65520a2f10ac38d2fafd26055dbfe51d28b689618e25dcd657c40dc69ac1db
Opcode Fuzzy Hash: 3bc46bee170562a381da098b5a52e84c665a2a03a167c94be89ddb1f3130039a
Instruction Fuzzy Hash: 6C418E7180421BAFDF51EF68DC54AEEBBB8FF15310F14409AE995A6190EB319E84CF50

Function 01015760 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 010158A5
_memmove.LIBCMT ref: 010158F5
_memmove.LIBCMT ref: 0101595B

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 1c5d6d70b2228553b1ef8db7757a7a27fc2e30ca9bac0a1a5b0cce67a448e110
Instruction ID: 8c3ff471d119004c9690a9d13036f31b7066b4580e6d78b49128e168eddc533a
Opcode Fuzzy Hash: 1c5d6d70b2228553b1ef8db7757a7a27fc2e30ca9bac0a1a5b0cce67a448e110
Instruction Fuzzy Hash: CF12C370A0020ADFDF54DFA5D981AEEB7F5FF48300F104569E885EB294EB3AA910CB51

Function 01063B12 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 01004750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,01004743,?,?,010037AE,?), ref: 01004770

Part of subcall function 01064A31: GetFileAttributesW.KERNEL32(?,0106370B), ref: 01064A32

FindFirstFileW.KERNEL32(?,?), ref: 01063B89
DeleteFileW.KERNEL32(?,?,?,?), ref: 01063BD9
FindNextFileW.KERNEL32(00000000,00000010), ref: 01063BEA
FindClose.KERNEL32(00000000), ref: 01063C01
FindClose.KERNEL32(00000000), ref: 01063C0A

Strings

\*.*, xrefs: 01063B5B

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 1186bdc4ca0628032ae67d18c79ee4d4264496cb23d5f5bbbca17ea60b3ea63e
Instruction ID: 30e51c72728f3b02d93c83508dac1997d10b520d50508f4ef5d43ca6d89c391e
Opcode Fuzzy Hash: 1186bdc4ca0628032ae67d18c79ee4d4264496cb23d5f5bbbca17ea60b3ea63e
Instruction Fuzzy Hash: 03316F310083869BD202EF24D8908EFB7ECBEA5214F404D1DF5D9861D1EB25A909CB97

Function 010651BD Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 010587E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0105882B
Part of subcall function 010587E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 01058858
Part of subcall function 010587E1: GetLastError.KERNEL32 ref: 01058865

ExitWindowsEx.USER32(?,00000000), ref: 010651F9

Strings

SeShutdownPrivilege, xrefs: 010651C9
, xrefs: 010651E7
@, xrefs: 010651EC

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: feb6d1a70145165510d17ebfc503c9f8e647b6f5e908f5660c48026667f888c1
Instruction ID: 3d098a8ceb2cf6735ce8f057108fd190db13723f3621f59b66ae75691ef980ba
Opcode Fuzzy Hash: feb6d1a70145165510d17ebfc503c9f8e647b6f5e908f5660c48026667f888c1
Instruction Fuzzy Hash: 2B01D4316952136AF7686278AC9AFBF769CAB062C0F100465FEC3E60C1D5555C008690

Function 01076283 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 010762DC
WSAGetLastError.WSOCK32(00000000), ref: 010762EB
bind.WSOCK32(00000000,?,00000010), ref: 01076307
listen.WSOCK32(00000000,00000005), ref: 01076316
WSAGetLastError.WSOCK32(00000000), ref: 01076330
closesocket.WSOCK32(00000000,00000000), ref: 01076344

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 1841a045e7b28336c1696f6b8daa1b0c2b59a1b249612dc9514b6de2800452ed
Instruction ID: 96a651d390d68487a10146505ee2cab00518bda43f334ecf8e2f09dd3d34d730
Opcode Fuzzy Hash: 1841a045e7b28336c1696f6b8daa1b0c2b59a1b249612dc9514b6de2800452ed
Instruction Fuzzy Hash: F521D275600601DFEB10EF68C844A6EBBE9EF44724F148158E9D6E73D1CB71AD01CB51

Function 01015520 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 01020DB6: std::exception::exception.LIBCMT ref: 01020DEC
Part of subcall function 01020DB6: __CxxThrowException@8.LIBCMT ref: 01020E01

_memmove.LIBCMT ref: 01050258
_memmove.LIBCMT ref: 0105036D
_memmove.LIBCMT ref: 01050414

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: e6615cc178f4cc5035f7f53246a3bedc4d0fee701b245e0bf83766e1c7d2eb4b
Instruction ID: 0c4365e2917123af7c5e5eab9220f174c5588aa58fa555afb66ec25701b9a5ac
Opcode Fuzzy Hash: e6615cc178f4cc5035f7f53246a3bedc4d0fee701b245e0bf83766e1c7d2eb4b
Instruction Fuzzy Hash: D0029270A00206DBDF45DF68D981AAE7BF5FF84304F1480A9E886DB299EB35D950CB91

Function 01001287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 01002612: GetWindowLongW.USER32(?,000000EB), ref: 01002623

DefDlgProcW.USER32(?,?,?,?,?), ref: 010019FA
GetSysColor.USER32(0000000F), ref: 01001A4E
SetBkColor.GDI32(?,00000000), ref: 01001A61

Part of subcall function 01001290: DefDlgProcW.USER32(?,00000020,?), ref: 010012D8

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: 567f1a55ef28feb0687e7ac6f2a1e31971b252850d22784fc9a626974e501ace
Instruction ID: 4603ec378b5d8958278baf1083126b034230931f97c3129f02c37f236f2f1c77
Opcode Fuzzy Hash: 567f1a55ef28feb0687e7ac6f2a1e31971b252850d22784fc9a626974e501ace
Instruction Fuzzy Hash: 92A13671204945BEF67BAB6C9C48EBF39DCEB8B345F04025AF5C2D61C1CA35D98186B2

Function 01076747 Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 01077D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 01077DB6

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0107679E
WSAGetLastError.WSOCK32(00000000), ref: 010767C7
bind.WSOCK32(00000000,?,00000010), ref: 01076800
WSAGetLastError.WSOCK32(00000000), ref: 0107680D
closesocket.WSOCK32(00000000,00000000), ref: 01076821

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: b28df317ec171bba49ca5a1c8481e425d64bf0e8f988d45dd45b862512baf312
Instruction ID: 8e6fe4951e42933a74381a0ee76156dd13416431ceed7c6c8c48d910e87fc3e2
Opcode Fuzzy Hash: b28df317ec171bba49ca5a1c8481e425d64bf0e8f988d45dd45b862512baf312
Instruction Fuzzy Hash: BE411575A00611AFFB51BF248885FAE77E8EF14714F048159FACAAB3C2CA709E008791

Function 01085376 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 010853C5
IsWindowEnabled.USER32 ref: 010853D3
GetForegroundWindow.USER32(?,?,00000001), ref: 010853E0
IsIconic.USER32 ref: 010853EE
IsZoomed.USER32 ref: 010853FC

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 81682dc465e1669cde64223f42ab283910b3e6703abfabb7c18ba6d0701508ca
Instruction ID: 92ff660a070de4890ef02b3e91b7beb5b4354e28458d71ac64c7b8cf1f7cffe1
Opcode Fuzzy Hash: 81682dc465e1669cde64223f42ab283910b3e6703abfabb7c18ba6d0701508ca
Instruction Fuzzy Hash: 8F110431308512AFEB227F3ADC44A6E7BD8FF44261F408028E9C5D3280CB74D90187A0

Function 0105810A Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 01058121
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0105812B
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0105813A
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 01058141
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 01058157

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: e8fd43a4baa793c9bc1636e9e7e42a21f8497842e87d84abf86e8afc2d33d43c
Instruction ID: c35667b2372697d0ab1f54855a01b7b1e9db538dc1843685e633c7ba226f266a
Opcode Fuzzy Hash: e8fd43a4baa793c9bc1636e9e7e42a21f8497842e87d84abf86e8afc2d33d43c
Instruction Fuzzy Hash: 6FF06271204305AFEBA11FBAEC88E6B3BACFF4A654B104056FDC5C6140EB669951DB60

Function 0106C397 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0106C432
CoCreateInstance.OLE32(01092D6C,00000000,00000001,01092BDC,?), ref: 0106C44A

Part of subcall function 01007DE1: _memmove.LIBCMT ref: 01007E22

CoUninitialize.OLE32 ref: 0106C6B7

Strings

.lnk, xrefs: 0106C3C6, 0106C3EE, 0106C3F8

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: 66c76e136a340482f30e31c264b55a842a703cc226324067aeb0be785d537795
Instruction ID: a9569ee13640a9f5c74a146db8d9d97d633e7664442a90e7446ed73809f8058a
Opcode Fuzzy Hash: 66c76e136a340482f30e31c264b55a842a703cc226324067aeb0be785d537795
Instruction Fuzzy Hash: 42A12CB1104206AFE701EF54C880EABB7ECFF95358F00491DF5999B191DB71EA49CB62

Function 01004B37 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,01004AD0), ref: 01004B45
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 01004B57

Strings

kernel32.dll, xrefs: 01004B40
GetNativeSystemInfo, xrefs: 01004B51

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: d98d808f9f49e0a103143c2392c652693a1160b82be5d08d7c8abc86c817e12a
Instruction ID: 2ec5156d0fbd11d04baf71e85cb21c124e8211b4d4438bb5d5f492847046568b
Opcode Fuzzy Hash: d98d808f9f49e0a103143c2392c652693a1160b82be5d08d7c8abc86c817e12a
Instruction Fuzzy Hash: 7FD01234A14B13CFEB21AF36D828B0676D4AF45651F11886D95C5D6140D678D480C758

Function 01013030 Relevance: 6.6, APIs: 4, Instructions: 587COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: b2a85317a7918bde48ad64d802101a719f50fb1bdd04d0a9fdc1e123a005a32d
Instruction ID: a2ca04f9c95997042f198f1315a44bc4b5ba691deec79b2d687d343b12ce91e1
Opcode Fuzzy Hash: b2a85317a7918bde48ad64d802101a719f50fb1bdd04d0a9fdc1e123a005a32d
Instruction Fuzzy Hash: B722ACB16083028FD725DF14C880BAFB7E4BF95314F00492DE9DA9B291EB35E904CB92

Function 0107EE0D Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0107EE3D
Process32FirstW.KERNEL32(00000000,?), ref: 0107EE4B

Part of subcall function 01007DE1: _memmove.LIBCMT ref: 01007E22

Process32NextW.KERNEL32(00000000,?), ref: 0107EF0B
CloseHandle.KERNEL32(00000000,?,?,?), ref: 0107EF1A

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: f01f66b54f100191a8cfbcbda5a9f35c32695701606673d52b5b2593efdcf19e
Instruction ID: 91a398b1b970d79215feb42b1ac8f0e095fbe9396fdbff6fe34a7502d9b9c66d
Opcode Fuzzy Hash: f01f66b54f100191a8cfbcbda5a9f35c32695701606673d52b5b2593efdcf19e
Instruction Fuzzy Hash: E1516D71504302AFE721EF24DC80EABB7E8EF98714F50491DF5D5972A1EB70A904CB92

Function 0105E616 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 0105E628

Strings

|, xrefs: 0105E658
(, xrefs: 0105E66E

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: c267c243f9231c6ec6a91996b1842d0e37238edfdd60a95274e94737b80dbe27
Instruction ID: b6e7504b6434aa2e98bf353f3c8af034f91d946e18a7bcd442d2933a1b615ff2
Opcode Fuzzy Hash: c267c243f9231c6ec6a91996b1842d0e37238edfdd60a95274e94737b80dbe27
Instruction Fuzzy Hash: 4B321675A007059FD768CF29C4809AAF7F1FF48310B15C5AEE99ADB3A1D770A941CB50

Function 010722EE Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0107180A,00000000), ref: 010723E1
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 01072418

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 7eb2ed3eabcf2a8267e4f8c6202f3fac749f9c7dabe5628ef60f5c5d099ed979
Instruction ID: 9e81ffa9e9e55f45b0f80d47e2b9aa4a9184c301d55b5a6465232c8e43a2eba8
Opcode Fuzzy Hash: 7eb2ed3eabcf2a8267e4f8c6202f3fac749f9c7dabe5628ef60f5c5d099ed979
Instruction Fuzzy Hash: 80419471D0420ABFEB20DE99DD84FBFB7FCEB40614F10806AF6C5A6141DB719E419658

Function 0106B333 Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0106B343
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0106B39D
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0106B3EA

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 56de3470552a6b9182ca8ca4165678f98ed23e202e992363eb347b400e3b3aef
Instruction ID: 4f18475003fe1282c8c8142cfccd2266118737ec91cc6b07ceda78dfa43fa563
Opcode Fuzzy Hash: 56de3470552a6b9182ca8ca4165678f98ed23e202e992363eb347b400e3b3aef
Instruction Fuzzy Hash: 52217175A00119EFDF00EFA5D880AEEBBB8FF49314F048099E985EB355CB319915CB50

Function 010587E1 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 01020DB6: std::exception::exception.LIBCMT ref: 01020DEC
Part of subcall function 01020DB6: __CxxThrowException@8.LIBCMT ref: 01020E01

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0105882B
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 01058858
GetLastError.KERNEL32 ref: 01058865

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: d613b841334b74cb79995d068a69c29bfdfe460b894b7889b53da6f0682f7ad5
Instruction ID: 2ca9ac512d50d4ca52cd60cab0bf796c2dd8e2eff96fe2de752b3d196bccd4f6
Opcode Fuzzy Hash: d613b841334b74cb79995d068a69c29bfdfe460b894b7889b53da6f0682f7ad5
Instruction Fuzzy Hash: EB116DB2414306AFE728DF64EC85D7BB7E8EB44714B20C52EF89597240EA31A8418B60

Function 0105874B Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 01058774
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0105878B
FreeSid.ADVAPI32(?), ref: 0105879B

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 50583930b8ab16c8922e0f997d47ef57257fefc8ff5cab643db2427f32d0bf50
Instruction ID: fe691002162dbb85097bd7ba1eb5681af57af4c52c4e24cde6dba9527ddbdb5d
Opcode Fuzzy Hash: 50583930b8ab16c8922e0f997d47ef57257fefc8ff5cab643db2427f32d0bf50
Instruction Fuzzy Hash: DAF04975A1130DBFDF04DFF4DC89AAEBBBCEF08201F1044A9AA41E2180E7756A148B50

Function 0106C6D1 Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0106C6FB
FindClose.KERNEL32(00000000), ref: 0106C72B

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: b0a0c40f0cb84cc4884ab25a42c5a441aa55ab88bcc056fdf043ae7d5e0ce177
Instruction ID: c40df29210e8a5a4d11f471a6dc986ba5def449a25f6e300bfbcf856ef4bbe8d
Opcode Fuzzy Hash: b0a0c40f0cb84cc4884ab25a42c5a441aa55ab88bcc056fdf043ae7d5e0ce177
Instruction Fuzzy Hash: B1118B726006019FEB10EF29C884A6AF7E8FF94224F00851EE8E9C7390DB34A901CB91

Function 0106A06A Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,01079468,?,0108FB84,?), ref: 0106A097
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,01079468,?,0108FB84,?), ref: 0106A0A9

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: eb102bee65344556431a16071d7dd1360264d59664b0982b591c222de353f00f
Instruction ID: 62e9fa3a426089c1cc4af87dfe364234d120f73f629fb0d1b0373a87cfbfce1a
Opcode Fuzzy Hash: eb102bee65344556431a16071d7dd1360264d59664b0982b591c222de353f00f
Instruction Fuzzy Hash: 62F0823520522EABEB21AEA4CC48FEE776CBF08361F008156F989D7181DA309540CBA1

Function 010581CB Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,01058309), ref: 010581E0
CloseHandle.KERNEL32(?,?,01058309), ref: 010581F2

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 13ca8194d3da42d4fda1bfbc552faaa34ac2b09e19a5ba300acf435af4152daa
Instruction ID: 65c93f217371b51198a39f1bc7f9627881864ab153de95bebc098487bc51ba09
Opcode Fuzzy Hash: 13ca8194d3da42d4fda1bfbc552faaa34ac2b09e19a5ba300acf435af4152daa
Instruction Fuzzy Hash: 85E0B672014622AEEB652B75EC08DB77BEEEB042107248869FDE684474DB62AC91DB10

Function 0102A155 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,01028D57,?,?,?,00000001), ref: 0102A15A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0102A163

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 430b28e024bb28d6273ec9c4568826ccbddfd510f099e8694233084be98b3ab8
Instruction ID: 5107e8936739212285fcf3ad3f66ec3fe70b449ebb5517456af7c771c771ef31
Opcode Fuzzy Hash: 430b28e024bb28d6273ec9c4568826ccbddfd510f099e8694233084be98b3ab8
Instruction Fuzzy Hash: 9AB0923125830AABCA102BA1E809B8C3F68EB46AA2F408010F68D84054CBE754508B91

Function 0102F1D9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33579b19d75b9344b021902bce7c72e552e2f3b9d41b669e03bc6f1056d30850
Instruction ID: e828c891a21bd30896a9f66c9e4e8e40f18809eb9a5338e37c22f8d6f25c0b64
Opcode Fuzzy Hash: 33579b19d75b9344b021902bce7c72e552e2f3b9d41b669e03bc6f1056d30850
Instruction Fuzzy Hash: 1D321532D29F124DD7739538D832335A698BFB73D4F15D727E899B59AAEB29C0834200

Function 0103242E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14b130d03247ed8b5ca619321063dc3d1e5145484334f9296c92edf1e11dc29a
Instruction ID: e514a8e27da57b2e7921f2ba12123dc6f4b33f41e9806b27e0ed3368c0bd92b8
Opcode Fuzzy Hash: 14b130d03247ed8b5ca619321063dc3d1e5145484334f9296c92edf1e11dc29a
Instruction Fuzzy Hash: F0B1EF30E2AF418DD62396398831336BA5CBFFB2C5B51D71BFCA675D16EB2685834240

Function 01068889 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 0106889B

Part of subcall function 0102520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,01068F6E,00000000,?,?,?,?,0106911F,00000000,?), ref: 01025213
Part of subcall function 0102520A: __aulldiv.LIBCMT ref: 01025233

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: 8a6ed2efe6cc83f7c3cb032f34428ff40ddb50f50f0b47e961b2825e08e732a6
Instruction ID: cc972cacaf4bfb636c14eb32bbcc09cc78557b053d1e93b4d174dbe2a21f2537
Opcode Fuzzy Hash: 8a6ed2efe6cc83f7c3cb032f34428ff40ddb50f50f0b47e961b2825e08e732a6
Instruction Fuzzy Hash: EF21AF326356108FC729CF29D440A92B3E5EBA5311F288E6DD1F5CB2C0CA36A905CF54

Function 01064C27 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 01064C4A

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: df6fb8c3d702005b36031dc1c1b7f81e2daec71a0acc7feccafb50c07ab97ff1
Instruction ID: 1837cf0e39ec5111d2927c867a0b082137e5848fa7c001f8aff8a122dca95ffb
Opcode Fuzzy Hash: df6fb8c3d702005b36031dc1c1b7f81e2daec71a0acc7feccafb50c07ab97ff1
Instruction Fuzzy Hash: AFD05EA116421E78FCEC0B249E2FFBE15CCE3006A2FC0918973C1CA2C9ECC058404130

Function 010587B1 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,01058389), ref: 010587D1

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 02993bd5e69a28f475d8a149a085573820e9c0e828c8c0f3dea4c164c8016180
Instruction ID: 36054ebc79a4039de2904233852a49155da0c315f68a5c5db48a9d970066ebae
Opcode Fuzzy Hash: 02993bd5e69a28f475d8a149a085573820e9c0e828c8c0f3dea4c164c8016180
Instruction Fuzzy Hash: 2CD05E3226450EAFEF018EA4DC01EAE3B69EB04B01F408111FE15D5090C776D835AF60

Function 0102A124 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 0102A12A

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 4a1ce117729e2ae14e425d9e293afabe7459a577003c6c55e908459c9e811e86
Instruction ID: 55025f9815af33771e176173192d4413d94895774797daeb13b3c88ef2db0ce0
Opcode Fuzzy Hash: 4a1ce117729e2ae14e425d9e293afabe7459a577003c6c55e908459c9e811e86
Instruction Fuzzy Hash: 3BA0123000410DA78A001A51E8044487F5CD6011907008010F44C80011C7B354104680

Function 01018808 Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df3c1f3ab018f1b86fa71c5795af8103d4fd93c1dd948bdf8e4e020c3d7455f7
Instruction ID: e771a66e24440ca4984f14b41b1f8e7aeab54d52dcd9af90b6e6964f8d376c13
Opcode Fuzzy Hash: df3c1f3ab018f1b86fa71c5795af8103d4fd93c1dd948bdf8e4e020c3d7455f7
Instruction Fuzzy Hash: 8C221831904106CBEFB98A5CC8946BD7BE1FB01344F58C0ABEBC6CB59AD7789A91C741

Function 010221C5 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 72d1efcdff19519abb30f75769ad079778fdc2e84bd633c1882c27f081515fdd
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 7BC192322051B34AEBAE567D843403EFEE15E926B131B47ADD8F3CB1D5EE20D169D620

Function 010225FA Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: e7b38bb6d821be94a47db050bb10981737393667d7f6a2a547fb430b90f2c4e1
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 54C164322091B34AEFAE567D843413EBEE15E926B131B07EDE4F2DB1D5EE20C525D620

Function 01021978 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: acbfe60ab08baee29b180d8475f81c6f32951e63c6101e7d731567b4113bc7e7
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: B2C160362051B349EFAE663D847413EBEE15E926B131B07ADD4F2CB1D5EE30C165C660

Function 01077806 Relevance: 79.2, APIs: 40, Strings: 5, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 0107785B
DeleteObject.GDI32(00000000), ref: 0107786D
DestroyWindow.USER32 ref: 0107787B
GetDesktopWindow.USER32 ref: 01077895
GetWindowRect.USER32(00000000), ref: 0107789C
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 010779DD
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 010779ED
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01077A35
GetClientRect.USER32(00000000,?), ref: 01077A41
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 01077A7B
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01077A9D
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01077AB0
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01077ABB
GlobalLock.KERNEL32(00000000), ref: 01077AC4
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01077AD3
GlobalUnlock.KERNEL32(00000000), ref: 01077ADC
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01077AE3
GlobalFree.KERNEL32(00000000), ref: 01077AEE
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01077B00
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,01092CAC,00000000), ref: 01077B16
GlobalFree.KERNEL32(00000000), ref: 01077B26
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 01077B4C
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 01077B6B
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01077B8D
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01077D7A

Strings

static, xrefs: 01077A75, 01077BCC
, xrefs: 01077D00
AutoIt v3, xrefs: 01077A2D
DISPLAY, xrefs: 01077BDD
@U=u, xrefs: 01077B6B, 01077CFA

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $@U=u$AutoIt v3$DISPLAY$static
API String ID: 2211948467-3613752883
Opcode ID: 1b68d30db18e4bc3fb88c53ebc5b75ae2184365ab58ff75d425fd47a2f3cdb8f
Instruction ID: be8cbc564312c19af1316e7cb83f2ed35c85112110a82ee99a47324cc90cf4a4
Opcode Fuzzy Hash: 1b68d30db18e4bc3fb88c53ebc5b75ae2184365ab58ff75d425fd47a2f3cdb8f
Instruction Fuzzy Hash: 0B027E71A00116EFDB24DFA8CD88EAE7BB9FF49354F148158F985AB291C735AD01CB60

Function 0108A5DA Relevance: 59.8, APIs: 33, Strings: 1, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0108A630
GetSysColorBrush.USER32(0000000F), ref: 0108A661
GetSysColor.USER32(0000000F), ref: 0108A66D
SetBkColor.GDI32(?,000000FF), ref: 0108A687
SelectObject.GDI32(?,00000000), ref: 0108A696
InflateRect.USER32(?,000000FF,000000FF), ref: 0108A6C1
GetSysColor.USER32(00000010), ref: 0108A6C9
CreateSolidBrush.GDI32(00000000), ref: 0108A6D0
FrameRect.USER32(?,?,00000000), ref: 0108A6DF
DeleteObject.GDI32(00000000), ref: 0108A6E6
InflateRect.USER32(?,000000FE,000000FE), ref: 0108A731
FillRect.USER32(?,?,00000000), ref: 0108A763
GetWindowLongW.USER32(?,000000F0), ref: 0108A78E

Part of subcall function 0108A8CA: GetSysColor.USER32(00000012), ref: 0108A903
Part of subcall function 0108A8CA: SetTextColor.GDI32(?,?), ref: 0108A907
Part of subcall function 0108A8CA: GetSysColorBrush.USER32(0000000F), ref: 0108A91D
Part of subcall function 0108A8CA: GetSysColor.USER32(0000000F), ref: 0108A928
Part of subcall function 0108A8CA: GetSysColor.USER32(00000011), ref: 0108A945
Part of subcall function 0108A8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0108A953
Part of subcall function 0108A8CA: SelectObject.GDI32(?,00000000), ref: 0108A964
Part of subcall function 0108A8CA: SetBkColor.GDI32(?,00000000), ref: 0108A96D
Part of subcall function 0108A8CA: SelectObject.GDI32(?,?), ref: 0108A97A
Part of subcall function 0108A8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 0108A999
Part of subcall function 0108A8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0108A9B0
Part of subcall function 0108A8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 0108A9C5
Part of subcall function 0108A8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0108A9ED

Strings

@U=u, xrefs: 0108A7B8

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID: @U=u
API String ID: 3521893082-2594219639
Opcode ID: 122867ff7da549e9ca4994b613e61bd5c6d10dd4d8d2df13f63baeed74991132
Instruction ID: 1b3fb790df38019188bb2ec7f8754d6de6f3013e0892513edb2bea117a0d7a5f
Opcode Fuzzy Hash: 122867ff7da549e9ca4994b613e61bd5c6d10dd4d8d2df13f63baeed74991132
Instruction Fuzzy Hash: DA917C7150C302EFDB21AF64DC08A5F7BA9FB89321F100B1AF6E296194D736D945CB61

Function 0108356B Relevance: 52.9, APIs: 6, Strings: 24, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,0108F910), ref: 01083627
IsWindowVisible.USER32(?), ref: 0108364B

Strings

EDITPASTE, xrefs: 0108395F
GETSELECTED, xrefs: 010838A3
GETCURRENTLINE, xrefs: 010838ED
GETCURRENTCOL, xrefs: 01083928
SELECTSTRING, xrefs: 01083806
CURRENTTAB, xrefs: 010836BD
TABRIGHT, xrefs: 0108369D
DELSTRING, xrefs: 01083749
ISVISIBLE, xrefs: 01083637
GETLINECOUNT, xrefs: 010838C6
SENDCOMMANDID, xrefs: 010839DA
ADDSTRING, xrefs: 01083716
FINDSTRING, xrefs: 01083776
ISENABLED, xrefs: 0108366B
UNCHECK, xrefs: 01083883
SETCURRENTSELECTION, xrefs: 010837B6
GETCURRENTSELECTION, xrefs: 010837E3
ISCHECKED, xrefs: 01083839
CHECK, xrefs: 0108386D
TABLEFT, xrefs: 01083687
HIDEDROPDOWN, xrefs: 01083700
GETLINE, xrefs: 0108399B
SHOWDROPDOWN, xrefs: 010836E0
@U=u, xrefs: 010838E3, 0108390A, 01083993

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: @U=u$ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-3469695742
Opcode ID: e874e34c25613a5cf3ff2f4c87397efe5d82be41b712fe9b471d33370615c92a
Instruction ID: 25cfb3cac203e7b1bae487e9c20c349d9f2a462dfd2810f4758ce872cf05250c
Opcode Fuzzy Hash: e874e34c25613a5cf3ff2f4c87397efe5d82be41b712fe9b471d33370615c92a
Instruction Fuzzy Hash: 0AD17F70208302DBDB04FF14C494AAEBBE5BFA5658F448558EDC65F3A2DB31E90ACB51

Function 01002C18 Relevance: 51.2, APIs: 27, Strings: 2, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 01002CA2
DeleteObject.GDI32(00000000), ref: 01002CE8
DeleteObject.GDI32(00000000), ref: 01002CF3
DestroyIcon.USER32(00000000,?,?,?), ref: 01002CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 01002D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 0103C43B
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0103C474
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0103C89D

Part of subcall function 01001B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,01002036,?,00000000,?,?,?,?,010016CB,00000000,?), ref: 01001B9A

SendMessageW.USER32(?,00001053), ref: 0103C8DA
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0103C8F1
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0103C907
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0103C912

Strings

0, xrefs: 0103C731
@U=u, xrefs: 0103C43B, 0103C542, 0103C81D

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0$@U=u
API String ID: 464785882-975001249
Opcode ID: ece6e6f34b7a48f472ac8d128d98d7adde9c4e30e92233555078729f41ea180c
Instruction ID: 47a87858a53f975c93a0681e2af288d57ae21b0092ccfc58ab03fe491ff0a7b9
Opcode Fuzzy Hash: ece6e6f34b7a48f472ac8d128d98d7adde9c4e30e92233555078729f41ea180c
Instruction Fuzzy Hash: A712C330604206DFFB62CF28C588BA97BE9FF85314F5445AAE9D5DB292C731E841CB51

Function 010774AB Relevance: 47.5, APIs: 22, Strings: 5, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 010774DE
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0107759D
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 010775DB
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 010775ED
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 01077633
GetClientRect.USER32(00000000,?), ref: 0107763F
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 01077683
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 01077692
GetStockObject.GDI32(00000011), ref: 010776A2
SelectObject.GDI32(00000000,00000000), ref: 010776A6
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 010776B6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 010776BF
DeleteDC.GDI32(00000000), ref: 010776C8
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 010776F4
SendMessageW.USER32(00000030,00000000,00000001), ref: 0107770B
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 01077746
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 0107775A
SendMessageW.USER32(00000404,00000001,00000000), ref: 0107776B
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 0107779B
GetStockObject.GDI32(00000011), ref: 010777A6
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 010777B1
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 010777BB

Strings

static, xrefs: 0107767D, 01077795
AutoIt v3, xrefs: 0107762B
DISPLAY, xrefs: 01077688
@U=u, xrefs: 010776FA
msctls_progress32, xrefs: 0107773C

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: @U=u$AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-2771358697
Opcode ID: 86104edd63d30b9f0ebd26f10e26e8b9d67dc71d518ef15775946970130f55ae
Instruction ID: a74f597dd9c100cf64c1ebebc7bd0aaf1d6d6020e89a87fbf5198aa9e2b5529f
Opcode Fuzzy Hash: 86104edd63d30b9f0ebd26f10e26e8b9d67dc71d518ef15775946970130f55ae
Instruction Fuzzy Hash: A6A150B1A40215BFEB24DBA4DC49FAE7BA9EB09714F008114FA95E72D0C775AD00CF64

Function 0108A8CA Relevance: 47.4, APIs: 26, Strings: 1, Instructions: 187windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 0108A903
SetTextColor.GDI32(?,?), ref: 0108A907
GetSysColorBrush.USER32(0000000F), ref: 0108A91D
GetSysColor.USER32(0000000F), ref: 0108A928
CreateSolidBrush.GDI32(?), ref: 0108A92D
GetSysColor.USER32(00000011), ref: 0108A945
CreatePen.GDI32(00000000,00000001,00743C00), ref: 0108A953
SelectObject.GDI32(?,00000000), ref: 0108A964
SetBkColor.GDI32(?,00000000), ref: 0108A96D
SelectObject.GDI32(?,?), ref: 0108A97A
InflateRect.USER32(?,000000FF,000000FF), ref: 0108A999
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0108A9B0
GetWindowLongW.USER32(00000000,000000F0), ref: 0108A9C5
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0108A9ED
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0108AA14
InflateRect.USER32(?,000000FD,000000FD), ref: 0108AA32
DrawFocusRect.USER32(?,?), ref: 0108AA3D
GetSysColor.USER32(00000011), ref: 0108AA4B
SetTextColor.GDI32(?,00000000), ref: 0108AA53
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0108AA67
SelectObject.GDI32(?,0108A5FA), ref: 0108AA7E
DeleteObject.GDI32(?), ref: 0108AA89
SelectObject.GDI32(?,?), ref: 0108AA8F
DeleteObject.GDI32(?), ref: 0108AA94
SetTextColor.GDI32(?,?), ref: 0108AA9A
SetBkColor.GDI32(?,?), ref: 0108AAA4

Strings

@U=u, xrefs: 0108A9ED

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID: @U=u
API String ID: 1996641542-2594219639
Opcode ID: 37d099dce45bbdc1bc0e20e20cb8602b22c8826c61530b3cdaf5ed6d0c5dbbea
Instruction ID: d8f1925691d5b591af23833477512395990b25e84db66fc4dc86526e3e51e8e9
Opcode Fuzzy Hash: 37d099dce45bbdc1bc0e20e20cb8602b22c8826c61530b3cdaf5ed6d0c5dbbea
Instruction Fuzzy Hash: 35515E71904209FFDF11AFB4DC48EAE7BB9EB08320F114215FA91AB295D7759940CF50

Function 0106AD10 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0106AD1E
GetDriveTypeW.KERNEL32(?,0108FAC0,?,\\.\,0108F910), ref: 0106ADFB
SetErrorMode.KERNEL32(00000000,0108FAC0,?,\\.\,0108F910), ref: 0106AF59

Strings

USB, xrefs: 0106AEF0
Network, xrefs: 0106AE39
RAMDisk, xrefs: 0106AE25
RAID, xrefs: 0106AEF7
FileBackedVirtual, xrefs: 0106AF28
\\.\, xrefs: 0106AD70
PhysicalDrive, xrefs: 0106ADA7
Fixed, xrefs: 0106AE43
ATAPI, xrefs: 0106AECD
SCSI, xrefs: 0106AEC6
ATA, xrefs: 0106AED4
Unknown, xrefs: 0106AE1B, 0106AEBF
MMC, xrefs: 0106AF1A
SSD, xrefs: 0106AE86
SSA, xrefs: 0106AEE2
Virtual, xrefs: 0106AF21
SATA, xrefs: 0106AF0C
Fibre, xrefs: 0106AEE9
iSCSI, xrefs: 0106AEFE
1394, xrefs: 0106AEDB
Removable, xrefs: 0106AE4D
CDROM, xrefs: 0106AE2F
SAS, xrefs: 0106AF05

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 85f52130fbe3afc1862da31866e1aaa2da861eeb0c1f54cae3662863bed14ab6
Instruction ID: c76ad7a53da083032dd58e08404a9c24dd5b9cada5362bf226886f3329063dcc
Opcode Fuzzy Hash: 85f52130fbe3afc1862da31866e1aaa2da861eeb0c1f54cae3662863bed14ab6
Instruction Fuzzy Hash: 7C51B3B0744206EB9B50FBA5C9D1DFDB7ECEF19604B10805AE4C7BB2E1D6319A41CB52

Function 01089A1C Relevance: 44.2, APIs: 23, Strings: 2, Instructions: 455windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 01089AD2
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 01089B8B
SendMessageW.USER32(?,00001102,00000002,?), ref: 01089BA7

Strings

0, xrefs: 01089BE4
@U=u, xrefs: 01089B8B, 01089BA7, 01089D23, 01089D56, 01089DB6, 01089E00, 01089E60, 01089E84, 01089F40

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0$@U=u
API String ID: 2326795674-975001249
Opcode ID: fbf141fdd3994c914e4d3bdee7ac7fbe24376cf40a21d233efb10cdcc1ad0b9d
Instruction ID: 45b37017355aa3aa332d47dec7a38ce9451890fa40c33ac3dbe60f611a939f9b
Opcode Fuzzy Hash: fbf141fdd3994c914e4d3bdee7ac7fbe24376cf40a21d233efb10cdcc1ad0b9d
Instruction Fuzzy Hash: 8D02BE3020C201AFE765AF28C848BBABFE5FF89318F04465DF6D5962A1C775D854CB51

Function 010068DC Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 01006931
__wcsnicmp.LIBCMT ref: 01006949
__wcsnicmp.LIBCMT ref: 01006961
__wcsnicmp.LIBCMT ref: 01006979
__wcsnicmp.LIBCMT ref: 01006991
__wcsnicmp.LIBCMT ref: 010069A9
__wcsnicmp.LIBCMT ref: 010069C1
__wcsnicmp.LIBCMT ref: 010069D5
__wcsnicmp.LIBCMT ref: 01006A16
__wcsnicmp.LIBCMT ref: 01006A2A
__wcsnicmp.LIBCMT ref: 01006A3E
__wcsnicmp.LIBCMT ref: 01006A52

Strings

#include, xrefs: 010069A3
Cannot parse #include, xrefs: 0103E3F0
#comments-start, xrefs: 010069BB, 01006A10
#requireadmin, xrefs: 0100695B
#include-once, xrefs: 0100698B
#ce, xrefs: 01006A4C
#notrayicon, xrefs: 01006943
#pragma compile, xrefs: 0100692B
#OnAutoItStartRegister, xrefs: 01006973
Bad directive syntax error, xrefs: 0103E31A
Unterminated group of comments, xrefs: 0103E403
#cs, xrefs: 010069CF, 01006A24
#comments-end, xrefs: 01006A38

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: d00ea8ddae0801a533192582faf621b74bccff79b6368188a6b864f9953a923b
Instruction ID: e0fb3f7c3aa5b8898157e1da5dfb080bc869daf659cd77acf66eeff95c52f0cd
Opcode Fuzzy Hash: d00ea8ddae0801a533192582faf621b74bccff79b6368188a6b864f9953a923b
Instruction Fuzzy Hash: 48813670200217BAEF22BA65DC41FEE37ADBF15600F044029FAC19E0D5EB62D955C6A1

Function 010889D5 Relevance: 40.7, APIs: 21, Strings: 2, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 01088AC1
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 01088AD2
CharNextW.USER32(0000014E), ref: 01088B01
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 01088B42
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 01088B58
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 01088B69
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 01088B86
SetWindowTextW.USER32(?,0000014E), ref: 01088BD8
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 01088BEE
SendMessageW.USER32(?,00001002,00000000,?), ref: 01088C1F
_memset.LIBCMT ref: 01088C44
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 01088C8D
_memset.LIBCMT ref: 01088CEC
SendMessageW.USER32(?,00001053,000000FF,?), ref: 01088D16
SendMessageW.USER32(?,00001074,?,00000001), ref: 01088D6E
SendMessageW.USER32(?,0000133D,?,?), ref: 01088E1B
InvalidateRect.USER32(?,00000000,00000001), ref: 01088E3D
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 01088E87
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 01088EB4
DrawMenuBar.USER32(?), ref: 01088EC3
SetWindowTextW.USER32(?,0000014E), ref: 01088EEB

Strings

0, xrefs: 01088E55
@U=u, xrefs: 01088AC1, 01088AD2, 01088B07, 01088B86, 01088BEE, 01088C1F, 01088C8D, 01088D16, 01088D6E, 01088E1B

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0$@U=u
API String ID: 1073566785-975001249
Opcode ID: d5dbc64d544a7fef64d1ee3a943626d7d20aadbbfdefda492424c5fa53dc903f
Instruction ID: 20679d69adc95bfdbe89a62c8826ae6ad4ef97169fb964a0cf9d4d83a8003857
Opcode Fuzzy Hash: d5dbc64d544a7fef64d1ee3a943626d7d20aadbbfdefda492424c5fa53dc903f
Instruction Fuzzy Hash: ADE18274908219AFEF20AF64CC84EEE7BB9FF09710F408196FAD5AA191D7759580CF60

Function 0108488F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 010849CA
GetDesktopWindow.USER32 ref: 010849DF
GetWindowRect.USER32(00000000), ref: 010849E6
GetWindowLongW.USER32(?,000000F0), ref: 01084A48
DestroyWindow.USER32(?), ref: 01084A74
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 01084A9D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 01084ABB
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 01084AE1
SendMessageW.USER32(?,00000421,?,?), ref: 01084AF6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 01084B09
IsWindowVisible.USER32(?), ref: 01084B29
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 01084B44
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 01084B58
GetWindowRect.USER32(?,?), ref: 01084B70
MonitorFromPoint.USER32(?,?,00000002), ref: 01084B96
GetMonitorInfoW.USER32(00000000,?), ref: 01084BB0
CopyRect.USER32(?,?), ref: 01084BC7
SendMessageW.USER32(?,00000412,00000000), ref: 01084C32

Strings

(, xrefs: 01084BA3
tooltips_class32, xrefs: 01084A96
0, xrefs: 01084975

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 932983ba963a5e6c83f67a46399a8870e67147e81ca26ce43aca93c48ed6ab62
Instruction ID: 7b5b47c4417cdce99b1378ec375c162fbd1a8ce23e007ff15e838f237ae3165f
Opcode Fuzzy Hash: 932983ba963a5e6c83f67a46399a8870e67147e81ca26ce43aca93c48ed6ab62
Instruction Fuzzy Hash: E1B18A70608342AFDB54EF68C844B6EBBE4BF88314F008A1CF5D99B291D771E905CB55

Function 0106449A Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 010644AC
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 010644D2
_wcscpy.LIBCMT ref: 01064500
_wcscmp.LIBCMT ref: 0106450B
_wcscat.LIBCMT ref: 01064521
_wcsstr.LIBCMT ref: 0106452C
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 01064548
_wcscat.LIBCMT ref: 01064591
_wcscat.LIBCMT ref: 01064598
_wcsncpy.LIBCMT ref: 010645C3

Strings

\VarFileInfo\Translation, xrefs: 01064540
DefaultLangCodepage, xrefs: 010645AB
%u.%u.%u.%u, xrefs: 01064626
StringFileInfo\, xrefs: 0106451B
04090000, xrefs: 0106457E

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: e475b1ec5d57f56aebe774860ef56a3424188fd294972fe081484e6b5cf54978
Instruction ID: 33999a544be52bd166546edaf72f2f77b98cd409e2178183a314e021035cc70d
Opcode Fuzzy Hash: e475b1ec5d57f56aebe774860ef56a3424188fd294972fe081484e6b5cf54978
Instruction Fuzzy Hash: 9D412971A003227BEB11FA75CC46EFF77ACEF55710F00405AF9C4EA181EB359A0186A6

Function 010027D9 Relevance: 35.3, APIs: 18, Strings: 2, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 010028BC
GetSystemMetrics.USER32(00000007), ref: 010028C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 010028EF
GetSystemMetrics.USER32(00000008), ref: 010028F7
GetSystemMetrics.USER32(00000004), ref: 0100291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 01002939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 01002949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0100297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 01002990
GetClientRect.USER32(00000000,000000FF), ref: 010029AE
GetStockObject.GDI32(00000011), ref: 010029CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 010029D5

Part of subcall function 01002344: GetCursorPos.USER32(?), ref: 01002357
Part of subcall function 01002344: ScreenToClient.USER32(010C57B0,?), ref: 01002374
Part of subcall function 01002344: GetAsyncKeyState.USER32(00000001), ref: 01002399
Part of subcall function 01002344: GetAsyncKeyState.USER32(00000002), ref: 010023A7

SetTimer.USER32(00000000,00000000,00000028,01001256), ref: 010029FC

Strings

AutoIt v3 GUI, xrefs: 01002974
@U=u, xrefs: 010029D5

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: @U=u$AutoIt v3 GUI
API String ID: 1458621304-2077007950
Opcode ID: 99473d645444a5b1f512e0f960f6db6a44e0df5b38d3622d361c82dae7c75f0e
Instruction ID: f512e7f707b18589bd6b9294b12c8c2335afa77facae1644f791083c77dee1a7
Opcode Fuzzy Hash: 99473d645444a5b1f512e0f960f6db6a44e0df5b38d3622d361c82dae7c75f0e
Instruction Fuzzy Hash: 8CB19E7460020AEFEB25DFA8D949BAE7BB4FB48314F104219FA95E72D4CB75A850CF50

Function 0108BA33 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 130filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 0108BA56
GetFileSize.KERNEL32(00000000,00000000), ref: 0108BA6D
GlobalAlloc.KERNEL32(00000002,00000000), ref: 0108BA78
CloseHandle.KERNEL32(00000000), ref: 0108BA85
GlobalLock.KERNEL32(00000000), ref: 0108BA8E
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0108BA9D
GlobalUnlock.KERNEL32(00000000), ref: 0108BAA6
CloseHandle.KERNEL32(00000000), ref: 0108BAAD
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 0108BABE
OleLoadPicture.OLEAUT32(?,00000000,00000000,01092CAC,?), ref: 0108BAD7
GlobalFree.KERNEL32(00000000), ref: 0108BAE7
GetObjectW.GDI32(?,00000018,000000FF), ref: 0108BB0B
CopyImage.USER32(?,00000000,?,?,00002000), ref: 0108BB36
DeleteObject.GDI32(00000000), ref: 0108BB5E
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0108BB74

Strings

@U=u, xrefs: 0108BB74

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID: @U=u
API String ID: 3840717409-2594219639
Opcode ID: 6db2479561a6786f62a12056425cd0560ea819303885969c96557376f5076918
Instruction ID: 0a0d7432e143431d7e576d02f4656e97b1dc51c008d637a8a6dca90e5ac2c9e5
Opcode Fuzzy Hash: 6db2479561a6786f62a12056425cd0560ea819303885969c96557376f5076918
Instruction Fuzzy Hash: 2A414875604209AFDB21AF69DC88EAEBBB8FF89711F104058F9C5D7254CB759901CB20

Function 0105A439 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0105A47A
__swprintf.LIBCMT ref: 0105A51B
_wcscmp.LIBCMT ref: 0105A52E
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0105A583
_wcscmp.LIBCMT ref: 0105A5BF
GetClassNameW.USER32(?,?,00000400), ref: 0105A5F6
GetDlgCtrlID.USER32(?), ref: 0105A648
GetWindowRect.USER32(?,?), ref: 0105A67E
GetParent.USER32(?), ref: 0105A69C
ScreenToClient.USER32(00000000), ref: 0105A6A3
GetClassNameW.USER32(?,?,00000100), ref: 0105A71D
_wcscmp.LIBCMT ref: 0105A731
GetWindowTextW.USER32(?,?,00000400), ref: 0105A757
_wcscmp.LIBCMT ref: 0105A76B

Part of subcall function 0102362C: _iswctype.LIBCMT ref: 01023634

Strings

%s%u, xrefs: 0105A515

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: 434a7cd9c4fd07c984f31710d2d0e19132ead42c8436cfef364105f8ab9ca7bd
Instruction ID: 3bc4e26e1aba8e8730b65082d502682d76e620ef8c0209738300e9f1e631dd93
Opcode Fuzzy Hash: 434a7cd9c4fd07c984f31710d2d0e19132ead42c8436cfef364105f8ab9ca7bd
Instruction Fuzzy Hash: FDA1A131304206EFDB95DE64C884BABBBE8FF48254F008619EDDAD7150DB34E955CBA1

Function 0105AED4 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 0105AF18
_wcscmp.LIBCMT ref: 0105AF29
GetWindowTextW.USER32(00000001,?,00000400), ref: 0105AF51
CharUpperBuffW.USER32(?,00000000), ref: 0105AF6E
_wcscmp.LIBCMT ref: 0105AF8C
_wcsstr.LIBCMT ref: 0105AF9D
GetClassNameW.USER32(00000018,?,00000400), ref: 0105AFD5
_wcscmp.LIBCMT ref: 0105AFE5
GetWindowTextW.USER32(00000002,?,00000400), ref: 0105B00C
GetClassNameW.USER32(00000018,?,00000400), ref: 0105B055
_wcscmp.LIBCMT ref: 0105B065
GetClassNameW.USER32(00000010,?,00000400), ref: 0105B08D
GetWindowRect.USER32(00000004,?), ref: 0105B0F6

Strings

ThumbnailClass, xrefs: 0105AFE0, 0105B060
@, xrefs: 0105AEF9

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 2e8b236d51fcd744e060ff5c58a2a455a9edc11972e834d76449c0d747e513bc
Instruction ID: 3e67176ca4a4d02f3552a9d645ee26a89e03592105c42a99afbe190c44aea0d3
Opcode Fuzzy Hash: 2e8b236d51fcd744e060ff5c58a2a455a9edc11972e834d76449c0d747e513bc
Instruction Fuzzy Hash: 2B81C3711082069FEB95DF28C884FAB7BD9FF44314F0485A9EEC58A095DB34E945CB61

Function 0108A1B9 Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0108A259
DestroyWindow.USER32(?,?), ref: 0108A2D3

Part of subcall function 01007BCC: _memmove.LIBCMT ref: 01007C06

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0108A34D
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0108A36F
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0108A382
DestroyWindow.USER32(00000000), ref: 0108A3A4
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,01000000,00000000), ref: 0108A3DB
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0108A3F4
GetDesktopWindow.USER32 ref: 0108A40D
GetWindowRect.USER32(00000000), ref: 0108A414
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0108A42C
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0108A444

Part of subcall function 010025DB: GetWindowLongW.USER32(?,000000EB), ref: 010025EC

Strings

0, xrefs: 0108A26F
tooltips_class32, xrefs: 0108A346, 0108A3D4
@U=u, xrefs: 0108A36F, 0108A382, 0108A3F4, 0108A41E

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$@U=u$tooltips_class32
API String ID: 1297703922-1130792468
Opcode ID: c1b5614401b3cd338bb1aabd3633f7d7d84c3b62873ae25e26814a0613a3c1c0
Instruction ID: cb84ad17fb06ec67f28b9310d2086c3c14fbf2403769a3ee4be8c7efc449da13
Opcode Fuzzy Hash: c1b5614401b3cd338bb1aabd3633f7d7d84c3b62873ae25e26814a0613a3c1c0
Instruction Fuzzy Hash: 8B71AC70245205AFEB21DF28CC48FAA7BE5FB88304F04455DFAC59B2A0DB75E906CB56

Function 0108C5FE Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 01002612: GetWindowLongW.USER32(?,000000EB), ref: 01002623

DragQueryPoint.SHELL32(?,?), ref: 0108C627

Part of subcall function 0108AB37: ClientToScreen.USER32(?,?), ref: 0108AB60
Part of subcall function 0108AB37: GetWindowRect.USER32(?,?), ref: 0108ABD6
Part of subcall function 0108AB37: PtInRect.USER32(?,?,0108C014), ref: 0108ABE6

SendMessageW.USER32(?,000000B0,?,?), ref: 0108C690
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0108C69B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0108C6BE
_wcscat.LIBCMT ref: 0108C6EE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 0108C705
SendMessageW.USER32(?,000000B0,?,?), ref: 0108C71E
SendMessageW.USER32(?,000000B1,?,?), ref: 0108C735
SendMessageW.USER32(?,000000B1,?,?), ref: 0108C757
DragFinish.SHELL32(?), ref: 0108C75E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0108C851

Strings

@GUI_DRAGID, xrefs: 0108C7C9
@GUI_DRAGFILE, xrefs: 0108C800
@GUI_DROPID, xrefs: 0108C77E
@U=u, xrefs: 0108C690, 0108C705, 0108C71E, 0108C735, 0108C757

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$@U=u
API String ID: 169749273-762882726
Opcode ID: 54f5a2bc78df0e4e25b99832944e8b2bfbe71b826ee0277698a7c95705a288a2
Instruction ID: 96a60c25eed4ebddb541ccd0e34e5c58a4d48c0e86a2af608190e1f14af8109b
Opcode Fuzzy Hash: 54f5a2bc78df0e4e25b99832944e8b2bfbe71b826ee0277698a7c95705a288a2
Instruction Fuzzy Hash: 35616A71108302AFD711EF64D884D9FBBF8EB98754F00091EF6D5962A0DB31AA49CB62

Function 0105ABD4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0105AC33

Strings

HANDLE=, xrefs: 0105AC2C
[HANDLE:, xrefs: 0105AC3F
[REGEXPTITLE:, xrefs: 0105AC5B
REGEXP=, xrefs: 0105AC48
LAST, xrefs: 0105ABF8
CLASSNAME=, xrefs: 0105AC70
[CLASS:, xrefs: 0105AC83
[ACTIVE, xrefs: 0105AC20
ALL, xrefs: 0105ACC7
[ALL, xrefs: 0105ACD9
ACTIVE, xrefs: 0105AC0E
[LAST, xrefs: 0105ACE0

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 17a2502faac2fe25c7acac62bed6a634d527d8d168b42fbcee58b274fa5c4315
Instruction ID: 7a0c465c7ed949cfba964fcabcc281ad75f6864c799b77c233668e184302d80c
Opcode Fuzzy Hash: 17a2502faac2fe25c7acac62bed6a634d527d8d168b42fbcee58b274fa5c4315
Instruction Fuzzy Hash: CF31C831A4020EEBEB96FA95DE42EEF7BA8AF60610F10056DE9C2760D0EF556F04C651

Function 01074FFD Relevance: 25.6, APIs: 17, Instructions: 110COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 01075013
LoadCursorW.USER32(00000000,00007F00), ref: 0107501E
LoadCursorW.USER32(00000000,00007F03), ref: 01075029
LoadCursorW.USER32(00000000,00007F8B), ref: 01075034
LoadCursorW.USER32(00000000,00007F01), ref: 0107503F
LoadCursorW.USER32(00000000,00007F81), ref: 0107504A
LoadCursorW.USER32(00000000,00007F88), ref: 01075055
LoadCursorW.USER32(00000000,00007F80), ref: 01075060
LoadCursorW.USER32(00000000,00007F86), ref: 0107506B
LoadCursorW.USER32(00000000,00007F83), ref: 01075076
LoadCursorW.USER32(00000000,00007F85), ref: 01075081
LoadCursorW.USER32(00000000,00007F82), ref: 0107508C
LoadCursorW.USER32(00000000,00007F84), ref: 01075097
LoadCursorW.USER32(00000000,00007F04), ref: 010750A2
LoadCursorW.USER32(00000000,00007F02), ref: 010750AD
LoadCursorW.USER32(00000000,00007F89), ref: 010750B8
GetCursorInfo.USER32(?), ref: 010750C8

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: ec4a2c2ed890a53fd39b04fa9613c5e505b8a61d2b35aa0b431004c761fc44ef
Instruction ID: 6f8e9a5679dee924a5c30e987f581e4c2acb8939e6f1f7d60b59bf63ddc3add5
Opcode Fuzzy Hash: ec4a2c2ed890a53fd39b04fa9613c5e505b8a61d2b35aa0b431004c761fc44ef
Instruction Fuzzy Hash: 873117B1D0831EAADF509FB68C8989EBFE8FF04750F50452AA54DE7280DA786500CF95

Function 01084392 Relevance: 24.8, APIs: 2, Strings: 12, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 01084424
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0108446F

Strings

GETSELECTED, xrefs: 0108457F
EXISTS, xrefs: 010844D8
EXPAND, xrefs: 01084521
GETTOTALCOUNT, xrefs: 01084456
UNCHECK, xrefs: 0108464B
ISCHECKED, xrefs: 010845F2
GETTEXT, xrefs: 010845C2
CHECK, xrefs: 0108448F
GETITEMCOUNT, xrefs: 01084551
COLLAPSE, xrefs: 010844B5
@U=u, xrefs: 0108446F
SELECT, xrefs: 01084620

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: @U=u$CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-383632319
Opcode ID: fb320e2b75e75d94d64e437b7f43dee8ad59cee02e75825c3ed9b5f8fc61d1fb
Instruction ID: c3e9b16e31ba62ec7ed78555ef6a855d29a9232fe24e5251eabc041b33400195
Opcode Fuzzy Hash: fb320e2b75e75d94d64e437b7f43dee8ad59cee02e75825c3ed9b5f8fc61d1fb
Instruction Fuzzy Hash: BA916270204312DFDB05EF14C490AAEB7E1BFA4658F44896CE8D69B7A2CB31ED45CB91

Function 0108B7FE Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0108B8B4
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,01086B11,?), ref: 0108B910
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0108B949
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 0108B98C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0108B9C3
FreeLibrary.KERNEL32(?), ref: 0108B9CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0108B9DF
DestroyIcon.USER32(?), ref: 0108B9EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0108BA0B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0108BA17

Part of subcall function 01022EFD: __wcsicmp_l.LIBCMT ref: 01022F86

Strings

.dll, xrefs: 0108B86D
.icl, xrefs: 0108B82A
@U=u, xrefs: 0108B9F7
.exe, xrefs: 0108B84A

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl$@U=u
API String ID: 1212759294-1639919054
Opcode ID: 883ceef7704a38acfbd87380a3fe429719a91a67741cdc209f642b078afcb472
Instruction ID: 7d355e3995356cb8c39ccac94101afda062fcbd15bdc1a7a138f38253153e51b
Opcode Fuzzy Hash: 883ceef7704a38acfbd87380a3fe429719a91a67741cdc209f642b078afcb472
Instruction Fuzzy Hash: 1C61BE71504216BAEB25EF68CD40FBE7BA8EB08721F104149F9D5D61C0DB759A90DBA0

Function 0106A352 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 01009837: __itow.LIBCMT ref: 01009862
Part of subcall function 01009837: __swprintf.LIBCMT ref: 010098AC

CharLowerBuffW.USER32(?,?), ref: 0106A3CB
GetDriveTypeW.KERNEL32 ref: 0106A418
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0106A460
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0106A497
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0106A4C5

Part of subcall function 01007BCC: _memmove.LIBCMT ref: 01007C06

Strings

closed, xrefs: 0106A3DF, 0106A3E8
set cd door , xrefs: 0106A466
wait, xrefs: 0106A482
type cdaudio alias cd wait, xrefs: 0106A443
close cd wait, xrefs: 0106A4B0
open , xrefs: 0106A427
open, xrefs: 0106A3F2
close, xrefs: 0106A3D1

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: 6453018c7b0ed3b417ab45ff60a3980e5cc4b1509c5b53fc9555096b96fb85b7
Instruction ID: 82c4cd3aad92969236ab1e63276d083636af02b64f4ca2a83a9557fd52c6985b
Opcode Fuzzy Hash: 6453018c7b0ed3b417ab45ff60a3980e5cc4b1509c5b53fc9555096b96fb85b7
Instruction Fuzzy Hash: 0B5140711043069FD701EF24C8909AEB7E8FF94618F04895DF8D9572A1DB31EE09CB52

Function 0105F8AA Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,0103E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 0105F8DF
LoadStringW.USER32(00000000,?,0103E029,00000001), ref: 0105F8E8

Part of subcall function 01007DE1: _memmove.LIBCMT ref: 01007E22

GetModuleHandleW.KERNEL32(00000000,010C5310,?,00000FFF,?,?,0103E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 0105F90A
LoadStringW.USER32(00000000,?,0103E029,00000001), ref: 0105F90D
__swprintf.LIBCMT ref: 0105F95D
__swprintf.LIBCMT ref: 0105F96E
_wprintf.LIBCMT ref: 0105FA17
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0105FA2E

Strings

^ ERROR, xrefs: 0105F9C3
Line %d (File "%s"):, xrefs: 0105F957
Line %d:, xrefs: 0105F968
%s (%d) : ==> %s: %s %s, xrefs: 0105FA12
Error: , xrefs: 0105F9E5

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: 8eaeab862eb698d22857596f9487c8b13188ff538b2f606fed0d1f50035b86eb
Instruction ID: bfa75b26456f8faeae3bd04883aa3de872f1c3f6bc5caf26a0b3bd0247bc7586
Opcode Fuzzy Hash: 8eaeab862eb698d22857596f9487c8b13188ff538b2f606fed0d1f50035b86eb
Instruction Fuzzy Hash: 3441217280011FAADF16FBE0DD85DEE777CAF28210F500465E685B61D0EA396F49CB61

Function 0106D899 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 0106DA10
_wcscat.LIBCMT ref: 0106DA28
_wcscat.LIBCMT ref: 0106DA3A
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0106DA4F
SetCurrentDirectoryW.KERNEL32(?), ref: 0106DA63
GetFileAttributesW.KERNEL32(?), ref: 0106DA7B
SetFileAttributesW.KERNEL32(?,00000000), ref: 0106DA95
SetCurrentDirectoryW.KERNEL32(?), ref: 0106DAA7

Strings

*.*, xrefs: 0106DAE6

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: f4c22e79ea4a06898edfd60e82b58196913c876efea7ea5031f630786de98a67
Instruction ID: 06105de87f2d5ccbd45000749d2b6a87178b38f171d3953c0b408d40674616bd
Opcode Fuzzy Hash: f4c22e79ea4a06898edfd60e82b58196913c876efea7ea5031f630786de98a67
Instruction Fuzzy Hash: 7681A6716083419FDB64EFA8C8449AEB7EDBF89214F088C6EE5C9CB251D630D945CB62

Function 0108C1AC Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 01002612: GetWindowLongW.USER32(?,000000EB), ref: 01002623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0108C1FC
GetFocus.USER32 ref: 0108C20C
GetDlgCtrlID.USER32(00000000), ref: 0108C217
_memset.LIBCMT ref: 0108C342
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0108C36D
GetMenuItemCount.USER32(?), ref: 0108C38D
GetMenuItemID.USER32(?,00000000), ref: 0108C3A0
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0108C3D4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0108C41C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0108C454
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0108C489

Strings

0, xrefs: 0108C33A

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: d4bb91d2a25880ffababa099072dd4197e9ba34ef8c4e51e107b3ec3e25ef532
Instruction ID: d82ffc098378366487193582ef9af66636161c5170a8bdb04cdb8aa6dd47e9fe
Opcode Fuzzy Hash: d4bb91d2a25880ffababa099072dd4197e9ba34ef8c4e51e107b3ec3e25ef532
Instruction Fuzzy Hash: CE816B702083029FE761EF28D984AABBBF4FB88714F00456DFAD597291CB71D945CB62

Function 0107731A Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0107738F
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 0107739B
CreateCompatibleDC.GDI32(?), ref: 010773A7
SelectObject.GDI32(00000000,?), ref: 010773B4
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 01077408
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 01077444
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 01077468
SelectObject.GDI32(00000006,?), ref: 01077470
DeleteObject.GDI32(?), ref: 01077479
DeleteDC.GDI32(00000006), ref: 01077480
ReleaseDC.USER32(00000000,?), ref: 0107748B

Strings

(, xrefs: 01077410

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: a52f84b0a255e0d905b352e2123d9c8051b15b9c6534993210f2b98ab40609e3
Instruction ID: 781ae4d2e1e9ec4bc14a8f2b075453b5a153f8f826daedf58fb29763ab2d5979
Opcode Fuzzy Hash: a52f84b0a255e0d905b352e2123d9c8051b15b9c6534993210f2b98ab40609e3
Instruction Fuzzy Hash: 8A515B75904309EFDB24CFA8C889EAEBBF9EF48350F14851DF99997210C735A941CB54

Function 01064F75 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 01064F7A

Part of subcall function 0102049F: timeGetTime.WINMM(?,753DB400,01010E7B), ref: 010204A3

Sleep.KERNEL32(0000000A), ref: 01064FA6
EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 01064FCA
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 01064FEC
SetActiveWindow.USER32 ref: 0106500B
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 01065019
SendMessageW.USER32(00000010,00000000,00000000), ref: 01065038
Sleep.KERNEL32(000000FA), ref: 01065043
IsWindow.USER32 ref: 0106504F
EndDialog.USER32(00000000), ref: 01065060

Strings

BUTTON, xrefs: 01064FDE
@U=u, xrefs: 01065019, 01065038

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: @U=u$BUTTON
API String ID: 1194449130-2582809321
Opcode ID: 9a13d5d34c0e8ae068d7ba0b9b821543333daff4458d2d8dbd14e6d640703368
Instruction ID: 60b9a291da1aba522cc4266d9ad5c3e244698d3fe7f2225d8703e7cb51a25eba
Opcode Fuzzy Hash: 9a13d5d34c0e8ae068d7ba0b9b821543333daff4458d2d8dbd14e6d640703368
Instruction Fuzzy Hash: 6B216274208206AFF7315F74EC88B6E3BADEB5A785F141024F1C6C129DCB6B9D608B61

Function 01006A8C Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 01020957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,01006B0C,?,00008000), ref: 01020973

Part of subcall function 01004750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,01004743,?,?,010037AE,?), ref: 01004770

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 01006BAD
SetCurrentDirectoryW.KERNEL32(?), ref: 01006CFA

Part of subcall function 0100586D: _wcscpy.LIBCMT ref: 010058A5

Part of subcall function 0102363D: _iswctype.LIBCMT ref: 01023645

Strings

Error opening the file, xrefs: 0103E43D, 0103E4B8
>>>AUTOIT SCRIPT<<<, xrefs: 0103E496
EA06, xrefs: 0103E452
Bad directive syntax error, xrefs: 0103E79D
Unterminated string, xrefs: 0103E7E4
AU3!, xrefs: 01006B61
#include depth exceeded. Make sure there are no recursive includes, xrefs: 0103E421

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: 8d168274ce5788e74965093c1b44655fee640d566acdbfabe874242f64e3cbe8
Instruction ID: 0e8b47bc3a86fb70b723bb22c1479b04367a35a94463a06f217c9ec7461e6b14
Opcode Fuzzy Hash: 8d168274ce5788e74965093c1b44655fee640d566acdbfabe874242f64e3cbe8
Instruction Fuzzy Hash: ED027C305083429FD726EF24C8809AFBBE9BFA9314F04491EF5C6972A0DB35D949CB52

Function 01062D36 Relevance: 19.7, APIs: 13, Instructions: 214windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 01062D50
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 01062DDD
GetMenuItemCount.USER32(010C5890), ref: 01062E66
DeleteMenu.USER32(010C5890,00000005,00000000,000000F5,?,?), ref: 01062EF6
DeleteMenu.USER32(010C5890,00000004,00000000), ref: 01062EFE
DeleteMenu.USER32(010C5890,00000006,00000000), ref: 01062F06
DeleteMenu.USER32(010C5890,00000003,00000000), ref: 01062F0E
GetMenuItemCount.USER32(010C5890), ref: 01062F16
SetMenuItemInfoW.USER32(010C5890,00000004,00000000,00000030), ref: 01062F4C
GetCursorPos.USER32(?), ref: 01062F56
SetForegroundWindow.USER32(00000000), ref: 01062F5F
TrackPopupMenuEx.USER32(010C5890,00000000,?,00000000,00000000,00000000), ref: 01062F72
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 01062F7E

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: 0014d49ea66a3643f4cdd81fbf7646fcf7cac5c581bddccd0f30af253ec1d3bf
Instruction ID: d796b2c26b1654fdb0c7f8370012f64785d41017656e5af151b0e4d5a0b22d94
Opcode Fuzzy Hash: 0014d49ea66a3643f4cdd81fbf7646fcf7cac5c581bddccd0f30af253ec1d3bf
Instruction Fuzzy Hash: 0B71D770605206BFFB219F68DC48FAABFACFF14364F140266F695AA1D0C7755860CB51

Function 010577DC Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 01007BCC: _memmove.LIBCMT ref: 01007C06

_memset.LIBCMT ref: 0105786B
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 010578A0
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 010578BC
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 010578D8
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 01057902
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 0105792A
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 01057935
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0105793A

Strings

\CLSID, xrefs: 01057822
SOFTWARE\Classes\, xrefs: 0105780C
\IPC$, xrefs: 01057882

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1411258926-22481851
Opcode ID: ec2b3c554dc0aa5e6d8a95f3d99b80b7f90cab5c43887b750ef84cc982a8c70a
Instruction ID: f518ea663b511826c68718cc8f8b223b7b449feb8e5dc0c54b8c1fdfa8c19c71
Opcode Fuzzy Hash: ec2b3c554dc0aa5e6d8a95f3d99b80b7f90cab5c43887b750ef84cc982a8c70a
Instruction Fuzzy Hash: 4441DB72C1022EABDF22EBA4DC84DEEB7B8FF14614F404469E985A7190DB355D05CBA0

Function 01080E1A Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0107FDAD,?,?), ref: 01080E31

Strings

HKCC, xrefs: 01080EFF
HKEY_CURRENT_CONFIG, xrefs: 01080EEE
HKCR, xrefs: 01080ED9
HKEY_CURRENT_USER, xrefs: 01080F10
HKEY_USERS, xrefs: 01080F32
HKEY_CLASSES_ROOT, xrefs: 01080EC4
HKCU, xrefs: 01080F21
HKU, xrefs: 01080F43
HKEY_LOCAL_MACHINE, xrefs: 01080E9A
HKLM, xrefs: 01080EAF

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: cc91b81825291690ef33b8c2dda60c962c1aa6cc91f41ec9ef77b61b1c17041d
Instruction ID: 5f91e0ecf9e68d538ed6b73b5b7dddbdbcc21186945e84947661857ea565a1db
Opcode Fuzzy Hash: cc91b81825291690ef33b8c2dda60c962c1aa6cc91f41ec9ef77b61b1c17041d
Instruction Fuzzy Hash: 3D418D7110425A8BDF11FF14D8A0AEF37A0BF22304F448464FDE51B69ADB35A91ECBA0

Function 010874BB Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0108755E
CreateCompatibleDC.GDI32(00000000), ref: 01087565
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 01087578
SelectObject.GDI32(00000000,00000000), ref: 01087580
GetPixel.GDI32(00000000,00000000,00000000), ref: 0108758B
DeleteDC.GDI32(00000000), ref: 01087594
GetWindowLongW.USER32(?,000000EC), ref: 0108759E
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 010875B2
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 010875BE

Strings

static, xrefs: 010874F6
@U=u, xrefs: 01087578

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: @U=u$static
API String ID: 2559357485-3553413495
Opcode ID: 6e89f10ea44a8a0079986da8687a5e9e5e57300b1a7192bed15a2eb27ce14196
Instruction ID: 2293992110c2e3f02c2cfff4d3a0539162841582706d5a2f7c05f7d6708fbdef
Opcode Fuzzy Hash: 6e89f10ea44a8a0079986da8687a5e9e5e57300b1a7192bed15a2eb27ce14196
Instruction Fuzzy Hash: B6316E31108216ABDF22AF78DC08FDE3BA9FF09365F210214FAD596194CB76D861DB64

Function 0105F7A1 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,0103E2A0,00000010,?,Bad directive syntax error,0108F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 0105F7C2
LoadStringW.USER32(00000000,?,0103E2A0,00000010), ref: 0105F7C9

Part of subcall function 01007DE1: _memmove.LIBCMT ref: 01007E22

_wprintf.LIBCMT ref: 0105F7FC
__swprintf.LIBCMT ref: 0105F81E
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 0105F88D

Strings

Line %d (File "%s"):, xrefs: 0105F833
Error: , xrefs: 0105F85B
%s (%d) : ==> %s.: %s %s, xrefs: 0105F7F7
Line %d:, xrefs: 0105F818
., xrefs: 0105F873

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1506413516-4153970271
Opcode ID: cb5058d7cc7c040e89a0d20adae375870bbbd1c475bf5433c5460fd5e56f7513
Instruction ID: d8debb8c1e57b2f24116d933417224deac3af365e83816efe2e4e462798056cb
Opcode Fuzzy Hash: cb5058d7cc7c040e89a0d20adae375870bbbd1c475bf5433c5460fd5e56f7513
Instruction Fuzzy Hash: 7C214F3290021FABDF12EFA0CC49EFE7779BF28204F04485AF5956A0A0DA75A518CB51

Function 010652C7 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 01007BCC: _memmove.LIBCMT ref: 01007C06

Part of subcall function 01007924: _memmove.LIBCMT ref: 010079AD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 01065330
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 01065346
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 01065357
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 01065369
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0106537A

Strings

play PlayMe, xrefs: 01065375
status PlayMe mode, xrefs: 0106532B
open , xrefs: 010652DF
play PlayMe wait, xrefs: 01065364
alias PlayMe, xrefs: 01065309
close PlayMe, xrefs: 01065341, 0106536E

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: 6889c52cffcda50c0e794f1bb0144bc9bbc05e3da1470588db262cb7a536082c
Instruction ID: 4d60c110cb9144da903e2eb6ef4656ac905dbc5e267900eb920270508a264007
Opcode Fuzzy Hash: 6889c52cffcda50c0e794f1bb0144bc9bbc05e3da1470588db262cb7a536082c
Instruction Fuzzy Hash: 7F110870A9012E39E720B676CC88DFF7BBCFBA5F44F00441E74C1960E0E9A05804C6B0

Function 010646B7 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 010646D2
gethostname.WSOCK32(?,00000100), ref: 010646EC
gethostbyname.WSOCK32(?), ref: 010646F9
_wcscpy.LIBCMT ref: 01064721
_memmove.LIBCMT ref: 01064734
inet_ntoa.WSOCK32(?), ref: 0106473F
_strcat.LIBCMT ref: 0106474D
_wcscpy.LIBCMT ref: 01064764
WSACleanup.WSOCK32 ref: 01064772
_wcscpy.LIBCMT ref: 01064780

Strings

0.0.0.0, xrefs: 0106471B

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: 29f2bd840ed3ac5192f3bb87561e2da220c698d4187607f1461d2d172935bb68
Instruction ID: 5fb4f419e2d1028692c102280ed1bba95985da206a5444b29d6e4d2f21d13d22
Opcode Fuzzy Hash: 29f2bd840ed3ac5192f3bb87561e2da220c698d4187607f1461d2d172935bb68
Instruction Fuzzy Hash: 8311B431504126AFDB24BB749C49EEE77BCFF12711F0441AAE5C5D6050EF799AC28B50

Function 0106D58D Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 01009837: __itow.LIBCMT ref: 01009862
Part of subcall function 01009837: __swprintf.LIBCMT ref: 010098AC

CoInitialize.OLE32(00000000), ref: 0106D5EA
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0106D67D
SHGetDesktopFolder.SHELL32(?), ref: 0106D691
CoCreateInstance.OLE32(01092D7C,00000000,00000001,010B8C1C,?), ref: 0106D6DD
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0106D74C
CoTaskMemFree.OLE32(?,?), ref: 0106D7A4
_memset.LIBCMT ref: 0106D7E1
SHBrowseForFolderW.SHELL32(?), ref: 0106D81D
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0106D840
CoTaskMemFree.OLE32(00000000), ref: 0106D847
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 0106D87E
CoUninitialize.OLE32(00000001,00000000), ref: 0106D880

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 46b0f3c56c3495a32e6f7f05208bce6186a415962c4ba2cbc5ae3ef03fb5944a
Instruction ID: 01fb0f982b998a57755d511ce05872032650cf1ad885755a9b3626cbcc61f831
Opcode Fuzzy Hash: 46b0f3c56c3495a32e6f7f05208bce6186a415962c4ba2cbc5ae3ef03fb5944a
Instruction Fuzzy Hash: A7B1FD75A00109AFDB14DFA4C888DAEBBF9FF48314F148499E989EB251DB35EE41CB50

Function 0105C267 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 0105C283
GetWindowRect.USER32(00000000,?), ref: 0105C295
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0105C2F3
GetDlgItem.USER32(?,00000002), ref: 0105C2FE
GetWindowRect.USER32(00000000,?), ref: 0105C310
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0105C364
GetDlgItem.USER32(?,000003E9), ref: 0105C372
GetWindowRect.USER32(00000000,?), ref: 0105C383
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0105C3C6
GetDlgItem.USER32(?,000003EA), ref: 0105C3D4
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0105C3F1
InvalidateRect.USER32(?,00000000,00000001), ref: 0105C3FE

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: ee9b3bfe3e4f081fabc535dab4b272cea03f5295fa66a6f5b9f4b4f5316abe8d
Instruction ID: aef4f53333fc649820a0d4301dcccb2ffd7b0108c492a87f22fede188650e36d
Opcode Fuzzy Hash: ee9b3bfe3e4f081fabc535dab4b272cea03f5295fa66a6f5b9f4b4f5316abe8d
Instruction Fuzzy Hash: B2514171B00205ABEB18CFBDDD89A6EBBB9FB88310F14816DF955D6294D77199408B10

Function 0100201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 01001B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,01002036,?,00000000,?,?,?,?,010016CB,00000000,?), ref: 01001B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 010020D3
KillTimer.USER32(-00000001,?,?,?,?,010016CB,00000000,?,?,01001AE2,?,?), ref: 0100216E
DestroyAcceleratorTable.USER32(00000000), ref: 0103BCA6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,010016CB,00000000,?,?,01001AE2,?,?), ref: 0103BCD7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,010016CB,00000000,?,?,01001AE2,?,?), ref: 0103BCEE
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,010016CB,00000000,?,?,01001AE2,?,?), ref: 0103BD0A
DeleteObject.GDI32(00000000), ref: 0103BD1C

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: d62fd534e22b3eb08355c2bac34a63f4cf96726bdd987490008678ae54fc29fb
Instruction ID: bed706621d3ac680a11662cce1956aa5ef566fc85879648f57d21aaeb9a0aa2b
Opcode Fuzzy Hash: d62fd534e22b3eb08355c2bac34a63f4cf96726bdd987490008678ae54fc29fb
Instruction Fuzzy Hash: 48619D34204B01DFEB36EF18D94CB2A7BF2FB80316F504558E5C29A9A5C77AA891CF41

Function 010021A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 010025DB: GetWindowLongW.USER32(?,000000EB), ref: 010025EC

GetSysColor.USER32(0000000F), ref: 010021D3

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 02ef0767bc2a8c9ca239e0276ca28a88a13bc12d1799b091ebe1b96fd88bced8
Instruction ID: 74a7a50f3dbf80ecbeab48ba1b3e6d2456e5594e5090888d99e042a980e6e74b
Opcode Fuzzy Hash: 02ef0767bc2a8c9ca239e0276ca28a88a13bc12d1799b091ebe1b96fd88bced8
Instruction Fuzzy Hash: B8417131104541AFEF265F6CD88CBB93BA5EB46321F144295FEE58A1E6C7368881CB21

Function 0106A8A7 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,0108F910), ref: 0106A90B
GetDriveTypeW.KERNEL32(00000061,010B89A0,00000061), ref: 0106A9D5
_wcscpy.LIBCMT ref: 0106A9FF

Strings

unknown, xrefs: 0106A996
all, xrefs: 0106A911
network, xrefs: 0106A969
cdrom, xrefs: 0106A927
removable, xrefs: 0106A93D
fixed, xrefs: 0106A953
ramdisk, xrefs: 0106A97F

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: f4dd706e01546bb4324bcb055fc41690395844097eeeca955ee1bf91d9de9bff
Instruction ID: 53c75cdb4fe4eea58e201116c52cfd018b4c2c494bc33be0a9b05cd75a47eb7e
Opcode Fuzzy Hash: f4dd706e01546bb4324bcb055fc41690395844097eeeca955ee1bf91d9de9bff
Instruction Fuzzy Hash: D8519D352183029BD701EF24C890AAFB7E9FFA4254F54482EF5D6672E1DB319909CB62

Function 01088645 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 010886FF

Strings

@U=u, xrefs: 01088735

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: InvalidateRect
String ID: @U=u
API String ID: 634782764-2594219639
Opcode ID: 6cdcc658b4bd18193d0cc9b271d720a4bcb23fc8b5e331b657454aab479076ae
Instruction ID: 488e58d6ca401089619c5351f9f0e39828f0d17f696d8d5eef1dfc44fb627db3
Opcode Fuzzy Hash: 6cdcc658b4bd18193d0cc9b271d720a4bcb23fc8b5e331b657454aab479076ae
Instruction Fuzzy Hash: 5651A530518205BEEB31BA28DC88F9D7BA4BB19724F908157FAD1E61D0D776E9A0CB40

Function 01002B72 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0103C2F7
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0103C319
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0103C331
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0103C34F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0103C370
DestroyIcon.USER32(00000000), ref: 0103C37F
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0103C39C
DestroyIcon.USER32(?), ref: 0103C3AB

Part of subcall function 0108A4AF: DeleteObject.GDI32(00000000), ref: 0108A4E8

Strings

@U=u, xrefs: 0103C370, 0103C39C

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID: @U=u
API String ID: 2819616528-2594219639
Opcode ID: 9b533a54a6c8538a2d5d45efc23fa92cd4a8114222603dab8d255294658e49f9
Instruction ID: 9724d19bd092d3fcebb4bb3e035bf909aff0a0e153a08d80904b6dc6323861a6
Opcode Fuzzy Hash: 9b533a54a6c8538a2d5d45efc23fa92cd4a8114222603dab8d255294658e49f9
Instruction Fuzzy Hash: 6251697460060AAFEB21DF68CD48FAE3BE9EB58310F104559F982E72D0DB71A990DB50

Function 01009837 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 01009862
__swprintf.LIBCMT ref: 010098AC
__i64tow.LIBCMT ref: 0103F5E6

Strings

%.15g, xrefs: 010098A6
False, xrefs: 0103F5AE
0x%p, xrefs: 0103F5C8
True, xrefs: 0103F5A7

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: 48b96309b83f76d870dac558b8509655452aa57dae9cd0e16569554a014e10ea
Instruction ID: 2fa965c98b02ee874b480f4b1cd9913494a07a5374b6fd930d477b8f3ba2beae
Opcode Fuzzy Hash: 48b96309b83f76d870dac558b8509655452aa57dae9cd0e16569554a014e10ea
Instruction Fuzzy Hash: 7041B671900206DFFB25EF38D845EBA77ECFB45204F1044AEE6C9DA2D1EA35AA418B11

Function 01087152 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0108716A
CreateMenu.USER32 ref: 01087185
SetMenu.USER32(?,00000000), ref: 01087194
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 01087221
IsMenu.USER32(?), ref: 01087237
CreatePopupMenu.USER32 ref: 01087241
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0108726E
DrawMenuBar.USER32 ref: 01087276

Strings

0, xrefs: 01087160
F, xrefs: 01087262

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 91093af73909fe70f9b45b36e876bca60dd8dcf4bc6d52c9ccbd793f950d6d46
Instruction ID: 071c36e6f53233afb418c4445b0aace38042a0bde721d8c92caafc4719c90f36
Opcode Fuzzy Hash: 91093af73909fe70f9b45b36e876bca60dd8dcf4bc6d52c9ccbd793f950d6d46
Instruction Fuzzy Hash: FC413874A05205EFDB20EFA8D884E9A7BF5FF49310F140068FA95A7355D736A910CFA0

Function 01058F8F Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 01007DE1: _memmove.LIBCMT ref: 01007E22

Part of subcall function 0105AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0105AABC

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 01059014
GetDlgCtrlID.USER32 ref: 0105901F
GetParent.USER32 ref: 0105903B
SendMessageW.USER32(00000000,?,00000111,?), ref: 0105903E
GetDlgCtrlID.USER32(?), ref: 01059047
GetParent.USER32(?), ref: 01059063
SendMessageW.USER32(00000000,?,?,00000111), ref: 01059066

Strings

ComboBox, xrefs: 01058F9C
ListBox, xrefs: 01058FD1
@U=u, xrefs: 01059066

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: @U=u$ComboBox$ListBox
API String ID: 1536045017-2258501812
Opcode ID: 137b7e1a38705ebbd81bdb684e1b212ef1d025b42f5bcb8e3b9fa5e93bab7c68
Instruction ID: 5a59835188298f273875e23e5b6aab829238c2c73b3f5c11f390f37923a94ad4
Opcode Fuzzy Hash: 137b7e1a38705ebbd81bdb684e1b212ef1d025b42f5bcb8e3b9fa5e93bab7c68
Instruction Fuzzy Hash: AD21A170A00109BFDF15ABB4CC84EFEBBB4EB59310F10025AB9E1972E0DB795425DB20

Function 0105907A Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 01007DE1: _memmove.LIBCMT ref: 01007E22

Part of subcall function 0105AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0105AABC

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 010590FD
GetDlgCtrlID.USER32 ref: 01059108
GetParent.USER32 ref: 01059124
SendMessageW.USER32(00000000,?,00000111,?), ref: 01059127
GetDlgCtrlID.USER32(?), ref: 01059130
GetParent.USER32(?), ref: 0105914C
SendMessageW.USER32(00000000,?,?,00000111), ref: 0105914F

Strings

ComboBox, xrefs: 01059087
ListBox, xrefs: 010590BC
@U=u, xrefs: 0105914F

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: @U=u$ComboBox$ListBox
API String ID: 1536045017-2258501812
Opcode ID: 60157164dcbc21d4968f315afa6b9b1284a2481b400f2ae3d656c3ced2755579
Instruction ID: ebff345b8d9f1851b887f5052a665375bec957f0a64e297d462a776b8e7d0702
Opcode Fuzzy Hash: 60157164dcbc21d4968f315afa6b9b1284a2481b400f2ae3d656c3ced2755579
Instruction Fuzzy Hash: 6321B375A00109BFEF11ABB4CC84EFEBBB8EF59300F10415ABAD1972A5DB795425DB20

Function 01059163 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 0105916F
GetClassNameW.USER32(00000000,?,00000100), ref: 01059184
_wcscmp.LIBCMT ref: 01059196
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 01059211

Strings

SHELLDLL_DefView, xrefs: 01059190
largeicons, xrefs: 010591A5
details, xrefs: 010591BF
list, xrefs: 010591F3
smallicons, xrefs: 010591D9
@U=u, xrefs: 01059211

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: @U=u$SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-1428604138
Opcode ID: dd9632180ecc14ab7fe6a254c6fb7f918892f1bd22ea004b0ca67ab7f8e61e43
Instruction ID: 6c8ca3aa4bd00c07e054b7b0fc6685e2bd6c124971f833e6e7594a402fa330d1
Opcode Fuzzy Hash: dd9632180ecc14ab7fe6a254c6fb7f918892f1bd22ea004b0ca67ab7f8e61e43
Instruction Fuzzy Hash: F1112936248317FAFB622538DC0ADEB37DCDB15764B20006AFDC0E84D1FE6264515A94

Function 01026E03 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 01026E3E

Part of subcall function 01028B28: __getptd_noexit.LIBCMT ref: 01028B28

__gmtime64_s.LIBCMT ref: 01026ED7
__gmtime64_s.LIBCMT ref: 01026F0D
__gmtime64_s.LIBCMT ref: 01026F2A
__allrem.LIBCMT ref: 01026F80
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01026F9C
__allrem.LIBCMT ref: 01026FB3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01026FD1
__allrem.LIBCMT ref: 01026FE8
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01027006
__invoke_watson.LIBCMT ref: 01027077

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction ID: 53255806eaa267d4d74a9a9e10f4c155e772efee0f12d1e466cd505b2e8e4b6e
Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction Fuzzy Hash: AF710A76A00727EBDB14EE7CCC80B9AB7E8AF54324F14416AF994DB281E775D9048790

Function 01062527 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 01062542
GetMenuItemInfoW.USER32(010C5890,000000FF,00000000,00000030), ref: 010625A3
SetMenuItemInfoW.USER32(010C5890,00000004,00000000,00000030), ref: 010625D9
Sleep.KERNEL32(000001F4), ref: 010625EB
GetMenuItemCount.USER32(?), ref: 0106262F
GetMenuItemID.USER32(?,00000000), ref: 0106264B
GetMenuItemID.USER32(?,-00000001), ref: 01062675
GetMenuItemID.USER32(?,?), ref: 010626BA
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 01062700
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 01062714
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 01062735

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: f9dff5b0c4776c60c4269d3bb4b020511854600ada0dea5b2ca9e84ab8b3647e
Instruction ID: b3bdf30ee21dbe9c14be23306fa852ebd57dd31101c293ca4603f96d8509723c
Opcode Fuzzy Hash: f9dff5b0c4776c60c4269d3bb4b020511854600ada0dea5b2ca9e84ab8b3647e
Instruction Fuzzy Hash: B2618E7490424AAFEB21DF68D888DAE7BFDFB45344F140099F9C2A7291D736AD05CB21

Function 01086F23 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 01086FA5
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 01086FA8
GetWindowLongW.USER32(?,000000F0), ref: 01086FCC
_memset.LIBCMT ref: 01086FDD
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 01086FEF
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 01087067

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 2355bf45eccbd5436ac9f0c72b7a990af2924cac592320a1a4f880dee3f73461
Instruction ID: 0d67e24deda35ef77be5e563d822f7cc2962678ae8e17be26feedb063f9512ec
Opcode Fuzzy Hash: 2355bf45eccbd5436ac9f0c72b7a990af2924cac592320a1a4f880dee3f73461
Instruction Fuzzy Hash: B1617C75A04208AFDB21DFA8CC80EEE77F9EB09710F100199FA94EB291C775A945CF90

Function 01056B98 Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 01056BBF
SafeArrayAllocData.OLEAUT32(?), ref: 01056C18
VariantInit.OLEAUT32(?), ref: 01056C2A
SafeArrayAccessData.OLEAUT32(?,?), ref: 01056C4A
VariantCopy.OLEAUT32(?,?), ref: 01056C9D
SafeArrayUnaccessData.OLEAUT32(?), ref: 01056CB1
VariantClear.OLEAUT32(?), ref: 01056CC6
SafeArrayDestroyData.OLEAUT32(?), ref: 01056CD3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 01056CDC
VariantClear.OLEAUT32(?), ref: 01056CEE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 01056CF9

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 8a6c6186da7a204fef8767bb9cc79f9432085a3551c05676e361b35e2c517aca
Instruction ID: 20778ac4067a5925b4bd946ca1040f3997a225b2f1795dd564035bb7bea1bee9
Opcode Fuzzy Hash: 8a6c6186da7a204fef8767bb9cc79f9432085a3551c05676e361b35e2c517aca
Instruction Fuzzy Hash: 52415171D0011E9FDF10DFA8D8449EEBFB9EF18354F408069E995E7251CB36AA45CBA0

Function 0108D43E Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 01002612: GetWindowLongW.USER32(?,000000EB), ref: 01002623

GetSystemMetrics.USER32(0000000F), ref: 0108D47C
GetSystemMetrics.USER32(0000000F), ref: 0108D49C
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0108D6D7
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0108D6F5
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0108D716
ShowWindow.USER32(00000003,00000000), ref: 0108D735
InvalidateRect.USER32(?,00000000,00000001), ref: 0108D75A
DefDlgProcW.USER32(?,00000005,?,?), ref: 0108D77D

Strings

@U=u, xrefs: 0108D6F5, 0108D716

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID: @U=u
API String ID: 1211466189-2594219639
Opcode ID: 10c7328bbf652fe557ccb3f7931ebc4b90396da832013c29e5e078ed4c200281
Instruction ID: 72aa668c8705793c29816508b259682325ce3cb09831cf74969b324e56afc4ff
Opcode Fuzzy Hash: 10c7328bbf652fe557ccb3f7931ebc4b90396da832013c29e5e078ed4c200281
Instruction Fuzzy Hash: 0EB19C30604219EFDF14EFA8C5847AD7BF1BF08704F0482A9EDC89A299E735A950CB60

Function 010783BB Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 01009837: __itow.LIBCMT ref: 01009862
Part of subcall function 01009837: __swprintf.LIBCMT ref: 010098AC

CoInitialize.OLE32 ref: 01078403
CoUninitialize.OLE32 ref: 0107840E
CoCreateInstance.OLE32(?,00000000,00000017,01092BEC,?), ref: 0107846E
IIDFromString.OLE32(?,?), ref: 010784E1
VariantInit.OLEAUT32(?), ref: 0107857B
VariantClear.OLEAUT32(?), ref: 010785DC

Strings

Invalid parameter, xrefs: 010784FA
Failed to create object, xrefs: 01078479, 0107852F
NULL Pointer assignment, xrefs: 010784B3

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 701e4a5322e7a52034ef38bd027ab1562c5c101076fc0c933cd8e3074479e152
Instruction ID: 7dc07a01de2cfe32f30bdbbe50e831b231eb0bfe29a2aac2bec7fe7cbd5a4d78
Opcode Fuzzy Hash: 701e4a5322e7a52034ef38bd027ab1562c5c101076fc0c933cd8e3074479e152
Instruction Fuzzy Hash: 78618C70A083129FD711DF64C848FAEBBE8AF49754F04845EF9C59B291CB70E944CB96

Function 01002E26 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 01002EAE

Part of subcall function 01001DB3: GetClientRect.USER32(?,?), ref: 01001DDC
Part of subcall function 01001DB3: GetWindowRect.USER32(?,?), ref: 01001E1D
Part of subcall function 01001DB3: ScreenToClient.USER32(?,?), ref: 01001E45

GetDC.USER32 ref: 0103CD32
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0103CD45
SelectObject.GDI32(00000000,00000000), ref: 0103CD53
SelectObject.GDI32(00000000,00000000), ref: 0103CD68
ReleaseDC.USER32(?,00000000), ref: 0103CD70
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0103CDFB

Strings

U, xrefs: 0103CCD0
@U=u, xrefs: 0103CD45

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: @U=u$U
API String ID: 4009187628-4110099822
Opcode ID: 97dce4dcdebe7b049bd01276e688171cf28f78a9b5993c0f96ed3fb765f96845
Instruction ID: 2dd53d21aff614dca8a15c84a65c0aa73f5684a022374557dc74d09c6a9c1f83
Opcode Fuzzy Hash: 97dce4dcdebe7b049bd01276e688171cf28f78a9b5993c0f96ed3fb765f96845
Instruction Fuzzy Hash: A371D631500105DFEF629F68C988AEE7FB9FF88310F1442ABEDD5AA196C7319851CB60

Function 01075732 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 01075793
inet_addr.WSOCK32(?,?,?), ref: 010757D8
gethostbyname.WSOCK32(?), ref: 010757E4
IcmpCreateFile.IPHLPAPI ref: 010757F2
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 01075862
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 01075878
IcmpCloseHandle.IPHLPAPI(00000000), ref: 010758ED
WSACleanup.WSOCK32 ref: 010758F3

Strings

Ping, xrefs: 01075816

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: a14de337c2884ff2b97d7cf126f80cb3fe49276e6e280d04ec409e5ab6600467
Instruction ID: 82e4017630d2eb9a4c1297990d476322b838467b3c49c67a601d4069de173ead
Opcode Fuzzy Hash: a14de337c2884ff2b97d7cf126f80cb3fe49276e6e280d04ec409e5ab6600467
Instruction Fuzzy Hash: A5518E71A043019FEB619F28CC45BAABBE4EF49720F048569F9D6EB2D0DB30E900CB55

Function 0106B4C3 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0106B4D0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0106B546
GetLastError.KERNEL32 ref: 0106B550
SetErrorMode.KERNEL32(00000000,READY), ref: 0106B5BD

Strings

READONLY, xrefs: 0106B588
READY, xrefs: 0106B596
UNKNOWN, xrefs: 0106B575
INVALID, xrefs: 0106B58F
NOTREADY, xrefs: 0106B57C

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 658fb7a738edc4dd82e82a8c80ed2103f344cb0eb2104d7ef5403121c559217e
Instruction ID: a5e92cbe55e3715f1f04177ed2911ba99f0ea2e2b543832bb6f60c98c385babf
Opcode Fuzzy Hash: 658fb7a738edc4dd82e82a8c80ed2103f344cb0eb2104d7ef5403121c559217e
Instruction Fuzzy Hash: CC3181B5B002069FDB11EB68C884FEE7BB8FF15314F00816AE685DB291DA719A41CB91

Function 010861D3 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 010861EB
GetDC.USER32(00000000), ref: 010861F3
GetDeviceCaps.GDI32(00000000,0000005A), ref: 010861FE
ReleaseDC.USER32(00000000,00000000), ref: 0108620A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 01086246
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 01086257
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0108902A,?,?,000000FF,00000000,?,000000FF,?), ref: 01086291
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 010862B1

Strings

@U=u, xrefs: 01086257, 010862B1

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID: @U=u
API String ID: 3864802216-2594219639
Opcode ID: 737c1c1df55bc45959b43f71c1f9ae6653e46e7b4b84164d34817e97cfcd0d9c
Instruction ID: c73816f5f30eadfa38737962b960be78aa2c0416adec3d83b46bb09d705d424f
Opcode Fuzzy Hash: 737c1c1df55bc45959b43f71c1f9ae6653e46e7b4b84164d34817e97cfcd0d9c
Instruction Fuzzy Hash: EF319172104610BFEF215F64CC4AFEA3FA9EF49765F040095FE88DA181C67A9851CB60

Function 010788AB Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 010788D7
CoInitialize.OLE32(00000000), ref: 01078904
CoUninitialize.OLE32 ref: 0107890E
GetRunningObjectTable.OLE32(00000000,?), ref: 01078A0E
SetErrorMode.KERNEL32(00000001,00000029), ref: 01078B3B
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,01092C0C), ref: 01078B6F
CoGetObject.OLE32(?,00000000,01092C0C,?), ref: 01078B92
SetErrorMode.KERNEL32(00000000), ref: 01078BA5
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 01078C25
VariantClear.OLEAUT32(?), ref: 01078C35

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: b66a90aa9e884910ee3a3841b319fb5f2f561cd4a1e00200c6487b5e205afe14
Instruction ID: b68a2d82c32d96504fd1318f7c8aa7bf3ff24f40d52cb0da7aa5d881b368f178
Opcode Fuzzy Hash: b66a90aa9e884910ee3a3841b319fb5f2f561cd4a1e00200c6487b5e205afe14
Instruction Fuzzy Hash: 4FC127B1608306AFD700EF68C88896BBBE9FF89248F00895DF5C99B251D771ED05CB56

Function 01067990 Relevance: 15.3, APIs: 10, Instructions: 292COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 01067A6C

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: 5e7f767148d2db77e8f15aee97ad918d66cadb34ba6f9dcbddec0ae899188b9c
Instruction ID: 7a45c40d7d84c1892c5376cd5e579c1346bfcfa504c69166f31e330b99fd6319
Opcode Fuzzy Hash: 5e7f767148d2db77e8f15aee97ad918d66cadb34ba6f9dcbddec0ae899188b9c
Instruction Fuzzy Hash: E1B1817190021A9FDB11DFA8C484BFEBBF8FF49329F144469E691E7241D774A941CBA0

Function 010611CE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 010611F0
GetForegroundWindow.USER32(00000000,?,?,?,?,?,01060268,?,00000001), ref: 01061204
GetWindowThreadProcessId.USER32(00000000), ref: 0106120B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,01060268,?,00000001), ref: 0106121A
GetWindowThreadProcessId.USER32(?,00000000), ref: 0106122C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,01060268,?,00000001), ref: 01061245
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,01060268,?,00000001), ref: 01061257
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,01060268,?,00000001), ref: 0106129C
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,01060268,?,00000001), ref: 010612B1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,01060268,?,00000001), ref: 010612BC

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: edbaa102c1eef732edc45983b90d16ac210c057d91a0e16eda342f2e7833c1ed
Instruction ID: 43ab99414915e3b4fd71b8c3fd3125610a7ccfd5f1dbb67f94af7578c7a4bcb2
Opcode Fuzzy Hash: edbaa102c1eef732edc45983b90d16ac210c057d91a0e16eda342f2e7833c1ed
Instruction Fuzzy Hash: B831C1B560420ABFEB319F68D848F6D37EDEF98319F104255F9C0C6286D77A99608F50

Function 0100FA5D Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 0100FAA6
OleUninitialize.OLE32(?,00000000), ref: 0100FB45
UnregisterHotKey.USER32(?), ref: 0100FC9C
DestroyWindow.USER32(?), ref: 010445D6
FreeLibrary.KERNEL32(?), ref: 0104463B
VirtualFree.KERNEL32(?,00000000,00008000), ref: 01044668

Strings

close all, xrefs: 0100FAA1

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: fdb64ce5735863d13354e0620dfe178a66eb21c3c47774ef5bac9ffefc72be03
Instruction ID: 8aca6994cbaa6e76627a8fd16677e76a83eac3f23fd3a9afb6a0b34dbf7d9bf6
Opcode Fuzzy Hash: fdb64ce5735863d13354e0620dfe178a66eb21c3c47774ef5bac9ffefc72be03
Instruction Fuzzy Hash: 21A18F70701213CFEB2AEF14C594BA9F7A4BF15710F5442ADE98AAB291CB30AD16CF51

Function 0105A068 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,0105A439), ref: 0105A377

Strings

INSTANCE, xrefs: 0105A285
TEXT, xrefs: 0105A2AE
NAME, xrefs: 0105A1A9
CLASS, xrefs: 0105A0F6
CLASSNN, xrefs: 0105A119
REGEXPCLASS, xrefs: 0105A13C

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: d265026ea0f1047a2f5891dd5708932b08b22683d4dd80cd6e3dcc4d674041da
Instruction ID: e0f5b1a44df43e86d7e5038691addc35221b256dd0f7bf3813cb2c4744e0eaaa
Opcode Fuzzy Hash: d265026ea0f1047a2f5891dd5708932b08b22683d4dd80cd6e3dcc4d674041da
Instruction Fuzzy Hash: A491B530700616EADB88DFA4C491BEEFBB4BF14354F448259DDDAA7180DB316999CBA0

Function 0108B351 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(01585958), ref: 0108B3EB
IsWindowEnabled.USER32(01585958), ref: 0108B3F7
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0108B4DB
SendMessageW.USER32(01585958,000000B0,?,?), ref: 0108B512
IsDlgButtonChecked.USER32(?,?), ref: 0108B54F
GetWindowLongW.USER32(01585958,000000EC), ref: 0108B571
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0108B589

Strings

@U=u, xrefs: 0108B4DB, 0108B512, 0108B589

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID: @U=u
API String ID: 4072528602-2594219639
Opcode ID: 351fa4997a6e3ef10dbcb6910c6b78d4a0e3b2d1c344fbe5826a9376000e59b4
Instruction ID: d8a7724c12fdec2eb81dc5e423d5967ac1e3e3a3f0801411426e9e92f528029d
Opcode Fuzzy Hash: 351fa4997a6e3ef10dbcb6910c6b78d4a0e3b2d1c344fbe5826a9376000e59b4
Instruction Fuzzy Hash: 5D71C034608205EFEB61AF6CC895FBA7BF5FF09310F145199EAC297291CB36A851CB50

Function 01086D80 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 01086E24
SendMessageW.USER32(?,00001036,00000000,?), ref: 01086E38
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 01086E52
_wcscat.LIBCMT ref: 01086EAD
SendMessageW.USER32(?,00001057,00000000,?), ref: 01086EC4
SendMessageW.USER32(?,00001061,?,0000000F), ref: 01086EF2

Strings

SysListView32, xrefs: 01086DF6
@U=u, xrefs: 01086E24, 01086E38

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: @U=u$SysListView32
API String ID: 307300125-1908207174
Opcode ID: 89a365e4ba2025e412cb93220fc36fa72b57083623644ca55dd0cf038eaf8f6c
Instruction ID: 52c93fa13b074d736fbe54493b6cc2a2707bf22ab90812e434cb6196e1a1d6f0
Opcode Fuzzy Hash: 89a365e4ba2025e412cb93220fc36fa72b57083623644ca55dd0cf038eaf8f6c
Instruction Fuzzy Hash: B641A471904349EFEB21EF68CC84BEE77E8EF08354F11056AF5C4E7291D67299848B60

Function 01071A15 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 01071A50
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 01071A7C
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 01071ABE
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 01071AD3
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 01071AE0
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 01071B10
InternetCloseHandle.WININET(00000000), ref: 01071B57

Part of subcall function 01072483: GetLastError.KERNEL32(?,?,01071817,00000000,00000000,00000001), ref: 01072498
Part of subcall function 01072483: SetEvent.KERNEL32(?,?,01071817,00000000,00000000,00000001), ref: 010724AD

Strings

, xrefs: 01071B01

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
String ID:
API String ID: 2603140658-3916222277
Opcode ID: 0bf84c6ecdc45251d37a217dd7b48d18f64f4831e3df8d56b0a40dc8300ba7c3
Instruction ID: 553d90a7ea787bad727d3d3c4522d027e8e09b27801c1f41b0cf9949adea94c6
Opcode Fuzzy Hash: 0bf84c6ecdc45251d37a217dd7b48d18f64f4831e3df8d56b0a40dc8300ba7c3
Instruction Fuzzy Hash: 1B4172B1900219BFFB129F64CC89FFE7BACFF08354F004156FA859A181E7759A448BA4

Function 010862CD Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 010862EC
GetWindowLongW.USER32(01585958,000000F0), ref: 0108631F
GetWindowLongW.USER32(01585958,000000F0), ref: 01086354
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 01086386
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 010863B0
GetWindowLongW.USER32(00000000,000000F0), ref: 010863C1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 010863DB

Strings

@U=u, xrefs: 010862EC, 01086386, 010863B0

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID: @U=u
API String ID: 2178440468-2594219639
Opcode ID: 60fae286e980bf744d12b42ce6aa486da3b10984fdc2832c398e4420514f0d4b
Instruction ID: bc40052f4914aaa399f964c87deb2579e1b5652aeb6c8ca5741b4b8631c0e834
Opcode Fuzzy Hash: 60fae286e980bf744d12b42ce6aa486da3b10984fdc2832c398e4420514f0d4b
Instruction Fuzzy Hash: B6313434608251AFDB21DF28DC84F593BE1FB4A714F1A81A4F5C09F2B6CB77A8449B50

Function 01078C46 Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,0108F910), ref: 01078D28
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0108F910), ref: 01078D5C
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 01078ED6
SysFreeString.OLEAUT32(?), ref: 01078F00

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 453d788218a377553aa8872045c6543551706aaa920781126465411afe4ba1dd
Instruction ID: e9c1d6e0c43c3f571f895059c071fe6c5e3d940e68cd296eca455dcdf3acbf07
Opcode Fuzzy Hash: 453d788218a377553aa8872045c6543551706aaa920781126465411afe4ba1dd
Instruction Fuzzy Hash: F6F16871A00109AFDF45DF98C888EEEBBB9FF45314F108499F985AB251DB31AE41CB90

Function 0107F694 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0107F6B5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0107F848
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0107F86C
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0107F8AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0107F8CE
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0107FA4A
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0107FA7C
CloseHandle.KERNEL32(?), ref: 0107FAAB
CloseHandle.KERNEL32(?), ref: 0107FB22

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 76d3c8271faca5342507c4521910d6c170a84a38f26e853146a8483bd2e81e9d
Instruction ID: 21cd7163b27f52cb869d7f422be9533d5e4e9537bc2c9283eaf4d6e96f1c80a6
Opcode Fuzzy Hash: 76d3c8271faca5342507c4521910d6c170a84a38f26e853146a8483bd2e81e9d
Instruction Fuzzy Hash: B3E1CF716043029FDB15EF28C880AAEBBE1BF84354F04855DE8E99B2A1CB31ED45CB56

Function 01064CC1 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0106466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,01063697,?), ref: 0106468B

Part of subcall function 0106466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,01063697,?), ref: 010646A4

Part of subcall function 01064A31: GetFileAttributesW.KERNEL32(?,0106370B), ref: 01064A32

lstrcmpiW.KERNEL32(?,?), ref: 01064D40
_wcscmp.LIBCMT ref: 01064D5A
MoveFileW.KERNEL32(?,?), ref: 01064D75

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 6641ffe18eb0bda883b364b3fb50fc32761bfaea4a1ddbda2c58f8f502c70fe5
Instruction ID: 399db2bd63814794e08de26e114325aa3739ea51eb66fa2063aa8702d41ac5f7
Opcode Fuzzy Hash: 6641ffe18eb0bda883b364b3fb50fc32761bfaea4a1ddbda2c58f8f502c70fe5
Instruction Fuzzy Hash: 085153B24083469BD765EBA4DC809DFB7ECAF95250F00092EE2C9D3151EF75A288C766

Function 0105966E Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0105A82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0105A84C
Part of subcall function 0105A82C: GetCurrentThreadId.KERNEL32 ref: 0105A853
Part of subcall function 0105A82C: AttachThreadInput.USER32(00000000,?,01059683,?,00000001), ref: 0105A85A

MapVirtualKeyW.USER32(00000025,00000000), ref: 0105968E
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 010596AB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 010596AE
MapVirtualKeyW.USER32(00000025,00000000), ref: 010596B7
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 010596D5
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 010596D8
MapVirtualKeyW.USER32(00000025,00000000), ref: 010596E1
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 010596F8
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 010596FB

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 5e0e82ebc47ceccb11140349a6d7e3b0382f8f5071ebebe09cb45ecab93090f5
Instruction ID: c7ee52714aea136381e6a7c19ab89c973f4ff678bcfcb1c3f08162fb1862c805
Opcode Fuzzy Hash: 5e0e82ebc47ceccb11140349a6d7e3b0382f8f5071ebebe09cb45ecab93090f5
Instruction Fuzzy Hash: C811CBB1A10219BEFB206B709C89FAB3E2DEB4C7A4F100515F6C4AB094C9F35C10CBA4

Function 01058921 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0105853C,00000B00,?,?), ref: 0105892A
HeapAlloc.KERNEL32(00000000,?,0105853C,00000B00,?,?), ref: 01058931
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0105853C,00000B00,?,?), ref: 01058946
GetCurrentProcess.KERNEL32(?,00000000,?,0105853C,00000B00,?,?), ref: 0105894E
DuplicateHandle.KERNEL32(00000000,?,0105853C,00000B00,?,?), ref: 01058951
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0105853C,00000B00,?,?), ref: 01058961
GetCurrentProcess.KERNEL32(0105853C,00000000,?,0105853C,00000B00,?,?), ref: 01058969
DuplicateHandle.KERNEL32(00000000,?,0105853C,00000B00,?,?), ref: 0105896C
CreateThread.KERNEL32(00000000,00000000,01058992,00000000,00000000,00000000), ref: 01058986

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 8b81657ba4268f4fa5a6b3e67742f79f70211fa87402297a281157949be743e4
Instruction ID: c5f322a8d52484116ca94c087ee0911f604a62bfb11a73a300dad8594c9f94ac
Opcode Fuzzy Hash: 8b81657ba4268f4fa5a6b3e67742f79f70211fa87402297a281157949be743e4
Instruction Fuzzy Hash: 8301BF75244305BFEB20ABB5DC8DF5B7B6CEB89711F408411FA45DB195C6799810CB20

Function 01079B23 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 01079B7B
NULL Pointer assignment, xrefs: 01079BA4, 01079EC8

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 6684ce3b65b6176fe534eb721ae7c9917d98dd1948bdf07c860506c5993e703a
Instruction ID: 66f6665531e1af64137685305ce0535ec6bd34f553ff5fa06f26dabcb6789a46
Opcode Fuzzy Hash: 6684ce3b65b6176fe534eb721ae7c9917d98dd1948bdf07c860506c5993e703a
Instruction Fuzzy Hash: FFC19671E0020A9FDF10DF98C984AEEB7F5FF48328F148469E985AB241E771AD45CB54

Function 01079113 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 01079167
VariantInit.OLEAUT32(?), ref: 01079238
VariantInit.OLEAUT32(?), ref: 01079339
VariantClear.OLEAUT32(?), ref: 01079343
VariantClear.OLEAUT32(?), ref: 010793A0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 0107931C
Null Object assignment in FOR..IN loop, xrefs: 010791C8, 010792F6, 010793AE

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: 36f18618aacd909d3e8dd0bc1c905b202d13b13deb9e968a240f184d22c5833b
Instruction ID: eec80c4395ac14ddda839b8fa7dd2d8fcdae33b3d6f6aa270891f5bbae6de217
Opcode Fuzzy Hash: 36f18618aacd909d3e8dd0bc1c905b202d13b13deb9e968a240f184d22c5833b
Instruction Fuzzy Hash: 2C919071E00219EBDF24DFA5C848FAEBBB8EF45728F008159F595AB290D7709901CFA4

Function 0107975D Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 0105710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,01057044,80070057,?,?,?,01057455), ref: 01057127
Part of subcall function 0105710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,01057044,80070057,?,?), ref: 01057142
Part of subcall function 0105710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,01057044,80070057,?,?), ref: 01057150
Part of subcall function 0105710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,01057044,80070057,?), ref: 01057160

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 01079806
_memset.LIBCMT ref: 01079813
_memset.LIBCMT ref: 01079956
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 01079982
CoTaskMemFree.OLE32(?), ref: 0107998D

Strings

NULL Pointer assignment, xrefs: 010799DB

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 9d99834163376d66ef815d1273c860008df0001adb230f11d21af30c6aa2e6cf
Instruction ID: d4e2370225acfc05556592f47df4a79c58edbbb9a85f5a487263beda37112d9a
Opcode Fuzzy Hash: 9d99834163376d66ef815d1273c860008df0001adb230f11d21af30c6aa2e6cf
Instruction Fuzzy Hash: 38913A71D0021AEBDF11DFA5DC40EDEBBB9BF08324F10415AE559A7290EB715A44CFA0

Function 0107E933 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 01063C55: CreateToolhelp32Snapshot.KERNEL32 ref: 01063C7A
Part of subcall function 01063C55: Process32FirstW.KERNEL32(00000000,?), ref: 01063C88
Part of subcall function 01063C55: CloseHandle.KERNEL32(00000000), ref: 01063D52

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0107E9A4
GetLastError.KERNEL32 ref: 0107E9B7
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0107E9E6
TerminateProcess.KERNEL32(00000000,00000000), ref: 0107EA63
GetLastError.KERNEL32(00000000), ref: 0107EA6E
CloseHandle.KERNEL32(00000000), ref: 0107EAA3

Strings

SeDebugPrivilege, xrefs: 0107E9C2

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 1a1fbd4837bff9577a66bab08816cc4db212b3cdd31e52db760f793792faa83e
Instruction ID: 2d0e115f99a0b3cd284e70f8ddeec35f3070b5d9b1389e35b0e26e9972261c81
Opcode Fuzzy Hash: 1a1fbd4837bff9577a66bab08816cc4db212b3cdd31e52db760f793792faa83e
Instruction Fuzzy Hash: 37419071604202AFDB15EF24C894FAEB7E5BF54314F048498E9C69F3C2CB75A904CB95

Function 0108B69E Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(010C57B0,00000000,01585958,?,?,010C57B0,?,0108B5A8,?,?), ref: 0108B712
EnableWindow.USER32(00000000,00000000), ref: 0108B736
ShowWindow.USER32(010C57B0,00000000,01585958,?,?,010C57B0,?,0108B5A8,?,?), ref: 0108B796
ShowWindow.USER32(00000000,00000004,?,0108B5A8,?,?), ref: 0108B7A8
EnableWindow.USER32(00000000,00000001), ref: 0108B7CC
SendMessageW.USER32(?,0000130C,?,00000000), ref: 0108B7EF

Strings

@U=u, xrefs: 0108B7EF

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID: @U=u
API String ID: 642888154-2594219639
Opcode ID: a78fe1c748d981869307dcb20035091ca9b60ed42d18ff177c3360c4e08e34fb
Instruction ID: 841e2b84d2c9c6302d57283687ddd470d06768fc3c9f0b61e99e7b654ecdf3ca
Opcode Fuzzy Hash: a78fe1c748d981869307dcb20035091ca9b60ed42d18ff177c3360c4e08e34fb
Instruction Fuzzy Hash: D7418334608241AFDB62EF28C499B957FE0FF09314F1C41E9EAC88F666C735A456CB50

Function 01062F94 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 01063033

Strings

warning, xrefs: 0106301C
blank, xrefs: 01062FB5
stop, xrefs: 01063004
question, xrefs: 01062FEC
info, xrefs: 01062FD4

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: b4170f89dff30e7e87dece0eb671b91f3227e3d1112966734720107ba1195b45
Instruction ID: 9ea4d76a538513252f6abbba3e4c27b190094c13a6f035e51048458472a1a55f
Opcode Fuzzy Hash: b4170f89dff30e7e87dece0eb671b91f3227e3d1112966734720107ba1195b45
Instruction Fuzzy Hash: E5112731348347BEFB159A59DC91CEF7BDCEF15330B10406AFA88AE181EB716A4456E0

Function 010642F8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 01064312
LoadStringW.USER32(00000000), ref: 01064319
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0106432F
LoadStringW.USER32(00000000), ref: 01064336
_wprintf.LIBCMT ref: 0106435C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0106437A

Strings

%s (%d) : ==> %s: %s %s, xrefs: 01064357

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 9e93e1ecdadbf2892655b6f5ef660d800c6302e1d5a704bcd42f70e1342fb8d6
Instruction ID: 6c45f50922db8b610375a1ea0b134b3d805cac53559bd485e2940452d8822e81
Opcode Fuzzy Hash: 9e93e1ecdadbf2892655b6f5ef660d800c6302e1d5a704bcd42f70e1342fb8d6
Instruction Fuzzy Hash: 2501A2F2804209BFE720A7B0DD88EFA776CEB08210F000591B7C5E6001EA395E944B70

Function 01002A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0103C1C7,00000004,00000000,00000000,00000000), ref: 01002ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0103C1C7,00000004,00000000,00000000,00000000,000000FF), ref: 01002B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0103C1C7,00000004,00000000,00000000,00000000), ref: 0103C21A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0103C1C7,00000004,00000000,00000000,00000000), ref: 0103C286

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: d767402e229c2118dfda7f37263b5079a4f61caf61f5e9b8b54da505ad7c50ab
Instruction ID: 05b76ff3c15bac42d666552f512fc0ab3a176d78f24a53f63b334b813a062aae
Opcode Fuzzy Hash: d767402e229c2118dfda7f37263b5079a4f61caf61f5e9b8b54da505ad7c50ab
Instruction Fuzzy Hash: B441E6306086809BFBB79B3C8D8CB6F7ED5AB86304F15888AE1C6D65D0CA75A4C5C720

Function 010670C6 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 010670DD

Part of subcall function 01020DB6: std::exception::exception.LIBCMT ref: 01020DEC
Part of subcall function 01020DB6: __CxxThrowException@8.LIBCMT ref: 01020E01

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 01067114
EnterCriticalSection.KERNEL32(?), ref: 01067130
_memmove.LIBCMT ref: 0106717E
_memmove.LIBCMT ref: 0106719B
LeaveCriticalSection.KERNEL32(?), ref: 010671AA
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 010671BF
InterlockedExchange.KERNEL32(?,000001F6), ref: 010671DE

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: fd65f971f4501dd3da4abcc56081cafc295456cffd1f1935dc5fd47bd9be4392
Instruction ID: 5c98958581574dce63aea470abed39478bebfa236793a08e0244d74840cb506c
Opcode Fuzzy Hash: fd65f971f4501dd3da4abcc56081cafc295456cffd1f1935dc5fd47bd9be4392
Instruction Fuzzy Hash: B0318171900216EBDF10EFA8DC849AEB7B9EF45714F1441A5ED849B24ADB359A10CB60

Function 0105BBAF Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 0105BBC4
_memcmp.LIBCMT ref: 0105BBE6
_memcmp.LIBCMT ref: 0105BBFE
_memcmp.LIBCMT ref: 0105BC11
_memcmp.LIBCMT ref: 0105BC2B
_memcmp.LIBCMT ref: 0105BC3E
_memcmp.LIBCMT ref: 0105BC56
_memcmp.LIBCMT ref: 0105BC71

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: a4f6f650a788321d26a547fc563b9346cc083b8a4fb83bd6e4534c654231bee3
Instruction ID: a863fbb9110bfd04a20889ce09dfa441f589aea6380cd8601bf794de6f066425
Opcode Fuzzy Hash: a4f6f650a788321d26a547fc563b9346cc083b8a4fb83bd6e4534c654231bee3
Instruction Fuzzy Hash: 152104B120121E7BBB9466169D51FFF7B9E9E10148F044024FDC89A203EFA4FE10C1A5

Function 0106EB23 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 01009837: __itow.LIBCMT ref: 01009862
Part of subcall function 01009837: __swprintf.LIBCMT ref: 010098AC

Part of subcall function 0101FC86: _wcscpy.LIBCMT ref: 0101FCA9

_wcstok.LIBCMT ref: 0106EC94
_wcscpy.LIBCMT ref: 0106ED23
_memset.LIBCMT ref: 0106ED56

Strings

X, xrefs: 0106ED93

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 61bf10e0073bf6107d66326ce5115685e69588aa2eb9e9a317d3b41b1fe73295
Instruction ID: 9d25df2575fb0143dca32b672d207f4f30f778a1eeb2e20aa2f17889f3028467
Opcode Fuzzy Hash: 61bf10e0073bf6107d66326ce5115685e69588aa2eb9e9a317d3b41b1fe73295
Instruction Fuzzy Hash: 55C18E755043029FD755EF28C880A9ABBE8FF95324F00496DF9D99B2A1DB30ED45CB82

Function 01076B03 Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 01076C00
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 01076C21
WSAGetLastError.WSOCK32(00000000), ref: 01076C34
htons.WSOCK32(?,?,?,00000000,?), ref: 01076CEA
inet_ntoa.WSOCK32(?), ref: 01076CA7

Part of subcall function 0105A7E9: _strlen.LIBCMT ref: 0105A7F3
Part of subcall function 0105A7E9: _memmove.LIBCMT ref: 0105A815

_strlen.LIBCMT ref: 01076D44
_memmove.LIBCMT ref: 01076DAD

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: ed5a0e329fa8e9c3bf8beecbe53d39810fce6ceaf1f44a902cf6b43da5656e58
Instruction ID: 6629914f28b82314c813c53fd872dec8eb5a8a36eb9174c042266fc65ca46463
Opcode Fuzzy Hash: ed5a0e329fa8e9c3bf8beecbe53d39810fce6ceaf1f44a902cf6b43da5656e58
Instruction Fuzzy Hash: A581F071904702AFE711FB24CC80EAFB7E8AF95314F408919FAC69B2D1DA71AD40CB95

Function 01001424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3661c0795a23fcb1a859983b8b6b087785cde26d2eb93801005c42f3b1efa6ad
Instruction ID: 920a7005f9e7f4ce34ad0acdb14cbef962e5d74a999b793f92f5626f4c45d20b
Opcode Fuzzy Hash: 3661c0795a23fcb1a859983b8b6b087785cde26d2eb93801005c42f3b1efa6ad
Instruction Fuzzy Hash: A7718E30904109EFEB16CF98C884ABEBFB9FF85314F148159F995AA291C734EA51CF60

Function 0107F41E Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0107F448
_memset.LIBCMT ref: 0107F511
ShellExecuteExW.SHELL32(?), ref: 0107F556

Part of subcall function 01009837: __itow.LIBCMT ref: 01009862
Part of subcall function 01009837: __swprintf.LIBCMT ref: 010098AC

Part of subcall function 0101FC86: _wcscpy.LIBCMT ref: 0101FCA9

GetProcessId.KERNEL32(00000000), ref: 0107F5CD
CloseHandle.KERNEL32(00000000), ref: 0107F5FC

Strings

@, xrefs: 0107F525

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 2d91a3a9b4b020105c08260f8e044245e533a99acd823aa81907c4b552d35acc
Instruction ID: e94f4d4605ffb5414af612ec9dce870a9aaab0c2f9e01dea0b93b9fc5bc1ea56
Opcode Fuzzy Hash: 2d91a3a9b4b020105c08260f8e044245e533a99acd823aa81907c4b552d35acc
Instruction Fuzzy Hash: 93618FB5E0061ADFDB15DF68C4809AEBBF5FF48314F148059D9A9AB391CB30AE41CB94

Function 01060F4D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 01060F8C
GetKeyboardState.USER32(?), ref: 01060FA1
SetKeyboardState.USER32(?), ref: 01061002
PostMessageW.USER32(?,00000101,00000010,?), ref: 01061030
PostMessageW.USER32(?,00000101,00000011,?), ref: 0106104F
PostMessageW.USER32(?,00000101,00000012,?), ref: 01061095
PostMessageW.USER32(?,00000101,0000005B,?), ref: 010610B8

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 6aa9b7258b6920c7c9c539245a48360a51cd433369faba231f2c8becb5ab4aab
Instruction ID: 8894a9990ac26f7a5044af1e999be3688dc6001c427bc80efc5196d43b90e9f1
Opcode Fuzzy Hash: 6aa9b7258b6920c7c9c539245a48360a51cd433369faba231f2c8becb5ab4aab
Instruction Fuzzy Hash: AE51D1B06486D63DFB7642388805BBABEED5B46304F0885C9F2D4898D3C2E9E8D4D751

Function 01060D66 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 01060DA5
GetKeyboardState.USER32(?), ref: 01060DBA
SetKeyboardState.USER32(?), ref: 01060E1B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 01060E47
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 01060E64
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 01060EA8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 01060EC9

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 29fa33ced8bf63aa798af0cfdf8103735ff284c86fc012a81d034e3fd9a191d4
Instruction ID: 98b42c63e9b3316432c6bae3e6b202a84ee5966b6ccbfb9cdbfeaf5128fff083
Opcode Fuzzy Hash: 29fa33ced8bf63aa798af0cfdf8103735ff284c86fc012a81d034e3fd9a191d4
Instruction Fuzzy Hash: D851E6B05887D63DFB7683388C45BBA7FED5B06300F0885C9F2D5468C6D3A5A898D760

Function 010655FD Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0106560A
_wcsncpy.LIBCMT ref: 0106563F
_wcsncpy.LIBCMT ref: 01065671
_wcsncpy.LIBCMT ref: 010656A4
_wcsncpy.LIBCMT ref: 010656E6
_wcsncpy.LIBCMT ref: 01065720
_wcsncpy.LIBCMT ref: 0106574F

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: d20d9df344d8605f9d4de32e4552c3168b022097b97d7d5f4b89456c30d669ad
Instruction ID: bb4adc7bacfd90e230fe733efaf0ff59d308d97c52adb6ffacfc393eae1c5170
Opcode Fuzzy Hash: d20d9df344d8605f9d4de32e4552c3168b022097b97d7d5f4b89456c30d669ad
Instruction Fuzzy Hash: 2B419365C1022576CB11EBF49C859CFB7BCAF18310F508956F598E3220FB38A695C7AA

Function 0108A056 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

@U=u, xrefs: 0108A14F

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID:
String ID: @U=u
API String ID: 0-2594219639
Opcode ID: 26fca6c63de2f5236d3d1ba29b2cbb4a761a737bc28fc446cf6af94085329082
Instruction ID: 5764c1f25e71a97479c2a8a53daf67062ca3087e417f83c56666dfaff18914e9
Opcode Fuzzy Hash: 26fca6c63de2f5236d3d1ba29b2cbb4a761a737bc28fc446cf6af94085329082
Instruction Fuzzy Hash: 85419235B08104EFEB60EA78CC48FA9BFE4EB09350F1502A6FAD5A76D1C734A951DB50

Function 01063671 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0106466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,01063697,?), ref: 0106468B

Part of subcall function 0106466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,01063697,?), ref: 010646A4

lstrcmpiW.KERNEL32(?,?), ref: 010636B7
_wcscmp.LIBCMT ref: 010636D3
MoveFileW.KERNEL32(?,?), ref: 010636EB
_wcscat.LIBCMT ref: 01063733
SHFileOperationW.SHELL32(?), ref: 0106379F

Strings

\*.*, xrefs: 0106372D

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: 6eafc0106a0cade2db5407317443479dea2db9c5521151696f2671a6243d7d02
Instruction ID: 7743cd8fd7a4de8a24333a57dd06425fce7b19c052d6c16aeac98d2391c38456
Opcode Fuzzy Hash: 6eafc0106a0cade2db5407317443479dea2db9c5521151696f2671a6243d7d02
Instruction Fuzzy Hash: 02416F71508345AED762EF64D4419DFBBECBF98280F00496EF4DAC7250EA34D689C752

Function 01087291 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 010872AA
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 01087351
IsMenu.USER32(?), ref: 01087369
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 010873B1
DrawMenuBar.USER32 ref: 010873C4

Strings

0, xrefs: 0108729E

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: 2540ea83951bb802bf006c3ea580e0032dfa79550583620b7da8f2e9448a1bb5
Instruction ID: 347e1d4a46f859fcc16919ab35e9cda1ffbf8e4916ff4770f92f6d819b61daae
Opcode Fuzzy Hash: 2540ea83951bb802bf006c3ea580e0032dfa79550583620b7da8f2e9448a1bb5
Instruction Fuzzy Hash: 8B415875A04209EFDB21EF64D885A9EBBF8FB04310F248069FEC5A7254C731A950CF61

Function 01080FA5 Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 01080FD4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 01080FFE
FreeLibrary.KERNEL32(00000000), ref: 010810B5

Part of subcall function 01080FA5: RegCloseKey.ADVAPI32(?), ref: 0108101B
Part of subcall function 01080FA5: FreeLibrary.KERNEL32(?), ref: 0108106D
Part of subcall function 01080FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 01081090

RegDeleteKeyW.ADVAPI32(?,?), ref: 01081058

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: b9b6669e892507326399f8bf340e0a13f5a2627ba13de04d7f32fc8732f5dadc
Instruction ID: 782c7ab80a2b4bfa7d555f996d716f2fbfd0ccf92f04d48da9602c9831bedf52
Opcode Fuzzy Hash: b9b6669e892507326399f8bf340e0a13f5a2627ba13de04d7f32fc8732f5dadc
Instruction Fuzzy Hash: B3312171A04119BFEB259FA4DC85EFFBBBCEF08310F1001A9F581E2140D6755A869F60

Function 0105DAEB Relevance: 10.6, APIs: 7, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0105DB2E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0105DB54
SysAllocString.OLEAUT32(00000000), ref: 0105DB57
SysAllocString.OLEAUT32(?), ref: 0105DB75
SysFreeString.OLEAUT32(?), ref: 0105DB7E
StringFromGUID2.OLE32(?,?,00000028), ref: 0105DBA3
SysAllocString.OLEAUT32(?), ref: 0105DBB1

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 928c9f57c7db1bf4efde947700a4c46a07595254f603c3392657e6540f9735a2
Instruction ID: 2f6b6b79b9ee57e71b2c60ff8bda75acdf019c150dba3b9102c5fe3b7d9b8cef
Opcode Fuzzy Hash: 928c9f57c7db1bf4efde947700a4c46a07595254f603c3392657e6540f9735a2
Instruction Fuzzy Hash: 1B21713660421AEFEF50AEF8DC88CBF77EDEB09260B008166FD94DB251DA749C418760

Function 01076173 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 01077D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 01077DB6

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 010761C6
WSAGetLastError.WSOCK32(00000000), ref: 010761D5
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 0107620E
connect.WSOCK32(00000000,?,00000010), ref: 01076217
WSAGetLastError.WSOCK32 ref: 01076221
closesocket.WSOCK32(00000000), ref: 0107624A
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 01076263

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 67d88dad8b1cb9a38e1c37e517faa0be672454b6ead37289c1e2856f3b11fa60
Instruction ID: ee18e44304a962e44cb746e2948dcf9755f57e2fbe23b3a84b0897ba3a3345d9
Opcode Fuzzy Hash: 67d88dad8b1cb9a38e1c37e517faa0be672454b6ead37289c1e2856f3b11fa60
Instruction Fuzzy Hash: CB31D571A00519AFFF50AF64C888FBE7BACEF44754F048059FD86E7281CB75A9048B65

Function 01058E90 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 01007DE1: _memmove.LIBCMT ref: 01007E22

Part of subcall function 0105AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0105AABC

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 01058F14
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 01058F27
SendMessageW.USER32(?,00000189,?,00000000), ref: 01058F57

Part of subcall function 01007BCC: _memmove.LIBCMT ref: 01007C06

Strings

ComboBox, xrefs: 01058E9E
ListBox, xrefs: 01058ED3
@U=u, xrefs: 01058F14, 01058F27, 01058F57

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: @U=u$ComboBox$ListBox
API String ID: 365058703-2258501812
Opcode ID: 3f7d8df04ff107bcbc6cd688da015e44cd2e062dbc1f98d97e5b531108673dab
Instruction ID: bb4e70e1051deb094d4e37ac2e7a95e02384178b6f776653bf682f441bc14e66
Opcode Fuzzy Hash: 3f7d8df04ff107bcbc6cd688da015e44cd2e062dbc1f98d97e5b531108673dab
Instruction Fuzzy Hash: 1721F571A00105BEEB55AB758C84DFF7B69DB19360F00821AFDD5971E0DB3918098B10

Function 0105F65E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0105F671
__wcsnicmp.LIBCMT ref: 0105F692
__wcsnicmp.LIBCMT ref: 0105F6AC

Strings

#notrayicon, xrefs: 0105F669
#OnAutoItStartRegister, xrefs: 0105F6A6
#requireadmin, xrefs: 0105F68C

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: f943f2cb7c56b0035621571be8fa5bb222092fa646294fac6896136dfbc7f009
Instruction ID: 0d01db56407f7f496af2d337c61ce3795c83ddfb9817e35c444ac47fe1cda4f5
Opcode Fuzzy Hash: f943f2cb7c56b0035621571be8fa5bb222092fa646294fac6896136dfbc7f009
Instruction Fuzzy Hash: FB2149722046236AE771A6399C01EFB73DCFF69340F00442AFDC6CB050EB599D41C2A5

Function 0105DBC4 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0105DC09
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0105DC2F
SysAllocString.OLEAUT32(00000000), ref: 0105DC32
SysAllocString.OLEAUT32 ref: 0105DC53
SysFreeString.OLEAUT32 ref: 0105DC5C
StringFromGUID2.OLE32(?,?,00000028), ref: 0105DC76
SysAllocString.OLEAUT32(?), ref: 0105DC84

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 45164b4f745f82cf1c3392e2f014a17dbae6e54fc1a1d1b26c03feda8808075e
Instruction ID: 7d90eaa0f1f8780b1ae362bbe5d9ced6d2ab3d8aab3dda0343df68e140005972
Opcode Fuzzy Hash: 45164b4f745f82cf1c3392e2f014a17dbae6e54fc1a1d1b26c03feda8808075e
Instruction Fuzzy Hash: 3121623560821AAF9B50EBFCDC88DAB7BECEB09260B108166FD94CB255DA74DC41C764

Function 0105B1EC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0105B204
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0105B221
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0105B259
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0105B27F
_wcsstr.LIBCMT ref: 0105B289

Strings

@U=u, xrefs: 0105B221, 0105B259

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID: @U=u
API String ID: 3902887630-2594219639
Opcode ID: 683bd1f02ce362e1fe640bbd9465ae275592146934af60c5f819aef37c58a963
Instruction ID: 0393ff10235aceed1788e4a95910fdd773a1e23c099ad1ad384bd772875e1f61
Opcode Fuzzy Hash: 683bd1f02ce362e1fe640bbd9465ae275592146934af60c5f819aef37c58a963
Instruction Fuzzy Hash: 252107312042117BEB655B799C08E7F7B9DDF49790F004169FC85DA151EE65E8409770

Function 01059307 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 01059320

Part of subcall function 01007BCC: _memmove.LIBCMT ref: 01007C06

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 01059352
__itow.LIBCMT ref: 0105936A
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 01059392
__itow.LIBCMT ref: 010593A3

Strings

@U=u, xrefs: 01059320, 01059352, 01059392

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID: @U=u
API String ID: 2983881199-2594219639
Opcode ID: 65a0972c2d422f372105d7e1f487f3f1baaa41f58344e290250e7f55bfdd393c
Instruction ID: 4a0668e4d5fe5fcc4692bc0f9392f2828546d8a2a2ea42dc7996e72d870216f0
Opcode Fuzzy Hash: 65a0972c2d422f372105d7e1f487f3f1baaa41f58344e290250e7f55bfdd393c
Instruction Fuzzy Hash: BF210731700209FBEB11AA748C89EEF3FA8EF58758F049069FEC4AB1C1D6B49D518791

Function 010875CD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 01001D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 01001D73
Part of subcall function 01001D35: GetStockObject.GDI32(00000011), ref: 01001D87
Part of subcall function 01001D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 01001D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 01087632
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0108763F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0108764A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 01087659
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 01087665

Strings

Msctls_Progress32, xrefs: 01087603

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 5149c78030f255402e56ff2c2e8cee0779f70816e2b3addd5ad10cfb513035b1
Instruction ID: cea86b6f5601342bc459c1b792198df5c5dd349afc96dd3fe25e516ebb108afd
Opcode Fuzzy Hash: 5149c78030f255402e56ff2c2e8cee0779f70816e2b3addd5ad10cfb513035b1
Instruction Fuzzy Hash: 5811B6B1110119BFEF159F64CC85EEB7F5DEF0C798F114215B684A6150CA729C21DBA4

Function 01029AE6 Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 01029AE6

Part of subcall function 01023187: EncodePointer.KERNEL32(00000000), ref: 0102318A
Part of subcall function 01023187: __initp_misc_winsig.LIBCMT ref: 010231A5
Part of subcall function 01023187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 01029EA0
Part of subcall function 01023187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 01029EB4
Part of subcall function 01023187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 01029EC7
Part of subcall function 01023187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 01029EDA
Part of subcall function 01023187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 01029EED
Part of subcall function 01023187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 01029F00
Part of subcall function 01023187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 01029F13
Part of subcall function 01023187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 01029F26
Part of subcall function 01023187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 01029F39
Part of subcall function 01023187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 01029F4C
Part of subcall function 01023187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 01029F5F
Part of subcall function 01023187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 01029F72
Part of subcall function 01023187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 01029F85
Part of subcall function 01023187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 01029F98
Part of subcall function 01023187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 01029FAB
Part of subcall function 01023187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 01029FBE

__mtinitlocks.LIBCMT ref: 01029AEB
__mtterm.LIBCMT ref: 01029AF4

Part of subcall function 01029B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,01029AF9,01027CD0,010BA0B8,00000014), ref: 01029C56
Part of subcall function 01029B5C: _free.LIBCMT ref: 01029C5D
Part of subcall function 01029B5C: DeleteCriticalSection.KERNEL32(010BEC00,?,?,01029AF9,01027CD0,010BA0B8,00000014), ref: 01029C7F

__calloc_crt.LIBCMT ref: 01029B19
__initptd.LIBCMT ref: 01029B3B
GetCurrentThreadId.KERNEL32 ref: 01029B42

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: 038c551d80b1e7a6da1dd1c6a17310235aa5c5ab672523be1d3986c572dacb30
Instruction ID: 9db062bb2f8b41ee43b18e86da5f3f0e03155e69ecc4205c499cd48d0f7caeb7
Opcode Fuzzy Hash: 038c551d80b1e7a6da1dd1c6a17310235aa5c5ab672523be1d3986c572dacb30
Instruction Fuzzy Hash: A9F0B4325197335AFA757678BC016CA3AD0EF1273CF614A5AE5E4D91C4FF61804146A4

Function 0102406B Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,01023F85), ref: 01024085
GetProcAddress.KERNEL32(00000000), ref: 0102408C
EncodePointer.KERNEL32(00000000), ref: 01024097
DecodePointer.KERNEL32(01023F85), ref: 010240B2

Strings

combase.dll, xrefs: 01024080
RoUninitialize, xrefs: 01024074

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 8715ea38de66b16508fa7c5a5d44258b73b724aed7aaaabb33c9abad6b2e9cd5
Instruction ID: d3d61c316288f1970ea2f0cbbc6a59e8df5a6e890b4c8bdd48d78831d4284136
Opcode Fuzzy Hash: 8715ea38de66b16508fa7c5a5d44258b73b724aed7aaaabb33c9abad6b2e9cd5
Instruction Fuzzy Hash: F9E092705AA311AFEB70AF72E90DB493AB4B744742F108018F9C1E9188CBBF41409F14

Function 010664B8 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0106660B
_memmove.LIBCMT ref: 01066546

Part of subcall function 01009837: __itow.LIBCMT ref: 01009862
Part of subcall function 01009837: __swprintf.LIBCMT ref: 010098AC

_memmove.LIBCMT ref: 010665B9
_memmove.LIBCMT ref: 010666A0
_memmove.LIBCMT ref: 010666B9
_memmove.LIBCMT ref: 010666D5

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 18f37e5838f230a4906ee6e141b0ce789e5d02281ac6c14e15c7cdddf16319b8
Instruction ID: 8e9c85bec9d4014a4d24cfe6c0d52a202c63b51be1daf8f62850b5dd5a7e889e
Opcode Fuzzy Hash: 18f37e5838f230a4906ee6e141b0ce789e5d02281ac6c14e15c7cdddf16319b8
Instruction Fuzzy Hash: 1E615A7050025B9BDF02EF64CC80AFE3BA9AF29208F444559FDD96B292DB35AE45CB50

Function 010801E4 Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 01007DE1: _memmove.LIBCMT ref: 01007E22

Part of subcall function 01080E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0107FDAD,?,?), ref: 01080E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 010802BD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 010802FD
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 01080320
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 01080349
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0108038C
RegCloseKey.ADVAPI32(00000000), ref: 01080399

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: 484449f6f3a53e26ab1e578689b85102b2ff82e4fe5831d3e081c363353419dc
Instruction ID: a223c7b90bbfe22bc536004be3bd6e03806bdb2272e877eaa75633578ca2d1e7
Opcode Fuzzy Hash: 484449f6f3a53e26ab1e578689b85102b2ff82e4fe5831d3e081c363353419dc
Instruction Fuzzy Hash: 2A513831208202AFD711EB64C884EAFBBE9FF95314F04491DF9D58B2A5DB71E909CB52

Function 01085799 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 010857FB
GetMenuItemCount.USER32(00000000), ref: 01085832
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 0108585A
GetMenuItemID.USER32(?,?), ref: 010858C9
GetSubMenu.USER32(?,?), ref: 010858D7
PostMessageW.USER32(?,00000111,?,00000000), ref: 01085928

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 8a08465820c51420bf37e1eed52806b8c0baa1108ca0947ef7acd43ecd00b6a8
Instruction ID: 1be10b4663756338d07dee827238f1b7d97bc418905cf707d99630b4c01444ea
Opcode Fuzzy Hash: 8a08465820c51420bf37e1eed52806b8c0baa1108ca0947ef7acd43ecd00b6a8
Instruction Fuzzy Hash: 86515C35A04616EFDF11EF68C8449EEBBB4EF58320F104096E9C5BB351CB75AE418B90

Function 0105EEEC Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0105EF06
VariantClear.OLEAUT32(00000013), ref: 0105EF78
VariantClear.OLEAUT32(00000000), ref: 0105EFD3
_memmove.LIBCMT ref: 0105EFFD
VariantClear.OLEAUT32(?), ref: 0105F04A
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0105F078

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 49a3743d6df548566021ebb712637622e441eeb77e3592665dd458f6d23799b0
Instruction ID: 521edcd912dacfe5837dd11fdec920fa07991c4e55366593ab94c36785b8c3d0
Opcode Fuzzy Hash: 49a3743d6df548566021ebb712637622e441eeb77e3592665dd458f6d23799b0
Instruction Fuzzy Hash: 8A513C75A0020A9FDB14CF58C884AAAB7F8FF4C314B15855AFE99DB305E735E911CB90

Function 0106220A Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 01062258
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 010622A3
IsMenu.USER32(00000000), ref: 010622C3
CreatePopupMenu.USER32 ref: 010622F7
GetMenuItemCount.USER32(000000FF), ref: 01062355
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 01062386

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 600d395b86719369bf8d6faab3fc1aca22c28189df29c70c37cbcac598635420
Instruction ID: 93a026ec3425142e5922559a325bebb5570a1ef110b819a3f6f96cc3cae955e7
Opcode Fuzzy Hash: 600d395b86719369bf8d6faab3fc1aca22c28189df29c70c37cbcac598635420
Instruction Fuzzy Hash: 6851A07060035AEFDF21CF68D888BADBBF9BF45314F1081A9E9D1A7290D7719944CB51

Function 01001765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 01002612: GetWindowLongW.USER32(?,000000EB), ref: 01002623

BeginPaint.USER32(?,?,?,?,?,?), ref: 0100179A
GetWindowRect.USER32(?,?), ref: 010017FE
ScreenToClient.USER32(?,?), ref: 0100181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0100182C
EndPaint.USER32(?,?), ref: 01001876

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 56e1b77c40661e00ca679c83a8419b196ec8b75792b5badb24cd0f9287ef3667
Instruction ID: 680970bfb15ceac45e5cb55c0bb5be8e48ef716c29505831f27311d5ceab8b98
Opcode Fuzzy Hash: 56e1b77c40661e00ca679c83a8419b196ec8b75792b5badb24cd0f9287ef3667
Instruction Fuzzy Hash: AA418134604301AFE722DF24C884BBA7BE8FB4A724F044669F5D4861E1C735E945CB61

Function 0107709E Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,01074E41,?,?,00000000,00000001), ref: 010770AC

Part of subcall function 010739A0: GetWindowRect.USER32(?,?), ref: 010739B3

GetDesktopWindow.USER32 ref: 010770D6
GetWindowRect.USER32(00000000), ref: 010770DD
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 0107710F

Part of subcall function 01065244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 010652BC

GetCursorPos.USER32(?), ref: 0107713B
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 01077199

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: c0285c971f65016bc68da37f310cad18a36afa45aca08d65e97942f00094947f
Instruction ID: ec5781d0f0ea5f6d1bdc54d8d038f668cb25909b25caf10f8baa3a547032b33c
Opcode Fuzzy Hash: c0285c971f65016bc68da37f310cad18a36afa45aca08d65e97942f00094947f
Instruction Fuzzy Hash: DB31D472505306ABD720DF28D848B9FBBEAFF88354F000919F5C597181C775E915CB96

Function 01058879 Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 010580A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 010580C0
Part of subcall function 010580A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 010580CA
Part of subcall function 010580A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 010580D9
Part of subcall function 010580A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 010580E0
Part of subcall function 010580A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 010580F6

GetLengthSid.ADVAPI32(?,00000000,0105842F), ref: 010588CA
GetProcessHeap.KERNEL32(00000008,00000000), ref: 010588D6
HeapAlloc.KERNEL32(00000000), ref: 010588DD
CopySid.ADVAPI32(00000000,00000000,?), ref: 010588F6
GetProcessHeap.KERNEL32(00000000,00000000,0105842F), ref: 0105890A
HeapFree.KERNEL32(00000000), ref: 01058911

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 2ec9409976bb5730d3f3acc8b0da4237cd45b17f241ccfcaaf5b47cd1fd2455e
Instruction ID: c99131188261ef24df1ace3e3ac6a2f268bf2e881a791e71edf8e1a416d883aa
Opcode Fuzzy Hash: 2ec9409976bb5730d3f3acc8b0da4237cd45b17f241ccfcaaf5b47cd1fd2455e
Instruction Fuzzy Hash: 7711AF3150120AFFEBA09FA9DC09BAFBBB8EB45315F14805AEDC597204C736A911CB61

Function 010585B1 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 010585E2
OpenProcessToken.ADVAPI32(00000000), ref: 010585E9
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 010585F8
CloseHandle.KERNEL32(00000004), ref: 01058603
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 01058632
DestroyEnvironmentBlock.USERENV(00000000), ref: 01058646

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: c6200b9879071fe725ca0bea43b0466732a978b5b935f007828b25b2893986c4
Instruction ID: 9ea6090346d16f2590f7e4b216e7cc8d365da09754dbab534dacc09c1c22fb9e
Opcode Fuzzy Hash: c6200b9879071fe725ca0bea43b0466732a978b5b935f007828b25b2893986c4
Instruction Fuzzy Hash: A5115C7250520AABEF519EA9DD49BDF7BA9EF08308F048055FE84A2150C3768E61EB60

Function 0105B790 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0105B7B5
GetDeviceCaps.GDI32(00000000,00000058), ref: 0105B7C6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0105B7CD
ReleaseDC.USER32(00000000,00000000), ref: 0105B7D5
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0105B7EC
MulDiv.KERNEL32(000009EC,?,?), ref: 0105B7FE

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: c0bd3a706f1e2526db852f667646790e020ad16833b70008119b0d2f4f854f44
Instruction ID: 4bfb309f29d0f500911ffdaf75214704968dee3e63ae6e8ffd1e8c524225d742
Opcode Fuzzy Hash: c0bd3a706f1e2526db852f667646790e020ad16833b70008119b0d2f4f854f44
Instruction Fuzzy Hash: 49018475E00209BBEF509BB69C49A5FBFB8EB48351F044065FE84A7281D6319810CF90

Function 01020162 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 01020193
MapVirtualKeyW.USER32(00000010,00000000), ref: 0102019B
MapVirtualKeyW.USER32(000000A0,00000000), ref: 010201A6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 010201B1
MapVirtualKeyW.USER32(00000011,00000000), ref: 010201B9
MapVirtualKeyW.USER32(00000012,00000000), ref: 010201C1

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 67e96c0c948ad92216e6b5e373dc8456091696cac2375c8d513141f302b9339f
Instruction ID: 91cbab9d9e42bd343fb1d676507316e048d48ca3e1f39763221024f5d1b1736a
Opcode Fuzzy Hash: 67e96c0c948ad92216e6b5e373dc8456091696cac2375c8d513141f302b9339f
Instruction Fuzzy Hash: FF016CB090175A7DE3008F6A8C85B56FFA8FF19354F00411BA15C87941C7F5A864CBE5

Function 010653E9 Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 010653F9
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0106540F
GetWindowThreadProcessId.USER32(?,?), ref: 0106541E
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0106542D
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 01065437
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0106543E

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: fafa22f7832b1f59ad0c6355a4f6ff8fb4520968309edf125e85d53080992b8c
Instruction ID: 6bfd52e686c6882c37a1d2dd053641b10bf7de9553ad8b94a3ed99038a1eb992
Opcode Fuzzy Hash: fafa22f7832b1f59ad0c6355a4f6ff8fb4520968309edf125e85d53080992b8c
Instruction Fuzzy Hash: 5CF06D32244159BBE7315AB29C0DEAF7A7CEFCAB15F000259FA84D1041DAAA1A1187B5

Function 01067230 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 01067243
EnterCriticalSection.KERNEL32(?,?,01010EE4,?,?), ref: 01067254
TerminateThread.KERNEL32(00000000,000001F6,?,01010EE4,?,?), ref: 01067261
WaitForSingleObject.KERNEL32(00000000,000003E8,?,01010EE4,?,?), ref: 0106726E

Part of subcall function 01066C35: CloseHandle.KERNEL32(00000000,?,0106727B,?,01010EE4,?,?), ref: 01066C3F

InterlockedExchange.KERNEL32(?,000001F6), ref: 01067281
LeaveCriticalSection.KERNEL32(?,?,01010EE4,?,?), ref: 01067288

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 5e0af448653e6a5b2880d0ffb90228f54ced7070e7d13fad6091c26fc1dfdf6e
Instruction ID: 131ccdece18a1ab0634d9acac408d16185f6334a80f0aed0f647998bfaa26bfc
Opcode Fuzzy Hash: 5e0af448653e6a5b2880d0ffb90228f54ced7070e7d13fad6091c26fc1dfdf6e
Instruction Fuzzy Hash: 3AF0BE36444603ABE7612B74EC4C9EF3B29EF15302B100121F2C3E0098CB7F1410CB50

Function 01058992 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0105899D
UnloadUserProfile.USERENV(?,?), ref: 010589A9
CloseHandle.KERNEL32(?), ref: 010589B2
CloseHandle.KERNEL32(?), ref: 010589BA
GetProcessHeap.KERNEL32(00000000,?), ref: 010589C3
HeapFree.KERNEL32(00000000), ref: 010589CA

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 19632949825b561391f360e168d21723c76fdd480b5d1cbd5528f6db546b7f50
Instruction ID: 01a20ec3c9734e479e550c134589d23fd727cb58149c23f865fb29b14f034ea0
Opcode Fuzzy Hash: 19632949825b561391f360e168d21723c76fdd480b5d1cbd5528f6db546b7f50
Instruction Fuzzy Hash: 84E0C236008002BBDA112FF1EC0C90ABB69FB8A322B108220F299C1068CB3B9420DB50

Function 010785ED Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 01078613
CharUpperBuffW.USER32(?,?), ref: 01078722
VariantClear.OLEAUT32(?), ref: 0107889A

Part of subcall function 01067562: VariantInit.OLEAUT32(00000000), ref: 010675A2
Part of subcall function 01067562: VariantCopy.OLEAUT32(00000000,?), ref: 010675AB
Part of subcall function 01067562: VariantClear.OLEAUT32(00000000), ref: 010675B7

Strings

AUTOIT.ERROR, xrefs: 01078728
Incorrect Parameter format, xrefs: 0107864B, 0107880D

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: e64b51922ff958bd85eaffb8831c8161100e6f7aaa91051f9902a242d9e9446c
Instruction ID: 902e254b9a83f2a325cd6fa01735d617390e1be2c903070ddb8289f32fc5d0b5
Opcode Fuzzy Hash: e64b51922ff958bd85eaffb8831c8161100e6f7aaa91051f9902a242d9e9446c
Instruction Fuzzy Hash: DB917F74A043029FC750DF28C48499ABBE4FF99714F04896EF9DA9B3A1DB31E905CB52

Function 01062A96 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0101FC86: _wcscpy.LIBCMT ref: 0101FCA9

_memset.LIBCMT ref: 01062B87
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 01062BB6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 01062C69
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 01062C97

Strings

0, xrefs: 01062B73

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: c987de2857778022d85b70c3b927b88d595633518413f27a03de729e5779efd6
Instruction ID: 2e728f3c22f7a45dff4d2ad5a4b4cd13a02e37f2149ea69c9b73c945f227cb93
Opcode Fuzzy Hash: c987de2857778022d85b70c3b927b88d595633518413f27a03de729e5779efd6
Instruction Fuzzy Hash: 9351ED712083069EE765DFACC844AAFBBECEF99320F040A6DF9C496194DB60D9048B52

Function 010897F4 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(0158E978,?), ref: 01089863
ScreenToClient.USER32(00000002,00000002), ref: 01089896
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 01089903

Strings

@U=u, xrefs: 0108995E

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID: @U=u
API String ID: 3880355969-2594219639
Opcode ID: a2fc261022ec491769772d8ec320c990446b6f763e791b76ccf6c0c282d1f63f
Instruction ID: 05011191e1728ec317e9977f1557ca660a7fa1d95407cd8dadacfd4629820665
Opcode Fuzzy Hash: a2fc261022ec491769772d8ec320c990446b6f763e791b76ccf6c0c282d1f63f
Instruction Fuzzy Hash: 5F515F34A04206EFDB21EF68C884ABE7BF5FF85364F108299F9D59B291D731A941CB50

Function 01059A80 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 129windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 01059AD2
__itow.LIBCMT ref: 01059B03

Part of subcall function 01059D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 01059DBE

SendMessageW.USER32(?,0000110A,00000001,?), ref: 01059B6C
__itow.LIBCMT ref: 01059BC3

Strings

@U=u, xrefs: 01059AD2, 01059B6C

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: MessageSend$__itow
String ID: @U=u
API String ID: 3379773720-2594219639
Opcode ID: 9fb1109d77dee65e9b6dfe4391074fc93d368e664750200c596f40f6d5092e18
Instruction ID: 4e303def151b04a0cc25e18ea113fef49c74de2d3be8848872dce3f7dfbda20b
Opcode Fuzzy Hash: 9fb1109d77dee65e9b6dfe4391074fc93d368e664750200c596f40f6d5092e18
Instruction Fuzzy Hash: 12417274A00209ABFF52EF54C844FEE7FB9EF58718F400059EE85A7290DB74A944CBA1

Function 010597F5 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 010614BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,01059296,?,?,00000034,00000800,?,00000034), ref: 010614E6

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0105983F

Part of subcall function 01061487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,010592C5,?,?,00000800,?,00001073,00000000,?,?), ref: 010614B1

Part of subcall function 010613DE: GetWindowThreadProcessId.USER32(?,?), ref: 01061409
Part of subcall function 010613DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0105925A,00000034,?,?,00001004,00000000,00000000), ref: 01061419
Part of subcall function 010613DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0105925A,00000034,?,?,00001004,00000000,00000000), ref: 0106142F

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 010598AC
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 010598F9

Strings

@, xrefs: 01059911
@U=u, xrefs: 0105983F, 010598AC, 010598F9

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @$@U=u
API String ID: 4150878124-826235744
Opcode ID: c499c1250738882bc601ee1354f24c144fc4b41e58c1605215412d79aca23258
Instruction ID: bb7c2c8fd8e6823dd952b4c18f2fb1f09bd497a8b4a3322688fdc91775e94a35
Opcode Fuzzy Hash: c499c1250738882bc601ee1354f24c144fc4b41e58c1605215412d79aca23258
Instruction Fuzzy Hash: F241507690021DBFDB50DFA8CC81ADEBBB8EF59300F104195EA85B7180DA716E45CBA0

Function 0105D56C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0105D5D4
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0105D60A
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0105D61B
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0105D69D

Strings

DllGetClassObject, xrefs: 0105D610

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 35f1dc52118627285ca1c142dcba8e33e5fbbeec158ca565b4fcdfde58ca4a23
Instruction ID: a22331fd4ea2c2088b749c5ab9b476afa6679f1b71bfd89c59a58fb89c6b2eef
Opcode Fuzzy Hash: 35f1dc52118627285ca1c142dcba8e33e5fbbeec158ca565b4fcdfde58ca4a23
Instruction Fuzzy Hash: 3A418CB1600205EFDF55DFA4C884A9BBBE9EF48314F0580AAED89DF205D7B1D941CBA0

Function 01062753 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 010627C0
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 010627DC
DeleteMenu.USER32(?,00000007,00000000), ref: 01062822
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,010C5890,00000000), ref: 0106286B

Strings

0, xrefs: 010627B5

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 6e040ade3e5b121cd7fd4d9cc45218c70c14e308db85fdabd2bc0eb7b916608f
Instruction ID: 976742c10be85e8204d3e1b558c77bd5bca1340c5a681d35327830393b45d979
Opcode Fuzzy Hash: 6e040ade3e5b121cd7fd4d9cc45218c70c14e308db85fdabd2bc0eb7b916608f
Instruction Fuzzy Hash: F941AE716053029FD720DF28CC44B6ABBE8EF95314F04496DF9E59B291D734A405CB62

Function 01088851 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 010888DE

Strings

@U=u, xrefs: 0108892D

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: InvalidateRect
String ID: @U=u
API String ID: 634782764-2594219639
Opcode ID: 4c52efae912b7d8e4774ff1e7e56365ba1d007f84d9709918077d7956ca9e536
Instruction ID: ff356e05f3dc63c7833d94542c261da930ce0442e08b18a6c1f8dc29f721ab75
Opcode Fuzzy Hash: 4c52efae912b7d8e4774ff1e7e56365ba1d007f84d9709918077d7956ca9e536
Instruction Fuzzy Hash: 2A31F234618109FFEB71BA28DC44BAD7BA1FB0A310F98C153FAD1E62E1C631E5408B52

Function 0107D7A5 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0107D7C5

Part of subcall function 0100784B: _memmove.LIBCMT ref: 01007899

Strings

cdecl, xrefs: 0107D81C
none, xrefs: 0107D8A0
stdcall, xrefs: 0107D847
winapi, xrefs: 0107D836

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: cbecd16c7ac9e2127048ee184ed745f5d5f393b08b401d4acf47a49bb8507ca6
Instruction ID: 4dcfc472a1ed9c23532856febeaf9b9d8a0d7b5cf52caf72a791929ad8191d10
Opcode Fuzzy Hash: cbecd16c7ac9e2127048ee184ed745f5d5f393b08b401d4acf47a49bb8507ca6
Instruction Fuzzy Hash: D9317071900216ABDF41EF98CC909EEB7B4FF15724F008669E8E9976D1DB71E905CB80

Function 0107182D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0107184C
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 01071872
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 010718A2
InternetCloseHandle.WININET(00000000), ref: 010718E9

Part of subcall function 01072483: GetLastError.KERNEL32(?,?,01071817,00000000,00000000,00000001), ref: 01072498
Part of subcall function 01072483: SetEvent.KERNEL32(?,?,01071817,00000000,00000000,00000001), ref: 010724AD

Strings

, xrefs: 01071893

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 3662dbef0fd2e23cf9507a86bb5173390e3cf94b246ea242af06551a3d985d4d
Instruction ID: 52e5b653f95bfdec943afabfe508f14808c5375fe03b3bddadcca4e056765331
Opcode Fuzzy Hash: 3662dbef0fd2e23cf9507a86bb5173390e3cf94b246ea242af06551a3d985d4d
Instruction Fuzzy Hash: F921B0B1A04209BFEB519E64DC84EBF7BEDEB48644F00412AF5C5D6180DA758D0557A8

Function 010863E7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 01001D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 01001D73
Part of subcall function 01001D35: GetStockObject.GDI32(00000011), ref: 01001D87
Part of subcall function 01001D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 01001D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 01086461
LoadLibraryW.KERNEL32(?), ref: 01086468
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 0108647D
DestroyWindow.USER32(?), ref: 01086485

Strings

SysAnimate32, xrefs: 0108643C

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: a52a49eab83b6d8b9a9b0df1b4b314c18c5a73bf9aedfe547b181e5df073136b
Instruction ID: 9f740222876e89266f6a046aa9025c8486fb09c100b517e0f1a55127731e1e3e
Opcode Fuzzy Hash: a52a49eab83b6d8b9a9b0df1b4b314c18c5a73bf9aedfe547b181e5df073136b
Instruction Fuzzy Hash: C021AF71118205ABEF116E68DC80EBF37EAEB48328F115629FAD093191CA3298519720

Function 01066D9C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 01066DBC
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 01066DEF
GetStdHandle.KERNEL32(0000000C), ref: 01066E01
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 01066E3B

Strings

nul, xrefs: 01066E36

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: aea20b477f398f879b2131449b32d95659c54d1cb4734cec85c65d9520093bf2
Instruction ID: 2656781647940ba33637705bf96711c5500c70413f44aa2f0d5ef517ecfde18e
Opcode Fuzzy Hash: aea20b477f398f879b2131449b32d95659c54d1cb4734cec85c65d9520093bf2
Instruction Fuzzy Hash: 5A215E71A0020AABDB20AF29DC44A9E7BECEF55720F104A59FDE1D72D0DB729954CB50

Function 01066E6A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 01066E89
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 01066EBB
GetStdHandle.KERNEL32(000000F6), ref: 01066ECC
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 01066F06

Strings

nul, xrefs: 01066F01

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: ac6f6902f3ef6f3671c960e2ef08f86ad26bab36eaefdb7030ac48cd5be3ffb5
Instruction ID: 5c68a97e4bdff24e1868b6227f61c8263df27dcb50d8f1aa0a57f5458819312b
Opcode Fuzzy Hash: ac6f6902f3ef6f3671c960e2ef08f86ad26bab36eaefdb7030ac48cd5be3ffb5
Instruction Fuzzy Hash: 8B219D756003069BEB209F6DCC44AAA7BECAF45730F200B59F9E0D72D0DB72A4508B50

Function 0106AC40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0106AC54
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0106ACA8
__swprintf.LIBCMT ref: 0106ACC1
SetErrorMode.KERNEL32(00000000,00000001,00000000,0108F910), ref: 0106ACFF

Strings

%lu, xrefs: 0106ACBB

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 0fd3beb3488fa187c5eed0fac51389edffd12e8ecb6ba117468bf9b3817dad43
Instruction ID: a7feda862f2589b9dfa0a5abc9a7b0be0fdfea6476fbe7d0b9a95a63dd78f5e0
Opcode Fuzzy Hash: 0fd3beb3488fa187c5eed0fac51389edffd12e8ecb6ba117468bf9b3817dad43
Instruction Fuzzy Hash: BE21537460010AAFDB10EF65C984DEE7BB8FF89714F0040A9E989EB251DB35EA51CB61

Function 01061AE8 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 01061B19

Strings

EXISTS, xrefs: 01061B41
REMOVE, xrefs: 01061B1F
APPEND, xrefs: 01061B52
KEYS, xrefs: 01061B30

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: ad515e116471658713eaa1d55ff83def6f6207d869866e1f714a30bd0c8e6cbb
Instruction ID: ef4b2f4369ab165c66d9cd0cd81d842d8e43c0dff518e1e536d7be3011edcef1
Opcode Fuzzy Hash: ad515e116471658713eaa1d55ff83def6f6207d869866e1f714a30bd0c8e6cbb
Instruction Fuzzy Hash: 0D1184309001198F8F40EF64D8908FEB7B8FF65304F5485A5D8D5A7295EB325906CF50

Function 0107EB55 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0107EC07
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0107EC37
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0107ED6A
CloseHandle.KERNEL32(?), ref: 0107EDEB

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 93fa13fa322b08b369e8cb1cd7c9d5cc4a8e49328c73d252ad27c2f69160b29e
Instruction ID: ec6d16fa88405c8c47f8c83a2669e346c40c1383acda5ad9d3e4e303b10e2060
Opcode Fuzzy Hash: 93fa13fa322b08b369e8cb1cd7c9d5cc4a8e49328c73d252ad27c2f69160b29e
Instruction Fuzzy Hash: 3181AEB1A007019FE761EF28C885F6AB7E5AF54714F04885DFAD99B3C2D6B0AD00CB55

Function 0102541D Relevance: 7.7, APIs: 5, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0102547B
_memcpy_s.LIBCMT ref: 010254ED
__read_nolock.LIBCMT ref: 0102554B
__filbuf.LIBCMT ref: 0102556E
_memset.LIBCMT ref: 010255B2

Part of subcall function 01028B28: __getptd_noexit.LIBCMT ref: 01028B28

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: 1d92f2bce51b0a0de234b56dfad0c5d103c922ba67c2ed527f53aae8e5802bd0
Instruction ID: 4faab697c6029a8b527b9027a2feccc73acde7f87451e75fbc974b0c8e1ada8b
Opcode Fuzzy Hash: 1d92f2bce51b0a0de234b56dfad0c5d103c922ba67c2ed527f53aae8e5802bd0
Instruction Fuzzy Hash: B251C530B00325DBDB248F6DDC506EEBBE6AF50325F148769F8A5D62D0DB7099508B49

Function 01080037 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 01007DE1: _memmove.LIBCMT ref: 01007E22

Part of subcall function 01080E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0107FDAD,?,?), ref: 01080E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 010800FD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0108013C
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 01080183
RegCloseKey.ADVAPI32(?,?), ref: 010801AF
RegCloseKey.ADVAPI32(00000000), ref: 010801BC

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 89aea61304a8ade6da55b4b49b7097c97a9cfa785dd6a9010c41955d25d3f7de
Instruction ID: 7c2cc0d04d75fff9a5bef7e2358e36d0619f9230c3735aac4fdce2b872276c73
Opcode Fuzzy Hash: 89aea61304a8ade6da55b4b49b7097c97a9cfa785dd6a9010c41955d25d3f7de
Instruction Fuzzy Hash: 36516931208205AFDB15EF68C880EAEB7E8FF94314F40491DF5D587291DB31E949CB52

Function 0107D8C8 Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 01009837: __itow.LIBCMT ref: 01009862
Part of subcall function 01009837: __swprintf.LIBCMT ref: 010098AC

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0107D927
GetProcAddress.KERNEL32(00000000,?), ref: 0107D9AA
GetProcAddress.KERNEL32(00000000,00000000), ref: 0107D9C6
GetProcAddress.KERNEL32(00000000,?), ref: 0107DA07
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0107DA21

Part of subcall function 01005A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,01067896,?,?,00000000), ref: 01005A2C
Part of subcall function 01005A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,01067896,?,?,00000000,?,?), ref: 01005A50

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: c59e76b7a791e17f32046fcc6b8e037e034663547fa0a2d88552e26194f94df7
Instruction ID: ddc7f6d5451f57229b44bd6b22479499baaf1e0e5a4cba4f43fadce774c58074
Opcode Fuzzy Hash: c59e76b7a791e17f32046fcc6b8e037e034663547fa0a2d88552e26194f94df7
Instruction Fuzzy Hash: B9512635A0420ADFDB01EFA8C4849ADBBF5FF19224F048095E899AB352D731EE45CF90

Function 0106E571 Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0106E61F
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0106E648
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0106E687

Part of subcall function 01009837: __itow.LIBCMT ref: 01009862
Part of subcall function 01009837: __swprintf.LIBCMT ref: 010098AC

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0106E6AC
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0106E6B4

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 7c766c61f52d34cd21764c84eaf1a67a175e965a36423b53f9f6f2550efc4eb3
Instruction ID: ad2258b89faee2ec9d0572ad7ad37300fd543ac2ae71ed950fcba1682076138e
Opcode Fuzzy Hash: 7c766c61f52d34cd21764c84eaf1a67a175e965a36423b53f9f6f2550efc4eb3
Instruction Fuzzy Hash: 91510D79A00206DFDB01EF64C980AADBBF5EF19314F148095E989AB3A5CB31EE11DF51

Function 01002344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 01002357
ScreenToClient.USER32(010C57B0,?), ref: 01002374
GetAsyncKeyState.USER32(00000001), ref: 01002399
GetAsyncKeyState.USER32(00000002), ref: 010023A7

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 2cc13d3950616cb075b703d6c2b7e7ef674b14bcbc85f05cf7b678fb0817cbb5
Instruction ID: 18c851d09437a0e0a2ad8eceb19183f8ac227e73c4cf55dc44f08f1c5991ec15
Opcode Fuzzy Hash: 2cc13d3950616cb075b703d6c2b7e7ef674b14bcbc85f05cf7b678fb0817cbb5
Instruction Fuzzy Hash: 43418235508116FBEF269E68C848AEDFBB8FB45364F10835AF9A8A21D0C7319950DF90

Function 010563AA Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 010563E7
TranslateAcceleratorW.USER32(?,?,?), ref: 01056433
TranslateMessage.USER32(?), ref: 0105645C
DispatchMessageW.USER32(?), ref: 01056466
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 01056475

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: 7768f0dc480f325cbf551dd12809f6cd1eca2912a2a8efcee67c37e5211b4589
Instruction ID: 6f8c1c374904b6cbe52dbad4e6f14f323526f81748b473c941b67c03f4c4a568
Opcode Fuzzy Hash: 7768f0dc480f325cbf551dd12809f6cd1eca2912a2a8efcee67c37e5211b4589
Instruction Fuzzy Hash: FB31C8316002469FEBF58F74D844BBB7FE9AB05304F9441A5E9D1C2195DB2BA485CF50

Function 01058A1F Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 01058A30
PostMessageW.USER32(?,00000201,00000001), ref: 01058ADA
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 01058AE2
PostMessageW.USER32(?,00000202,00000000), ref: 01058AF0
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 01058AF8

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 03867f2c1bba3e6ade6f497523dae592fda936fdc6d69c90b16b39a417d6f41e
Instruction ID: ca85a5fc1a71ac30417dfbd90eafc49f8e23a984eda6d688f23c090d801f40b6
Opcode Fuzzy Hash: 03867f2c1bba3e6ade6f497523dae592fda936fdc6d69c90b16b39a417d6f41e
Instruction Fuzzy Hash: 6131CB7150021AEBEF54CFA9D94CA9E3BA5EB04315F00825AFDA4EA2C1C3B09920CB90

Function 0108B14B Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 01002612: GetWindowLongW.USER32(?,000000EB), ref: 01002623

GetWindowLongW.USER32(?,000000F0), ref: 0108B192
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0108B1B7
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0108B1CF
GetSystemMetrics.USER32(00000004), ref: 0108B1F8
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,01070E90,00000000), ref: 0108B216

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 7d098b196dab50669791a90a7cdd0669dfa2c5147798b86a6afbd2c5d9e0d93b
Instruction ID: 6021b5c1a25e2a57cb67ebc254fec27854d3d5aa4caed7a254e5921978ca5826
Opcode Fuzzy Hash: 7d098b196dab50669791a90a7cdd0669dfa2c5147798b86a6afbd2c5d9e0d93b
Instruction Fuzzy Hash: 1F219171A18652AFDB60AF3CDC04A6E3BA4FB05321F144768FAF2D71D0D73198618B90

Function 01075A4D Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 01075A6E
GetForegroundWindow.USER32 ref: 01075A85
GetDC.USER32(00000000), ref: 01075AC1
GetPixel.GDI32(00000000,?,00000003), ref: 01075ACD
ReleaseDC.USER32(00000000,00000003), ref: 01075B08

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: a17a665a895aad46a26b5aad3bbba0e538c7541bc87f0353c386fbaedff562e1
Instruction ID: 9e5a06a0fe34b8385d0b5b5a587f48d1d011b7d6f18e30b5215bf883025b6db1
Opcode Fuzzy Hash: a17a665a895aad46a26b5aad3bbba0e538c7541bc87f0353c386fbaedff562e1
Instruction Fuzzy Hash: AC218175A00205AFDB14EF75C984A9EBBE9EF58310F14C479E889D7351CA35ED10DB90

Function 010012F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0100134D
SelectObject.GDI32(?,00000000), ref: 0100135C
BeginPath.GDI32(?), ref: 01001373
SelectObject.GDI32(?,00000000), ref: 0100139C

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 29a54bd6e184999c035620e035455614899bc039864336844e8e1dbb42ee707b
Instruction ID: ea5aa49ff3e9366b61da0e2e2cdf2eed8bd096c53bfef320a5adea9429cd8e09
Opcode Fuzzy Hash: 29a54bd6e184999c035620e035455614899bc039864336844e8e1dbb42ee707b
Instruction Fuzzy Hash: 55216034900309EFEB229F29DC0476E7BE8FB04361F648256F8D0A61D4D77AA499DF91

Function 01064A93 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 01064ABA
__beginthreadex.LIBCMT ref: 01064AD8
MessageBoxW.USER32(?,?,?,?), ref: 01064AED
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 01064B03
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 01064B0A

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: cb49b2e972fda28069b687c56777480ba8ce192495ed06aed7eb70a2bbc356c8
Instruction ID: 06c2e5b82e895f360b2a59f365932dbe1f1ab2a1d5a840620e85ebd80a23929b
Opcode Fuzzy Hash: cb49b2e972fda28069b687c56777480ba8ce192495ed06aed7eb70a2bbc356c8
Instruction Fuzzy Hash: 69114C76A082057FC7208FB8DC04A9F7FEDEB46320F144255F894D3240D67A99008BA0

Function 01058202 Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 0105821E
GetLastError.KERNEL32(?,01057CE2,?,?,?), ref: 01058228
GetProcessHeap.KERNEL32(00000008,?,?,01057CE2,?,?,?), ref: 01058237
HeapAlloc.KERNEL32(00000000,?,01057CE2,?,?,?), ref: 0105823E
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 01058255

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 203eb43ea4bcc42445a6dc1a2d604bd2993f8e52d668bb4e68c45522879913dd
Instruction ID: ddcee8bbc1285090530bc911193b3ad031353299b05f3e78b5ee90ffcbeb4721
Opcode Fuzzy Hash: 203eb43ea4bcc42445a6dc1a2d604bd2993f8e52d668bb4e68c45522879913dd
Instruction Fuzzy Hash: A1016D71204205BFDB605FBADC48D6B7FACFF8A6A4B50456AFDC9C2214DA328C10CB60

Function 0105710A Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,01057044,80070057,?,?,?,01057455), ref: 01057127
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,01057044,80070057,?,?), ref: 01057142
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,01057044,80070057,?,?), ref: 01057150
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,01057044,80070057,?), ref: 01057160
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,01057044,80070057,?,?), ref: 0105716C

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 99be320c51a570a112e5d10de4e92d4a56d65b14f373967758101c5094d07808
Instruction ID: df14a2ed8205a49257cdd2e2aefc604b4100f1210125201d471a62b67067b4e1
Opcode Fuzzy Hash: 99be320c51a570a112e5d10de4e92d4a56d65b14f373967758101c5094d07808
Instruction Fuzzy Hash: AF01BC72610215ABDB604E68DC44AAE7FEEEB44691F1000A4FE84D2204DB36D900ABA0

Function 01065244 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 01065260
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0106526E
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 01065276
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 01065280
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 010652BC

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: e3b57538afb49d6814c645a3171b803f81cff4af88f0f88deaa7082049978bd0
Instruction ID: 94902982a19212b3059d72cec923bc3d8fe91f8ba2c285fe1b5ad896d98f7c84
Opcode Fuzzy Hash: e3b57538afb49d6814c645a3171b803f81cff4af88f0f88deaa7082049978bd0
Instruction Fuzzy Hash: 42011731D0561ADBCF10EFE4EC889EDBB7CBB0A751F440556E9C1F2248CB35555087A1

Function 010580A9 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 010580C0
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 010580CA
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 010580D9
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 010580E0
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 010580F6

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 0698fd5aff3c5bbd5e036246430e2b4612b818216c54c579987870b8bbf762a8
Instruction ID: 5a7f002d9a2a8be5b323cc63ade150484de89aca5e445b89ae2cf1cd95df2fdc
Opcode Fuzzy Hash: 0698fd5aff3c5bbd5e036246430e2b4612b818216c54c579987870b8bbf762a8
Instruction Fuzzy Hash: BBF0C230204305AFEB615FB9EC8CE6B3FACEF4A654B104016FDC5C2140DB669841DB60

Function 0105C1E3 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 0105C1F7
GetWindowTextW.USER32(00000000,?,00000100), ref: 0105C20E
MessageBeep.USER32(00000000), ref: 0105C226
KillTimer.USER32(?,0000040A), ref: 0105C242
EndDialog.USER32(?,00000001), ref: 0105C25C

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: ea6aa3be085cd8dc107779f4e6a045e121c093c934cec622aa846ab13c616263
Instruction ID: 338ae3efe65bf8e7060f710d442dbd5e85f2fc516e7dd7a58a4de8703b1c6f48
Opcode Fuzzy Hash: ea6aa3be085cd8dc107779f4e6a045e121c093c934cec622aa846ab13c616263
Instruction Fuzzy Hash: C401A73040470597FB715B74DD4DB9B7BBCBB04705F000259AAC6E14D0DBE965948B50

Function 010013B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 010013BF
StrokeAndFillPath.GDI32(?,?,0103B888,00000000,?), ref: 010013DB
SelectObject.GDI32(?,00000000), ref: 010013EE
DeleteObject.GDI32 ref: 01001401
StrokePath.GDI32(?), ref: 0100141C

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 64d28a35085bd228dec82d0bb31e7587185e691ebb3b4bbebd17089496e3b96f
Instruction ID: b519486b2d91f1931351fd8de2942bb12db200a6bf0927bf004664c68e1ed9bc
Opcode Fuzzy Hash: 64d28a35085bd228dec82d0bb31e7587185e691ebb3b4bbebd17089496e3b96f
Instruction Fuzzy Hash: 13F01934104209AFEB325F2AEC4C7593FE4A701326F188214F5E9980F8CB3A959ADF10

Function 01012CFB Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 01020DB6: std::exception::exception.LIBCMT ref: 01020DEC
Part of subcall function 01020DB6: __CxxThrowException@8.LIBCMT ref: 01020E01

Part of subcall function 01007DE1: _memmove.LIBCMT ref: 01007E22

Part of subcall function 01007A51: _memmove.LIBCMT ref: 01007AAB

__swprintf.LIBCMT ref: 01012ECD

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 01012D66

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: 12f0d26c433d7d1974e2a82b1652044339a1c85ae97799e2d1c963cd5fd474f2
Instruction ID: 0566f8a925c72b6ce6e5b8c2d7f98289e22308c17abf75fe35113c5e4e9b1990
Opcode Fuzzy Hash: 12f0d26c433d7d1974e2a82b1652044339a1c85ae97799e2d1c963cd5fd474f2
Instruction Fuzzy Hash: A8916E711043169FDB15EF28C884CAEBBE8EF96710F00486DF5C59B2A4EA35ED44CB92

Function 0106B93B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 01004750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,01004743,?,?,010037AE,?), ref: 01004770

CoInitialize.OLE32(00000000), ref: 0106B9BB
CoCreateInstance.OLE32(01092D6C,00000000,00000001,01092BDC,?), ref: 0106B9D4
CoUninitialize.OLE32 ref: 0106B9F1

Part of subcall function 01009837: __itow.LIBCMT ref: 01009862
Part of subcall function 01009837: __swprintf.LIBCMT ref: 010098AC

Strings

.lnk, xrefs: 0106B99D, 0106B9AB

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 0ab3c27fbdd245802d6cbc8926517a0c01dfc4fd2143877e0004d93ba07a47f9
Instruction ID: 04460876a52da78da1e13780d4bdc41874b6412a630dac0eb65d3b29385bc4ba
Opcode Fuzzy Hash: 0ab3c27fbdd245802d6cbc8926517a0c01dfc4fd2143877e0004d93ba07a47f9
Instruction Fuzzy Hash: 8FA135B56043069FDB11DF14C884D6ABBE9FF89314F148988E8D99B3A1CB31ED45CB91

Function 0102501D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 010250AD

Part of subcall function 010300F0: __87except.LIBCMT ref: 0103012B

Strings

pow, xrefs: 01025085, 010250A2

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 6195e48848775851e5af80441cdf0f811fd6c82a53d29bada61fb28a0cfd256b
Instruction ID: ba34b2e09ccf5979c72ffceb731ffa984c78a65ba8d06759679134ed008aa7bd
Opcode Fuzzy Hash: 6195e48848775851e5af80441cdf0f811fd6c82a53d29bada61fb28a0cfd256b
Instruction Fuzzy Hash: 31515D7191A10296EB61761CCD513FE3BD8AB80710F208DD9F4D58629EEF3D85C4CB8A

Function 01016192 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 01016248
_memmove.LIBCMT ref: 010162E4
_memset.LIBCMT ref: 01016308

Strings

ERCP, xrefs: 010161B3

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: b394f43c9036b364b80db52df6d18afe975fb3d2964b0d099cf7df75aa14b0d6
Instruction ID: 1e24b12898fb36dcd9f046c21e7aa3d35d478449e01b11249619445bc751d0bf
Opcode Fuzzy Hash: b394f43c9036b364b80db52df6d18afe975fb3d2964b0d099cf7df75aa14b0d6
Instruction Fuzzy Hash: 32518E71A00706DBDB64DF69C9807EEBBF4EF04304F2085AEE98ADB244E775A644CB50

Function 01087946 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0108F910,00000000,?,?,?,?), ref: 010879DF
GetWindowLongW.USER32 ref: 010879FC
SetWindowLongW.USER32(?,000000F0,00000000), ref: 01087A0C

Strings

SysTreeView32, xrefs: 010879B1

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 93f7c5172e70c19a4a6ad60e868328348081f5e9ff3b9aa2b7a923b5f3f3547f
Instruction ID: 13b0235679a0d298748b737418b443623fa98c517fcce5d81b2822efed964567
Opcode Fuzzy Hash: 93f7c5172e70c19a4a6ad60e868328348081f5e9ff3b9aa2b7a923b5f3f3547f
Instruction Fuzzy Hash: 12310131204206AFEB62AE38CC44BEA7BA8FB48324F204715F9F5A32D4D731E9508B50

Function 010873D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 01087461
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 01087475
SendMessageW.USER32(?,00001002,00000000,?), ref: 01087499

Strings

SysMonthCal32, xrefs: 0108742C

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 6a3bebba5d1da956f0e0bb5845ee4fc879388eb3c8e14ab580b9c3079acfd510
Instruction ID: 71488841cc393956d2ae4b878a722e857ff224204f1f2be4dd6e6f1dd9e435f7
Opcode Fuzzy Hash: 6a3bebba5d1da956f0e0bb5845ee4fc879388eb3c8e14ab580b9c3079acfd510
Instruction Fuzzy Hash: 1821F632100219AFDF12DE68CC41FEE3BA9EF48724F110214FE946B1C4DB75A850CBA0

Function 01087B93 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 01087C4A
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 01087C58
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 01087C5F

Strings

msctls_updown32, xrefs: 01087BC4

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 20b5791a7f4229157ffd04395690a89fe3b2fa9f3f87152cb28b6d653db4ce83
Instruction ID: 817942c41dfb3c8a2c8e0ba6edc0c5b4fd73f8340ecd174031cff7110910e667
Opcode Fuzzy Hash: 20b5791a7f4229157ffd04395690a89fe3b2fa9f3f87152cb28b6d653db4ce83
Instruction Fuzzy Hash: 4C218EB5204209AFEB11EF28DCC1DAB37EDEF59254B14005DFA819B3A5CA32EC118B60

Function 01086CB0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 01086D3B
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 01086D4B
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 01086D70

Strings

Listbox, xrefs: 01086D08

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: b07fd8a997c0315ad7362be26d592c26160f36dbdffb9be31448ce571eecfa86
Instruction ID: e6708ef934b0d62be39fc3aeba849fdfa35598ccf73fc11e9c249375eb76fa56
Opcode Fuzzy Hash: b07fd8a997c0315ad7362be26d592c26160f36dbdffb9be31448ce571eecfa86
Instruction Fuzzy Hash: 5421B332604118BFEF12AF58DC44FBB3BAAEF89750F018124F9C59B190CA729C5187A0

Function 01058C4B Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 79windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 01058C6D
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 01058C84
SendMessageW.USER32(?,0000000D,?,00000000), ref: 01058CBC

Strings

@U=u, xrefs: 01058CBC

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 9a9acf3db69eb6d95dbdbc78bbb79a8d2d683b7c61f38088546c4586e3cfe642
Instruction ID: 69f7daf7419d54c9fc3ccd75287f129351c1ce165733e9ebf768714d4e2ea0ac
Opcode Fuzzy Hash: 9a9acf3db69eb6d95dbdbc78bbb79a8d2d683b7c61f38088546c4586e3cfe642
Instruction Fuzzy Hash: A321CF3260121DBBEB60DAA9C841DEFBBAEEF44350F10405BEE85E3250DA71A9408B94

Function 0108770E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 01087772
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 01087787
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 01087794

Strings

msctls_trackbar32, xrefs: 01087749

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 732f26d27bda009b2e84ce97b2cbb4224279ea963ac674b465520864679fb4ff
Instruction ID: be1138489cbdd296fde5faa347729d9d85409a23a69f2fb59ef1fe9383d90118
Opcode Fuzzy Hash: 732f26d27bda009b2e84ce97b2cbb4224279ea963ac674b465520864679fb4ff
Instruction Fuzzy Hash: 6711C172244209BAEB216F65CC45FEB7BA9FF89B54F114229FAC1A6090C672E451CB20

Function 01086920 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 010869A2
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 010869B1

Strings

@U=u, xrefs: 010869B1
edit, xrefs: 01086986

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: @U=u$edit
API String ID: 2978978980-590756393
Opcode ID: dc679c4258a445a28ae340871587be2c7780b5dd5af9e979d9f539ad944a4036
Instruction ID: 1daf9140798a11d610d2ed789649b8b8c1263b809e7fe675d4e42bb2458b5b6b
Opcode Fuzzy Hash: dc679c4258a445a28ae340871587be2c7780b5dd5af9e979d9f539ad944a4036
Instruction Fuzzy Hash: 1811BF71108105ABEB51AE78DC40AEB37ADEB05374F114714F9E1972D0C636DC509760

Function 01058E05 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 01007DE1: _memmove.LIBCMT ref: 01007E22

Part of subcall function 0105AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0105AABC

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 01058E73

Strings

ComboBox, xrefs: 01058E12
ListBox, xrefs: 01058E3D
@U=u, xrefs: 01058E73

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: @U=u$ComboBox$ListBox
API String ID: 372448540-2258501812
Opcode ID: d6fa3b9f4fae10034ad687e1f2fddbb81721546a4b2e29b45e954de9672b49e3
Instruction ID: b76fb796c9fc3a00ca6c7b3c54d4d9580e5c5152f82f84c795ee26ced397a100
Opcode Fuzzy Hash: d6fa3b9f4fae10034ad687e1f2fddbb81721546a4b2e29b45e954de9672b49e3
Instruction Fuzzy Hash: D901F17164121AABAF55FBA5CC408FF7778AB16320F004A1AECE16B2D0EA355808DA50

Function 01058CFD Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 01007DE1: _memmove.LIBCMT ref: 01007E22

Part of subcall function 0105AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0105AABC

SendMessageW.USER32(?,00000180,00000000,?), ref: 01058D6B

Strings

ComboBox, xrefs: 01058D0A
ListBox, xrefs: 01058D35
@U=u, xrefs: 01058D6B

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: @U=u$ComboBox$ListBox
API String ID: 372448540-2258501812
Opcode ID: c9f82468bb3433c8c07c67354acfb050fabb6193566c0b5928e361443e9a3cfa
Instruction ID: 5c3e4a7a89d3cb8092d4b955b0b6017ef04669235f655ab1d7629f709c1194ac
Opcode Fuzzy Hash: c9f82468bb3433c8c07c67354acfb050fabb6193566c0b5928e361443e9a3cfa
Instruction Fuzzy Hash: 5101F271B4110AABEF15FBA1C991EFF77E8DF25240F10002AADC66B2D0DE255A088671

Function 01058D82 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 01007DE1: _memmove.LIBCMT ref: 01007E22

Part of subcall function 0105AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0105AABC

SendMessageW.USER32(?,00000182,?,00000000), ref: 01058DEE

Strings

ComboBox, xrefs: 01058D8F
ListBox, xrefs: 01058DBA
@U=u, xrefs: 01058DEE

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: @U=u$ComboBox$ListBox
API String ID: 372448540-2258501812
Opcode ID: a3638a7ac5859312917a4de0d21c58f76f95f2735027162d45d64cb08d676c7b
Instruction ID: b33a0895d6533c7540aa85f5d78c6f51259d4bee55079a9dabac046f292f545b
Opcode Fuzzy Hash: a3638a7ac5859312917a4de0d21c58f76f95f2735027162d45d64cb08d676c7b
Instruction Fuzzy Hash: 4A01D672B4110ABBEF11FAA5C981EFF77ECDB25240F10411AADC6772D0DA255E08D671

Function 0108ACCF Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,010C57B0,0108D809,000000FC,?,00000000,00000000,?,?,?,0103B969,?,?,?,?,?), ref: 0108ACD1
GetFocus.USER32 ref: 0108ACD9

Part of subcall function 01002612: GetWindowLongW.USER32(?,000000EB), ref: 01002623

Part of subcall function 010025DB: GetWindowLongW.USER32(?,000000EB), ref: 010025EC

SendMessageW.USER32(0158E978,000000B0,000001BC,000001C0), ref: 0108AD4B

Strings

@U=u, xrefs: 0108AD4B

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: Window$Long$FocusForegroundMessageSend
String ID: @U=u
API String ID: 3601265619-2594219639
Opcode ID: 913686b4f69ce1ba2b610b5a29272808c783cb19b39ca361de987c06696c650d
Instruction ID: b0cad9b196906b2405a4e36564708f60481e9bc0b6057dbe6afcb3a7026ec8fc
Opcode Fuzzy Hash: 913686b4f69ce1ba2b610b5a29272808c783cb19b39ca361de987c06696c650d
Instruction Fuzzy Hash: 4B018435704200CFD725BF38D898AA637E5FB89325F180269E5D6C72A4CB36AC468F50

Function 01016063 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0101603A: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 01016051

SendMessageW.USER32(?,0000000C,00000000,?), ref: 0101607F
GetParent.USER32(?), ref: 01050D46
InvalidateRect.USER32(00000000,?,01013A4F,?,00000000,00000001), ref: 01050D4D

Strings

@U=u, xrefs: 0101607F

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: MessageSend$InvalidateParentRectTimeout
String ID: @U=u
API String ID: 3648793173-2594219639
Opcode ID: d5a35e7eb038af697c921892ccea3c20affe1cd82822075aceb7fe120bb66cdc
Instruction ID: b6c2651eac48f906a8d60947ad3fde81ca53a5727aba4f66a2b7a721ab4937d8
Opcode Fuzzy Hash: d5a35e7eb038af697c921892ccea3c20affe1cd82822075aceb7fe120bb66cdc
Instruction Fuzzy Hash: F3F0A730104200FBFF321F74DC09F9A7BA5AB05388F104464F9C45A06AC6FB64509B50

Function 01080DE7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,01081039), ref: 01080DF5
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 01080E07

Strings

advapi32.dll, xrefs: 01080DF0
RegDeleteKeyExW, xrefs: 01080E01

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 1ee2e8ba844517f273856a9bb0609fe293ee3f7358d96cd4b8b9ce1a316096de
Instruction ID: 9c1f15d29546a808a1b6b5bac4f777cafc807d4e8a967f6ae8130fd121f0a970
Opcode Fuzzy Hash: 1ee2e8ba844517f273856a9bb0609fe293ee3f7358d96cd4b8b9ce1a316096de
Instruction Fuzzy Hash: 8DD0C7B0544323CFDB20AF7AC8482CB7AE4AF05342F008C2EA6C2C6144E6B5D090CB00

Function 01004C03 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,01004BD0,?,01004DEF,?,010C52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 01004C11
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 01004C23

Strings

Wow64DisableWow64FsRedirection, xrefs: 01004C1D
kernel32.dll, xrefs: 01004C0C

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: e91667ec9a826868ba54f33a90aac67c9ed6c2c83f671bc6e323b049d8cb0967
Instruction ID: e29360890cfa75af1e96c97ab4c1ddebb7212c50283e2b4a4ade57bb1bb4a7c3
Opcode Fuzzy Hash: e91667ec9a826868ba54f33a90aac67c9ed6c2c83f671bc6e323b049d8cb0967
Instruction Fuzzy Hash: D7D0C230500313CFEB216F75C91860ABAD5EF09252F008C6D94C1C6140E6F4C480C710

Function 01004C36 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,01004B83,?), ref: 01004C44
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 01004C56

Strings

kernel32.dll, xrefs: 01004C3F
Wow64RevertWow64FsRedirection, xrefs: 01004C50

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 387ba1b345e360757028fe326ad7bc35b78564d69144cf827c2b2cc241885bfd
Instruction ID: 158c9410914b3e3c7930d4bbe83cf3812aac329a5ab65aa86330cef3f38ad19d
Opcode Fuzzy Hash: 387ba1b345e360757028fe326ad7bc35b78564d69144cf827c2b2cc241885bfd
Instruction Fuzzy Hash: 41D0C230500713CFEB215F36C81860A76D4AF01251F10886D95D1CA154E674D4C0C710

Function 010790E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,01078CF4,?,0108F910), ref: 010790EE
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 01079100

Strings

kernel32.dll, xrefs: 010790E9
GetModuleHandleExW, xrefs: 010790FA

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 660c3bce4e8759f92ff73bc492bd5b82d33514b2ce00b8f8ccfd114e8bc543f6
Instruction ID: 2d101b41a5374cfeae8270cade962dd6f858f327250b57e769140f4d15d2ae00
Opcode Fuzzy Hash: 660c3bce4e8759f92ff73bc492bd5b82d33514b2ce00b8f8ccfd114e8bc543f6
Instruction Fuzzy Hash: 6ED0C230914313CFDB209F39D41820676D4AF01261B01C83E94C1C6100E674C4C0C750

Function 01041714 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 01041718
__swprintf.LIBCMT ref: 01041749

Strings

WIN_XPe, xrefs: 01041788
%.3d, xrefs: 01041723

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: dcd101e844535dfc188127bc280fd30e86a817b54a1e98892c832a0a9f6d1b20
Instruction ID: 336995df190165f9cb12126a9a9566dea92c94c584955ab21451078a6d4ef250
Opcode Fuzzy Hash: dcd101e844535dfc188127bc280fd30e86a817b54a1e98892c832a0a9f6d1b20
Instruction Fuzzy Hash: 81D017F1848119EBCB20DA9098C88FD737CBB1C101F000562F5D2A2080E23ABBD4CA21

Function 0105717D Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90f0a78251c04df1571b9ff582af06a4fee65e9d41f5ee3a09ac08709f1113dd
Instruction ID: 53c740ec6453f9bd535cd73a7e960a77013bb7859bc24613899dbe99751e2774
Opcode Fuzzy Hash: 90f0a78251c04df1571b9ff582af06a4fee65e9d41f5ee3a09ac08709f1113dd
Instruction Fuzzy Hash: DEC15974A00206AFDB54CFA8C884AAFBBB5FF48710B548598E945EB251DB30ED81DB90

Function 0107E02A Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 0107E0BE
CharLowerBuffW.USER32(?,?), ref: 0107E101

Part of subcall function 0107D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0107D7C5

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0107E301
_memmove.LIBCMT ref: 0107E314

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: 3bb3275440d7b8f12ae23f120ebeb96c58beceaefe3cd01556726c9d3a11051e
Instruction ID: 2a95dbddc658e9fd23cb4950fb53d2c1c13b6cd8a317c83e1385d3afd5d3015a
Opcode Fuzzy Hash: 3bb3275440d7b8f12ae23f120ebeb96c58beceaefe3cd01556726c9d3a11051e
Instruction Fuzzy Hash: 5BC15971A043029FC745DF28C48096ABBE4FF89714F0489ADF9D99B351D731E946CB86

Function 01078093 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 010780C3
CoUninitialize.OLE32 ref: 010780CE

Part of subcall function 0105D56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0105D5D4

VariantInit.OLEAUT32(?), ref: 010780D9
VariantClear.OLEAUT32(?), ref: 010783AA

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 3e15fb3abe9edf9ad77f60c6e2b5f13d53e3197193ece9a93d42d8692f6a336d
Instruction ID: d0d6ee0eccb221ed1f20202b8125856195cd173d6250467214a8aba485caf265
Opcode Fuzzy Hash: 3e15fb3abe9edf9ad77f60c6e2b5f13d53e3197193ece9a93d42d8692f6a336d
Instruction Fuzzy Hash: D7A15975604702DFDB51DF28C484A6EB7E4BF98728F048449E9D99B3A1CB30EE01CB96

Function 01057530 Relevance: 6.2, APIs: 4, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,01092C7C,?), ref: 010576EA
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,01092C7C,?), ref: 01057702
CLSIDFromProgID.OLE32(?,?,00000000,0108FB80,000000FF,?,00000000,00000800,00000000,?,01092C7C,?), ref: 01057727
_memcmp.LIBCMT ref: 01057748

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 9e59ea876547c7d50fa6825693b5fc6b2d3fec11adaea2c7bfe358b0bf4a790c
Instruction ID: a71465f812371888f6ab8d3bcd74460210f21e2e3c7dd3ae1f1c9926f1d04fac
Opcode Fuzzy Hash: 9e59ea876547c7d50fa6825693b5fc6b2d3fec11adaea2c7bfe358b0bf4a790c
Instruction Fuzzy Hash: B2814E71A0010AEFCB44DFA8C984DEEB7B9FF89315F204598E545AB250DB71AE06DB60

Function 0105687D Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0105688E
SysAllocString.OLEAUT32(00000000), ref: 01056937
VariantCopy.OLEAUT32 ref: 01056966
VariantClear.OLEAUT32(?), ref: 0105698D

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: b13a4bbcb551931b5539089d75773cdfc55b6d2f73773a1a5e0475ddbed143d0
Instruction ID: f96db0e592f5443b62f7659ca5ccb8e3ec4fa3f13209c0ff3d61ea38467cadab
Opcode Fuzzy Hash: b13a4bbcb551931b5539089d75773cdfc55b6d2f73773a1a5e0475ddbed143d0
Instruction Fuzzy Hash: A551C5746003029ADFA4AF6AC490ABFB7E9AF55310F50D81FD9D6CB291DA36D880CB10

Function 010769AA Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 010769D1
WSAGetLastError.WSOCK32(00000000), ref: 010769E1

Part of subcall function 01009837: __itow.LIBCMT ref: 01009862
Part of subcall function 01009837: __swprintf.LIBCMT ref: 010098AC

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 01076A45
WSAGetLastError.WSOCK32(00000000), ref: 01076A51

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: cd2160f4e921f6ffb0f2cbdacdd2bca2fc225175a6a5e3eb903f1bbe834c1adc
Instruction ID: c0cdee7d4fe5eb7b3b3314b4f0e446335c90f061df02effa36e5db8e78cf4414
Opcode Fuzzy Hash: cd2160f4e921f6ffb0f2cbdacdd2bca2fc225175a6a5e3eb903f1bbe834c1adc
Instruction Fuzzy Hash: 6241B174A40601AFFB61BF24CC85FAE77E4AB14B14F04C159FA999B3C2DA719D008B91

Function 0107641A Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,0108F910), ref: 010764A7
_strlen.LIBCMT ref: 010764D9

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 89241fd5e1c0be146a1fb7266852b1322e946ecb8a96b9f74c50324fe993766d
Instruction ID: f182334f85fb3525bf109c39e5b0ddf5a0bda20160eb3cc5c56f6fac3971f220
Opcode Fuzzy Hash: 89241fd5e1c0be146a1fb7266852b1322e946ecb8a96b9f74c50324fe993766d
Instruction Fuzzy Hash: 50411731A00106AFDB15EB68DC84FFEB7A9AF14314F008155E9DA9B2D2DB31AD04CB54

Function 0106B7F4 Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0106B89E
GetLastError.KERNEL32(?,00000000), ref: 0106B8C4
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0106B8E9
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0106B915

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 97d7e99aafb762d5bcb4ef482af6fa1d96731bb940aac48def590b4eba438753
Instruction ID: 8fc09b49c72412e385871ec37cd96f769f7ff4d0e245d4a0c16924611128ee31
Opcode Fuzzy Hash: 97d7e99aafb762d5bcb4ef482af6fa1d96731bb940aac48def590b4eba438753
Instruction Fuzzy Hash: F1411A75600512DFDB12EF15C184A9DBBE5AF59714F09C088EC8AAB3A2CB34FE01CB91

Function 0108AB37 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0108AB60
GetWindowRect.USER32(?,?), ref: 0108ABD6
PtInRect.USER32(?,?,0108C014), ref: 0108ABE6
MessageBeep.USER32(00000000), ref: 0108AC57

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: b696187515d5a6449b968137531f361bc99612908dcb12857e78ab878096783f
Instruction ID: 3584b6cae55abf578c59d754f5bbdb589f3706304f00e13af982f00524e3da05
Opcode Fuzzy Hash: b696187515d5a6449b968137531f361bc99612908dcb12857e78ab878096783f
Instruction Fuzzy Hash: ED419D34B08109DFCB21EF58C884BAE7BF5FB48300F1884AAE9D49B655D735A841CF90

Function 01060AD6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 01060B27
SetKeyboardState.USER32(00000080,?,00000001), ref: 01060B43
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 01060BA9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 01060BFB

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: f6b31226abb51228aae20e0368771336a5ad01ede8183d6c6325736c946aebe2
Instruction ID: 6259b211e704b1e228b0687ad74dac5d00f65ad9dbf3362f3bfff13f4d3e6f4f
Opcode Fuzzy Hash: f6b31226abb51228aae20e0368771336a5ad01ede8183d6c6325736c946aebe2
Instruction Fuzzy Hash: 1F314B30A84209AEFB718E2DC805BFEBBEDEB45318F08929AF6C1511D9C77985508761

Function 01060C11 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,753DC0D0,?,00008000), ref: 01060C66
SetKeyboardState.USER32(00000080,?,00008000), ref: 01060C82
PostMessageW.USER32(00000000,00000101,00000000), ref: 01060CE1
SendInput.USER32(00000001,?,0000001C,753DC0D0,?,00008000), ref: 01060D33

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: e431429e1e56cfddf97b7af7d9b8b9a705f5b4b761b1974c35e4cb6ff1eab982
Instruction ID: 4ed8d1fc75b51d7317d32328d5745cb87ba8574974dfafc326b7c51f296d2863
Opcode Fuzzy Hash: e431429e1e56cfddf97b7af7d9b8b9a705f5b4b761b1974c35e4cb6ff1eab982
Instruction Fuzzy Hash: B331243098030DAEFB758B28C804BFEBBAEEB45320F04439AF5C1521D9C3799555C7A2

Function 010361C5 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 010361FB
__isleadbyte_l.LIBCMT ref: 01036229
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 01036257
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 0103628D

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 9cafbccffa02552e31e004d27eb413f92a6c4125a2c4a1ef99019d224531532a
Instruction ID: a0da3e252f1186492e0ad8c64b931f23496b8f701f6262286f4281b6bc7f57a2
Opcode Fuzzy Hash: 9cafbccffa02552e31e004d27eb413f92a6c4125a2c4a1ef99019d224531532a
Instruction Fuzzy Hash: F031C030604656BFEF228E69CC44BAA7FF9BF82310F164069E8A487191D732DA50C790

Function 01084EEE Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 01084F02

Part of subcall function 01063641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0106365B
Part of subcall function 01063641: GetCurrentThreadId.KERNEL32 ref: 01063662
Part of subcall function 01063641: AttachThreadInput.USER32(00000000,?,01065005), ref: 01063669

GetCaretPos.USER32(?), ref: 01084F13
ClientToScreen.USER32(00000000,?), ref: 01084F4E
GetForegroundWindow.USER32 ref: 01084F54

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 6ec32fb5c3afd499142a6be84b4c844e5af9bc6b2651d40b7a1bb1f9f1f7880a
Instruction ID: d8de46116c83296efed474bfe72eaae3cc655a9393b72a4e5c4d4060495f6f32
Opcode Fuzzy Hash: 6ec32fb5c3afd499142a6be84b4c844e5af9bc6b2651d40b7a1bb1f9f1f7880a
Instruction Fuzzy Hash: 9E310DB1D00109AFDB11EFB5C8849EFB7FDEF98304F10806AE495E7241DA759E058BA1

Function 0108C498 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 01002612: GetWindowLongW.USER32(?,000000EB), ref: 01002623

GetCursorPos.USER32(?), ref: 0108C4D2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0103B9AB,?,?,?,?,?), ref: 0108C4E7
GetCursorPos.USER32(?), ref: 0108C534
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0103B9AB,?,?,?), ref: 0108C56E

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 55b816b28a0937745c98f67bf665620890733d34ee2578c69720c646324976bd
Instruction ID: 60efa896642df6dc1d6d2146933f7533007bc36ad96923a9f4c981687e255424
Opcode Fuzzy Hash: 55b816b28a0937745c98f67bf665620890733d34ee2578c69720c646324976bd
Instruction Fuzzy Hash: F0318F35604018AFEF259F58C858EEE7BF5EB09320F044199FAC59B251CB36A990DFB4

Function 01058656 Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0105810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 01058121
Part of subcall function 0105810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0105812B
Part of subcall function 0105810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0105813A
Part of subcall function 0105810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 01058141
Part of subcall function 0105810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 01058157

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 010586A3
_memcmp.LIBCMT ref: 010586C6
GetProcessHeap.KERNEL32(00000000,00000000), ref: 010586FC
HeapFree.KERNEL32(00000000), ref: 01058703

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 39039fb51c3640fc31cdb70f1f2f8ed16c091da3f372e436f925573bb9d1c9c2
Instruction ID: 3cc04a0ed2ba35e94ad11f5f39d1960a8cdddc1f2205cc3bdf7b358b32534f0a
Opcode Fuzzy Hash: 39039fb51c3640fc31cdb70f1f2f8ed16c091da3f372e436f925573bb9d1c9c2
Instruction Fuzzy Hash: 3D219F31E00109EFDB50DFA9C948BEEB7F8EF44314F15809ADD84A7244D731AA05CB60

Function 0102098C Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 010209AE

Part of subcall function 01005A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,01067896,?,?,00000000), ref: 01005A2C
Part of subcall function 01005A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,01067896,?,?,00000000,?,?), ref: 01005A50

_fprintf.LIBCMT ref: 010209E5
OutputDebugStringW.KERNEL32(?), ref: 01055DBB

Part of subcall function 01024AAA: _flsall.LIBCMT ref: 01024AC3

__setmode.LIBCMT ref: 01020A1A

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: 65fd4417cd53b50bf18a24bf7d769ffe7be4dc243efa904d55d602d1b390b9d1
Instruction ID: e43833ad4916b85cb37090c00c76ae30f17905e4ca3771fc072241e5d72349fa
Opcode Fuzzy Hash: 65fd4417cd53b50bf18a24bf7d769ffe7be4dc243efa904d55d602d1b390b9d1
Instruction Fuzzy Hash: 95118C32A042267FEB05B3B49C489FEB7AC9F65220F100055F1C9971C1EF70494287A1

Function 01071767 Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 010717A3

Part of subcall function 0107182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0107184C
Part of subcall function 0107182D: InternetCloseHandle.WININET(00000000), ref: 010718E9

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: eb19d8ad3319c9e24bc2d8de4eab78e5dbad875ac5f645e70aebe003b2546157
Instruction ID: c8713c8caf39f8dee7b698b0f7d6d4f63192324673760897bf5c515461023d6d
Opcode Fuzzy Hash: eb19d8ad3319c9e24bc2d8de4eab78e5dbad875ac5f645e70aebe003b2546157
Instruction Fuzzy Hash: 12219231A04606BFEB529F649C00FBEBBE9FF48710F10401AFA91D6590DB71D41197A8

Function 01063A2A Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0108FAC0), ref: 01063A64
GetLastError.KERNEL32 ref: 01063A73
CreateDirectoryW.KERNEL32(?,00000000), ref: 01063A82
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0108FAC0), ref: 01063ADF

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 76944f5acb4231ff3152cf1417a522504b3f57704b9e56f8798883b5f36b3742
Instruction ID: c379865f36c3f1d966e40fe327b5c3c433391aa7b77ba9dd748f5852d49922cd
Opcode Fuzzy Hash: 76944f5acb4231ff3152cf1417a522504b3f57704b9e56f8798883b5f36b3742
Instruction Fuzzy Hash: 01217F749082029F9710EF38C8818AFBBE8BE55264F144A5DF4DDCB2D1DB319946DB92

Function 010350E2 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 01035101

Part of subcall function 0102571C: __FF_MSGBANNER.LIBCMT ref: 01025733
Part of subcall function 0102571C: __NMSG_WRITE.LIBCMT ref: 0102573A
Part of subcall function 0102571C: RtlAllocateHeap.NTDLL(01570000,00000000,00000001,00000000,?,?,?,01020DD3,?), ref: 0102575F

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 8a27cac3bb438d0c4ae623e528aab3b5eea69f776a565a549987ae2b63d9b724
Instruction ID: e66b48da7e7c89d043063d265e9db137c585bf833d2e32490110b7c82d2180e1
Opcode Fuzzy Hash: 8a27cac3bb438d0c4ae623e528aab3b5eea69f776a565a549987ae2b63d9b724
Instruction Fuzzy Hash: E011E972504227AFCF323F78EC4469E3BDCAFA5261B10896EF9C49A264DE3584408790

Function 010044A0 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 010044CF

Part of subcall function 0100407C: _memset.LIBCMT ref: 010040FC
Part of subcall function 0100407C: _wcscpy.LIBCMT ref: 01004150
Part of subcall function 0100407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 01004160

KillTimer.USER32(?,00000001,?,?), ref: 01004524
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 01004533
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0103D4B9

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: aa4d09b8d85b2f8fe704b757643ed01ee9838a42d8678a6e7955b54b14eb8122
Instruction ID: 0b6eae4e8fc4ffb66ac94349a2807b970d3476738b3c52bd31769d341b47ac45
Opcode Fuzzy Hash: aa4d09b8d85b2f8fe704b757643ed01ee9838a42d8678a6e7955b54b14eb8122
Instruction Fuzzy Hash: C521F574908384AFF7739B688855BEABBECAB42319F0400CDE7DA96182C7752684CB45

Function 01076369 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 01005A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,01067896,?,?,00000000), ref: 01005A2C
Part of subcall function 01005A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,01067896,?,?,00000000,?,?), ref: 01005A50

gethostbyname.WSOCK32(?,?,?), ref: 01076399
WSAGetLastError.WSOCK32(00000000), ref: 010763A4
_memmove.LIBCMT ref: 010763D1
inet_ntoa.WSOCK32(?), ref: 010763DC

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: 07f98ca4ce1d645cf9b5d30f02d62000f8f0ad0917aa8e0328d9d8e1d12d47b9
Instruction ID: b37ec33b7b886b3e5b6e66b4b132669d94124165f46e374b8df069b23b5fb010
Opcode Fuzzy Hash: 07f98ca4ce1d645cf9b5d30f02d62000f8f0ad0917aa8e0328d9d8e1d12d47b9
Instruction Fuzzy Hash: 1F11603190010AAFDF01FBA4DD45CEEB7B8AF15214F144065E586B72A1DB31AE54CBA1

Function 01058B41 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 01058B61
SendMessageW.USER32(?,000000C9,?,00000000), ref: 01058B73
SendMessageW.USER32(?,000000C9,?,00000000), ref: 01058B89
SendMessageW.USER32(?,000000C9,?,00000000), ref: 01058BA4

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 80a388f9a12afe5b89f5c6cc9a5a81f7b6be765ea24314d2b34983f15fe7ce99
Instruction ID: 5ee2dd55866a553f8e825ec278d8bdb8cb90482053bb1c4222560456a2354ee4
Opcode Fuzzy Hash: 80a388f9a12afe5b89f5c6cc9a5a81f7b6be765ea24314d2b34983f15fe7ce99
Instruction Fuzzy Hash: 6C114C79900219FFEB11DFA5C884FAEBBB8FB48710F204196EE40B7250D6716E10DB94

Function 01001290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 01002612: GetWindowLongW.USER32(?,000000EB), ref: 01002623

DefDlgProcW.USER32(?,00000020,?), ref: 010012D8
GetClientRect.USER32(?,?), ref: 0103B5FB
GetCursorPos.USER32(?), ref: 0103B605
ScreenToClient.USER32(?,?), ref: 0103B610

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: bf3fd1e85c2cfe9c9ad1832df177874947874565f39b78c3da3aa76721d2a3d8
Instruction ID: 22060fc0521ca1478f2f3ce60b49dfa56fd1a93150d551b7458b80369d268a3c
Opcode Fuzzy Hash: bf3fd1e85c2cfe9c9ad1832df177874947874565f39b78c3da3aa76721d2a3d8
Instruction Fuzzy Hash: 65113D7560001AEFDB11EFA8D8899FE7BB8FB05300F400555FA81E7280C735FA618BA5

Function 01061142 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0105FCED,?,01060D40,?,00008000), ref: 0106115F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,0105FCED,?,01060D40,?,00008000), ref: 01061184
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0105FCED,?,01060D40,?,00008000), ref: 0106118E
Sleep.KERNEL32(?,?,?,?,?,?,?,0105FCED,?,01060D40,?,00008000), ref: 010611C1

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 51efbdcf148a8110130b8c194fb934256f36f8e4c1c676e4577875cf32ebb1ba
Instruction ID: d7b71a6ca0c616fc173d90f4d6cf0079e4dfaddc61ac90dd40c567757df7afcf
Opcode Fuzzy Hash: 51efbdcf148a8110130b8c194fb934256f36f8e4c1c676e4577875cf32ebb1ba
Instruction Fuzzy Hash: FD115A31C0461DD7CF109FA4D888AEEBBB8FF49711F004046EAC0BA244CB359550CBD1

Function 0105D831 Relevance: 6.0, APIs: 4, Instructions: 50registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 0105D84D
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 0105D864
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 0105D879
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 0105D897

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: e66128ac73156f1fa40b71291f73ca9c938748c133290eaa5a0728612ed4add5
Instruction ID: 396d566eeb0d24fd151e782a43c391717359b436bd2d955f6a96a1c81f429c20
Opcode Fuzzy Hash: e66128ac73156f1fa40b71291f73ca9c938748c133290eaa5a0728612ed4add5
Instruction Fuzzy Hash: A711A571605305DBF3208F90DC08FA7BBBCEB00700F00455BAA99C6040D7B5E9048BA1

Function 01036FB7 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 01036FDB

Part of subcall function 010376C2: __fltout2.LIBCMT ref: 010376EB

__cftog_l.LIBCMT ref: 01037001
__cftoe_l.LIBCMT ref: 01037033

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: fb1c0fa57074dbacb2156ae8b681eaa5e6954d0b456b60372ce124904d59632e
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: BC014CBA44014AFBDF165F88CC45CEE7F6ABB68250F488455FE9858030D237C5B1AB81

Function 0108B2C5 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0108B2E4
ScreenToClient.USER32(?,?), ref: 0108B2FC
ScreenToClient.USER32(?,?), ref: 0108B320
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0108B33B

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: e1d0c8698fb23201d6b5e268fe095587075f5d11a8aa143f679d69e575597457
Instruction ID: 6183ce7b78b470d14d426c40110373a28d304b5fe0df35f48fafae4eb39eaf89
Opcode Fuzzy Hash: e1d0c8698fb23201d6b5e268fe095587075f5d11a8aa143f679d69e575597457
Instruction Fuzzy Hash: 141174B9D0420AEFDB51DFA9C4849EEBBF9FF08214F108156E954E3210D735AA618F50

Function 0108B635 Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0108B644
_memset.LIBCMT ref: 0108B653
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,010C6F20,010C6F64), ref: 0108B682
CloseHandle.KERNEL32 ref: 0108B694

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: 0b912af71dec3da1be0449826b9395f4a0e39769a139150d49746f7c9064e100
Instruction ID: dcf83b52cb03ae76439f4766faf3cf39747c4a1428ab3baf4b1cd121b31c3e98
Opcode Fuzzy Hash: 0b912af71dec3da1be0449826b9395f4a0e39769a139150d49746f7c9064e100
Instruction Fuzzy Hash: 98F05EB25403127EE2302765AC05FBB3A9CEB08695F804020FAC9E9285D77B88118BA8

Function 01066BDA Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 01066BE6

Part of subcall function 010676C4: _memset.LIBCMT ref: 010676F9

_memmove.LIBCMT ref: 01066C09
_memset.LIBCMT ref: 01066C16
LeaveCriticalSection.KERNEL32(?), ref: 01066C26

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: b64f819e9127dc7ac78dcf31b57d6e09fc829c0aa00bcebeb07d2367fd487cba
Instruction ID: b19bee410f42baa2c1bd0d80e1d66104bd7bac587a4f471f3415cf9d3c5a9cb1
Opcode Fuzzy Hash: b64f819e9127dc7ac78dcf31b57d6e09fc829c0aa00bcebeb07d2367fd487cba
Instruction Fuzzy Hash: 28F0543A100211ABCF016F55DC84A8ABB29EF55320F04C051FE489E21AD735E811CBB4

Function 01002218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 01002231
SetTextColor.GDI32(?,000000FF), ref: 0100223B
SetBkMode.GDI32(?,00000001), ref: 01002250
GetStockObject.GDI32(00000005), ref: 01002258
GetWindowDC.USER32(?,00000000), ref: 0103BE83
GetPixel.GDI32(00000000,00000000,00000000), ref: 0103BE90
GetPixel.GDI32(00000000,?,00000000), ref: 0103BEA9
GetPixel.GDI32(00000000,00000000,?), ref: 0103BEC2
GetPixel.GDI32(00000000,?,?), ref: 0103BEE2
ReleaseDC.USER32(?,00000000), ref: 0103BEED

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: f2fd82375a045d0451d272ffeea2dddeb9b9f65e62f6186fd148bf67a0341fee
Instruction ID: 606c0a323cd8f4ab8861e97f21f483cc4b7802def50af11ca4f609ad74c67ac2
Opcode Fuzzy Hash: f2fd82375a045d0451d272ffeea2dddeb9b9f65e62f6186fd148bf67a0341fee
Instruction Fuzzy Hash: 6FE03031108145AAEF615F78E84D7D83F54EB46336F108396FBE9480D5C7764590DB21

Function 01058712 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 0105871B
OpenThreadToken.ADVAPI32(00000000,?,?,?,010582E6), ref: 01058722
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,010582E6), ref: 0105872F
OpenProcessToken.ADVAPI32(00000000,?,?,?,010582E6), ref: 01058736

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 79004e96d539497dd5cb368e8e9210d26ce4f12fddbd1e135fbb016edab3da53
Instruction ID: 01b1db4a919ed5ebc81633c2102b71703a89bbc1ffa49c60f222a63cd4cd7b9b
Opcode Fuzzy Hash: 79004e96d539497dd5cb368e8e9210d26ce4f12fddbd1e135fbb016edab3da53
Instruction Fuzzy Hash: 24E086366193129FDBB05FB55D0CB5B3BACEF54791F148858BAC5C9044D63D8052CB50

Function 0105B2F3 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 0105B4BE

Strings

AutoIt3GUI, xrefs: 0105B436
Container, xrefs: 0105B43B

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: 2d0589e7f0aed0e4f96b00b58014b21742e15e594d748217961381a8220d06b5
Instruction ID: 265b8ffac1d756d00a41809014354f605ebee9d7139b56ee7b352072584a153a
Opcode Fuzzy Hash: 2d0589e7f0aed0e4f96b00b58014b21742e15e594d748217961381a8220d06b5
Instruction Fuzzy Hash: 37914C70600601AFDB94DF68C884BABBBE5FF49714F10856DED86DB291DB71E841CB50

Function 0106AFAC Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 0101FC86: _wcscpy.LIBCMT ref: 0101FCA9

Part of subcall function 01009837: __itow.LIBCMT ref: 01009862
Part of subcall function 01009837: __swprintf.LIBCMT ref: 010098AC

__wcsnicmp.LIBCMT ref: 0106B02D
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0106B0F6

Strings

LPT, xrefs: 0106B027

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 1f1ebadac092de2ccba98ec990d6b2badd291c60bd4f3dc64208d8933966b2ec
Instruction ID: a35fc6b1f2bbcd97994e16a4badb0142db7bac73c727c37a3bf3188b95731acf
Opcode Fuzzy Hash: 1f1ebadac092de2ccba98ec990d6b2badd291c60bd4f3dc64208d8933966b2ec
Instruction Fuzzy Hash: 7E616FB5A00215EFDB15DF98C890EEEB7F8EB08710F404099F996EB291D670AE44CB50

Function 01012957 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 01012968
GlobalMemoryStatusEx.KERNEL32(?), ref: 01012981

Strings

@, xrefs: 01012975

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: c8a27486a0bab28337a8f3daaf580aae9d1b799779b03b0fcb41e5434bc1bbb7
Instruction ID: 6764b0cdede51319a5e228dae01ed856625d484f297fb0a555937ff96dbddf48
Opcode Fuzzy Hash: c8a27486a0bab28337a8f3daaf580aae9d1b799779b03b0fcb41e5434bc1bbb7
Instruction Fuzzy Hash: A8516772408B459BE321EF14D885BEFBBE8FF94344F81884DF2D881195DB718928CB66

Function 01069734 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 01004F0B: __fread_nolock.LIBCMT ref: 01004F29

_wcscmp.LIBCMT ref: 01069824
_wcscmp.LIBCMT ref: 01069837

Strings

FILE, xrefs: 01069770

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: a4abbee88f2d2830a3ca7fc17a5b74c4a7cf5ea9d3d92cc6a21a58bfe4c54886
Instruction ID: ed0bb9527a6fc646a0620fa471e49101a2258b495c6f710009838ef998f90020
Opcode Fuzzy Hash: a4abbee88f2d2830a3ca7fc17a5b74c4a7cf5ea9d3d92cc6a21a58bfe4c54886
Instruction Fuzzy Hash: 1741DB71A0021ABEEF219EA5CC45FEFBBFDDF85714F000469FA44EB180DA71A9048B65

Function 0107258E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0107259E
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 010725D4

Strings

|, xrefs: 010725A5

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 2752e260ff3a1e893db07823d21eab101867663d9410bd521b37f700ce50db39
Instruction ID: 5b8e9d56f6cc42b1cf33fec3304a4654a329cda16220df2d023117e880832e7c
Opcode Fuzzy Hash: 2752e260ff3a1e893db07823d21eab101867663d9410bd521b37f700ce50db39
Instruction Fuzzy Hash: 79310A71D0011AABDF11EFA4CC84EEEBFB8FF18350F10005AE999A6161DB355955DB60

Function 01087A71 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 01087B61
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 01087B76

Strings

', xrefs: 01087ACA

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: dab12c4a4c568ae90e3ebb05c3039ee816d6adeb8e54d05ebd5626f2dfeb7812
Instruction ID: 5fd9140f36cf5afd2d263762be17bd37cdc57261143e86d6d4cf3655827cee01
Opcode Fuzzy Hash: dab12c4a4c568ae90e3ebb05c3039ee816d6adeb8e54d05ebd5626f2dfeb7812
Instruction Fuzzy Hash: D5411B74A0520A9FDB54DFA8C880BDABBF5FF49300F20016AEA84AB345D771A951CF90

Function 01086A63 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 01086B17
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 01086B53

Strings

static, xrefs: 01086AB3

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: e4c7521e492f623b7cc25ec3110c662926b4a4c085eb80ad3514453e58699ad1
Instruction ID: 73ff5ead170af180e3d1b0ebe4e356b236a00f591075bf341cffcf092d13c2c9
Opcode Fuzzy Hash: e4c7521e492f623b7cc25ec3110c662926b4a4c085eb80ad3514453e58699ad1
Instruction Fuzzy Hash: 50319071200605AEEB11AF79CC40BFB77E9FF48764F118619F9E997190DA31A891CB60

Function 0105994C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 93windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 01059965
SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 0105999F

Strings

@U=u, xrefs: 01059965, 0105999F

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 977fe32f97f92b296f386bcee45e3678d966bd7b14af8ae7bfca83518083b273
Instruction ID: c2ee12cc289216d46dbd767399ba82e0fa61035206e3200a170ceec4e3efe5b1
Opcode Fuzzy Hash: 977fe32f97f92b296f386bcee45e3678d966bd7b14af8ae7bfca83518083b273
Instruction Fuzzy Hash: E521EB31D00206EBDF52EB68C880DFFBBB9EF98614F144059EED5A7290DA755841C7A0

Function 010628A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 01062911
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0106294C

Strings

0, xrefs: 0106290A

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: c1cfa7e2f436488f59eab151dcccd4d8a4c6880076bb9fabde5439a78315c89b
Instruction ID: 54247fb588db29eda0f7b208200d9d88bd9954670e1d9edd0e407f3765f5b378
Opcode Fuzzy Hash: c1cfa7e2f436488f59eab151dcccd4d8a4c6880076bb9fabde5439a78315c89b
Instruction Fuzzy Hash: 35316F31A003069FEB65DE5CCD85BEEBFEDEF85390F180059EAC5A61A0DB709544CB61

Function 010739E9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 01073A66

Part of subcall function 01007DE1: _memmove.LIBCMT ref: 01007E22

Strings

AUTOITCALLVARIABLE%d, xrefs: 01073A58
, $, xrefs: 01073AA6

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 3506404897-2584243854
Opcode ID: 200fa91a3a1d30cb3514119d937feec5fb925ccaccc1df45ffd319eeb64e79b0
Instruction ID: 89672f3cf59cd77323c6f74f5a56701c91fff5cad995d57fedb8827e66ce3d86
Opcode Fuzzy Hash: 200fa91a3a1d30cb3514119d937feec5fb925ccaccc1df45ffd319eeb64e79b0
Instruction Fuzzy Hash: F7218C71A0021EBADF15FF64CC81EEE7BB9BB54300F404459E985AB180DA34E941CBA9

Function 0105A9B1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0101603A: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 01016051

SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0105AA10
_strlen.LIBCMT ref: 0105AA1B

Strings

@U=u, xrefs: 0105AA10

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: MessageSend$Timeout_strlen
String ID: @U=u
API String ID: 2777139624-2594219639
Opcode ID: 7dc46deb01b442653e1b0f0b11a521b6842061575c5030ff4d9311f60f68813e
Instruction ID: 1350bb64f08de89f07ca5b2b0d66632281bacbab707727fb4c0b63f5a0e4c585
Opcode Fuzzy Hash: 7dc46deb01b442653e1b0f0b11a521b6842061575c5030ff4d9311f60f68813e
Instruction Fuzzy Hash: 40112732700207AADF95BE78DC819FF7BB99F59240F00016EEE868B192DE2598458660

Function 01086865 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 76windowCOMMON

Download Yara Rule

APIs

Part of subcall function 010655FD: GetLocalTime.KERNEL32 ref: 0106560A
Part of subcall function 010655FD: _wcsncpy.LIBCMT ref: 0106563F
Part of subcall function 010655FD: _wcsncpy.LIBCMT ref: 01065671
Part of subcall function 010655FD: _wcsncpy.LIBCMT ref: 010656A4
Part of subcall function 010655FD: _wcsncpy.LIBCMT ref: 010656E6

SendMessageW.USER32(?,00001002,00000000,?), ref: 010868FF

Strings

SysDateTimePick32, xrefs: 010868BD
@U=u, xrefs: 010868FF

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: _wcsncpy$LocalMessageSendTime
String ID: @U=u$SysDateTimePick32
API String ID: 2466184910-2530228043
Opcode ID: 0c69845497b974dc528c465265312b4df69e2ec42cd26976390d868b6b419692
Instruction ID: dd642c12e4e32c6ae93a60cc5f169c36c140be3b8f2ec2f47ed229af753059db
Opcode Fuzzy Hash: 0c69845497b974dc528c465265312b4df69e2ec42cd26976390d868b6b419692
Instruction Fuzzy Hash: 86215C71354219AFEF22AE68DC81FFE33A9EB44350F210619F9D4AB1C0D676EC808760

Function 01059225 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 74windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0105923E

Part of subcall function 010613DE: GetWindowThreadProcessId.USER32(?,?), ref: 01061409
Part of subcall function 010613DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0105925A,00000034,?,?,00001004,00000000,00000000), ref: 01061419
Part of subcall function 010613DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0105925A,00000034,?,?,00001004,00000000,00000000), ref: 0106142F

Part of subcall function 010614BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,01059296,?,?,00000034,00000800,?,00000034), ref: 010614E6

SendMessageW.USER32(?,00001073,00000000,?), ref: 010592A5

Part of subcall function 01061487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,010592C5,?,?,00000800,?,00001073,00000000,?,?), ref: 010614B1

Strings

@U=u, xrefs: 0105923E, 010592A5

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: Process$MemoryMessageSend$AllocOpenReadThreadVirtualWindowWrite
String ID: @U=u
API String ID: 1045663743-2594219639
Opcode ID: 2cec2c190ef06adc1d1d22db58ba782407e78bbbecc812070929dec212828e26
Instruction ID: ffd10c88169ce2dc33d5ba67ab88354ecdf2d9b08024f1739674ee87b997de33
Opcode Fuzzy Hash: 2cec2c190ef06adc1d1d22db58ba782407e78bbbecc812070929dec212828e26
Instruction Fuzzy Hash: 40218331901129EBEF61DBA8DC80FDEBBB8FF19354F1001A5F988A7190DA715A44CF90

Function 010866D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 01086761
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0108676C

Strings

Combobox, xrefs: 0108672E

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 395b78d8b7c79ea8eeec6f35871670da59fbaaddc3228ba9a198946fb8d0da31
Instruction ID: 32c214650e0cb78d7f274a07bf63b68ceaf482a1eef8c5d171594eb9797bdb5a
Opcode Fuzzy Hash: 395b78d8b7c79ea8eeec6f35871670da59fbaaddc3228ba9a198946fb8d0da31
Instruction Fuzzy Hash: D8119375204209AFEF62AF58DC80EEB37AAFB48364F110129F9D497291E6369C5187A0

Function 010896F3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

@U=u, xrefs: 01089778, 010897A1

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID:
String ID: @U=u
API String ID: 0-2594219639
Opcode ID: 63d7f6ca863a8b22e13b6553ffc87fb005ad288b5641fc0e50ed49855ef25982
Instruction ID: 51a2f4a9eea9c7decdf42c599fc5e979ab50516a8aa5ed71010f1ad9e6226b37
Opcode Fuzzy Hash: 63d7f6ca863a8b22e13b6553ffc87fb005ad288b5641fc0e50ed49855ef25982
Instruction Fuzzy Hash: 10218C35218118BFEB11BE68CC45FBE37E4FB49318F404195FAD2DA1D0C672A910CB60

Function 01086C07 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 01001D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 01001D73
Part of subcall function 01001D35: GetStockObject.GDI32(00000011), ref: 01001D87
Part of subcall function 01001D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 01001D91

GetWindowRect.USER32(00000000,?), ref: 01086C71
GetSysColor.USER32(00000012), ref: 01086C8B

Strings

static, xrefs: 01086C4E

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 6c4fd730c8ba193efcea820bddc51d292ca39ebc6a0da5225936447811646466
Instruction ID: 78e373819bd225e189f22d51e42ef4d16637e4fbaba989ce4a652ee29e077be7
Opcode Fuzzy Hash: 6c4fd730c8ba193efcea820bddc51d292ca39ebc6a0da5225936447811646466
Instruction Fuzzy Hash: D0214A72A1420AAFDB14EFB8C845AFA7BA8FB08304F014619FA95D2240D635E8509B60

Function 010629AF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 01062A22
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 01062A41

Strings

0, xrefs: 01062A18

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: d12e78596358b06575f27887f6c24ab4c25098680f8a5f80cede82665f7a0ee2
Instruction ID: f4fd8e4c38c0bddda5b6564e1b6cbcfcf31fee6ca0c3b719369165ad4f2d48ec
Opcode Fuzzy Hash: d12e78596358b06575f27887f6c24ab4c25098680f8a5f80cede82665f7a0ee2
Instruction Fuzzy Hash: 4A11E632A01214ABEB70DF9CDC44BEE7BFCAB45204F044061EAD5F7290D7B0A90ACB91

Function 010721D6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0107222C
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 01072255

Strings

<local>, xrefs: 0107221D

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: b8207128b9e471d1e2079035e9c1ecd5e8995521d9a74f31755d6b14ef0dc3f8
Instruction ID: 29a005dab2c7df7b6f29fc7e1c8a94d6908e1a0f923180ea3a256f82d236d35a
Opcode Fuzzy Hash: b8207128b9e471d1e2079035e9c1ecd5e8995521d9a74f31755d6b14ef0dc3f8
Instruction Fuzzy Hash: 4411E970941225FAEB258F558C98EFBFFECFF06651F00826AF59586100D3709552C6F4

Function 010884E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 01088530

Strings

@U=u, xrefs: 01088530, 0108856C

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 809c87b6574719135b89e03c5c74246eb4223e136caff5e2f3dd0a48016588f8
Instruction ID: 779e3d610bfb443fb6c453141d1826485106093de558343f24051a590b28e26b
Opcode Fuzzy Hash: 809c87b6574719135b89e03c5c74246eb4223e136caff5e2f3dd0a48016588f8
Instruction Fuzzy Hash: 0021EA7560410AEF8B15DFA8D8408EE7BB5FB4C350B408195FD85A7354D631A961DBA0

Function 010865B6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000401,?,00000000), ref: 0108662C

Strings

button, xrefs: 01086603
@U=u, xrefs: 0108662C

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: MessageSend
String ID: @U=u$button
API String ID: 3850602802-1762282863
Opcode ID: 156e58d4d10675074bfa6c5b6525ffc6eeaf0c22721acd9c68389d102e8ce5f5
Instruction ID: 72f48950d45be31cd6283e1317741b055430ca74400fde4d0731d4ac18888989
Opcode Fuzzy Hash: 156e58d4d10675074bfa6c5b6525ffc6eeaf0c22721acd9c68389d102e8ce5f5
Instruction Fuzzy Hash: 9A11E572154205ABDF11AF64DC11FEA37A9FF0C318F114218FAD1A7190C677E8619B60

Function 0108788C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000133E,00000000,?), ref: 010878D8

Strings

@U=u, xrefs: 010878D8

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 36d092bae9815223683b059b44ab87020db7a3054c1b9f2a85c61659fd6fd247
Instruction ID: b346b56d7a6de22852e6ea8943714b1519fa93c0448b4933223d270b21fdd614
Opcode Fuzzy Hash: 36d092bae9815223683b059b44ab87020db7a3054c1b9f2a85c61659fd6fd247
Instruction Fuzzy Hash: 1E11B130508744AFD721DF38C891AE7BBE9BF09310F20864DE9EA47385DB7169419B60

Function 010594A7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55windowCOMMON

Download Yara Rule

APIs

Part of subcall function 010614BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,01059296,?,?,00000034,00000800,?,00000034), ref: 010614E6

SendMessageW.USER32(?,0000102B,?,00000000), ref: 01059509
SendMessageW.USER32(?,0000102B,?,00000000), ref: 0105952E

Strings

@U=u, xrefs: 01059509, 0105952E

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: MessageSend$MemoryProcessWrite
String ID: @U=u
API String ID: 1195347164-2594219639
Opcode ID: 7382065dec64f1833da41a7b33d27896b6576a63fe8efd21a0d030520673eb74
Instruction ID: 040304d757640733aca5cbf2f8e4611b7d7f4c4307da68dc2c4d12a245bb352e
Opcode Fuzzy Hash: 7382065dec64f1833da41a7b33d27896b6576a63fe8efd21a0d030520673eb74
Instruction Fuzzy Hash: C5012B32900219EBDB21AF28DC45FEEBB7CDB14314F10416AF995A70C0DBB56D64CB60

Function 01068D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 01068DAC
__fread_nolock.LIBCMT ref: 01068DC1

Strings

EA06, xrefs: 01068DF3

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 4b549098b0a6ff846ee483c956ef226111cf928608051ebf5e753c360ea50915
Instruction ID: 57107b80fb6f1018f4b4cdf1e72080bd600c12b164688d6980b2885231a77601
Opcode Fuzzy Hash: 4b549098b0a6ff846ee483c956ef226111cf928608051ebf5e753c360ea50915
Instruction Fuzzy Hash: E001B9719042287EDB28DAA8DC55EFE7BFCDB15211F00419FE592D6181E575E6048760

Function 010595D5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000406,00000000,00000000), ref: 010595FB
SendMessageW.USER32(?,0000040D,?,00000000), ref: 0105962E

Part of subcall function 01061487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,010592C5,?,?,00000800,?,00001073,00000000,?,?), ref: 010614B1

Part of subcall function 01007BCC: _memmove.LIBCMT ref: 01007C06

Strings

@U=u, xrefs: 010595FB, 0105962E

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: MessageSend$MemoryProcessRead_memmove
String ID: @U=u
API String ID: 339422723-2594219639
Opcode ID: 59ae8b642faa87a2c7048ae798d04f9052b7ac5fd990f9cbf58ad5f09f8b2ed8
Instruction ID: ec320dafb98c7924ac501cc93f0c8c11b7da428856066a95a04ff8a5779b1a8a
Opcode Fuzzy Hash: 59ae8b642faa87a2c7048ae798d04f9052b7ac5fd990f9cbf58ad5f09f8b2ed8
Instruction Fuzzy Hash: 47016171900119EFDB60AE60DC80EDA777CFB28244F80C0A6F6C997150DE715E99CF90

Function 0108C57D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 01002612: GetWindowLongW.USER32(?,000000EB), ref: 01002623

DefDlgProcW.USER32(?,0000002B,?,?,?,?,?,?,?,0103B93A,?,?,?), ref: 0108C5F1

Part of subcall function 010025DB: GetWindowLongW.USER32(?,000000EB), ref: 010025EC

SendMessageW.USER32(?,00000401,00000000,00000000), ref: 0108C5D7

Strings

@U=u, xrefs: 0108C5D7

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: LongWindow$MessageProcSend
String ID: @U=u
API String ID: 982171247-2594219639
Opcode ID: 4d3824e4e16d0bbf6258d902502878a8fcbeacb035c9e73c191fcc8acd034fb0
Instruction ID: a6f1e81d90d2c72e48287f10377479f46296f3171a2a6be9054dcba6d62e76ee
Opcode Fuzzy Hash: 4d3824e4e16d0bbf6258d902502878a8fcbeacb035c9e73c191fcc8acd034fb0
Instruction Fuzzy Hash: 5601B935204204AFEB216F18DD58EAF3BB6FB85764F040168FAC11B2D0CB326851DB70

Function 0105953C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0105954C
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 01059564

Strings

@U=u, xrefs: 0105954C, 01059564

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: a49c2fc8fcbe784f11ff87607a28b398af4f4c325af11602caaa6519c0764e8f
Instruction ID: f5e6aba5be2e8e84fc5705c01c2ba52d4b55449551f81607b7f323570bf1abac
Opcode Fuzzy Hash: a49c2fc8fcbe784f11ff87607a28b398af4f4c325af11602caaa6519c0764e8f
Instruction Fuzzy Hash: 01E0E535342212F6F37015758C49FDB2F4ADB88BA9F150024BF81590C4C9D2096183A0

Function 01064F28 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 01064F46
_wcscmp.LIBCMT ref: 01064F58

Strings

#32770, xrefs: 01064F52

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: cf263d5e92986afccae17cb2af41b7085205fd95e6324015294dead016eb9508
Instruction ID: d6eb33ff40e9e900a5e06697a5e0a1d8b7a0da6b9487e4793f3e10f17cbd304a
Opcode Fuzzy Hash: cf263d5e92986afccae17cb2af41b7085205fd95e6324015294dead016eb9508
Instruction Fuzzy Hash: B3E061325002392BE3309B599C49FE7F7ECEB55B30F000057FD84D7000D560964187E0

Function 0103B2C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0103B314: _memset.LIBCMT ref: 0103B321

Part of subcall function 01020940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0103B2F0,?,?,?,0100100A), ref: 01020945

IsDebuggerPresent.KERNEL32(?,?,?,0100100A), ref: 0103B2F4
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0100100A), ref: 0103B303

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0103B2FE

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: 546bb4272da06eba9cbc7fb7b28b35e2347c9b1ce01529e0590f4d26a2e318a1
Instruction ID: 9859e8b1f208e4dd660cae2f5285ffdbbfa327a78e4f094c34bf54451a241e05
Opcode Fuzzy Hash: 546bb4272da06eba9cbc7fb7b28b35e2347c9b1ce01529e0590f4d26a2e318a1
Instruction Fuzzy Hash: 43E06D702003128FE731EF69E4043867AE8AF50308F008A6CE8C6C7244EBB9E444CBA1

Function 01041935 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 01041775

Part of subcall function 0107BFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,0104195E,?), ref: 0107BFFE
Part of subcall function 0107BFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0107C010

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 0104196D

Strings

WIN_XPe, xrefs: 01041788

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: WIN_XPe
API String ID: 582185067-3257408948
Opcode ID: f24ef3fed71846a16c96f2768702e800b44e8a95afb2f81a16c4754b8d33eb43
Instruction ID: 5657014d9cb0f64dee42eddd7d3b359cfb65ba405a9bec929dffa810e6fe46a8
Opcode Fuzzy Hash: f24ef3fed71846a16c96f2768702e800b44e8a95afb2f81a16c4754b8d33eb43
Instruction Fuzzy Hash: 12F0EDB0804109DFEB25DBA5C9D8AECBBF8BB18301F5400D5E192A2194DB766F84CF64

Function 01085964 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0108596E
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 01085981

Part of subcall function 01065244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 010652BC

Strings

Shell_TrayWnd, xrefs: 01085967

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 32c0d5e9d2150d0699205902c7035d3c23031e1186c3092b046023fdc0f15214
Instruction ID: 1e4ff5d75f165a1f1abc2381ce5b0102b5f0da629dbeb98a5d0e1a8ad48b4bd2
Opcode Fuzzy Hash: 32c0d5e9d2150d0699205902c7035d3c23031e1186c3092b046023fdc0f15214
Instruction Fuzzy Hash: F7D0C931388312B6E674BA709C4EFDA7A58AB14B50F000829B3C9AA1D4C9E5A800C764

Function 01085998 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 010859AE
PostMessageW.USER32(00000000), ref: 010859B5

Part of subcall function 01065244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 010652BC

Strings

Shell_TrayWnd, xrefs: 010859A7

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 1bf2bafd91b7587e117f7261bdaab346bbde8aa0294a38be6a88e58ad032c49b
Instruction ID: a6daf8fa24942ad1c9a773220e9f328634d7757295a87d2062df92ab46479987
Opcode Fuzzy Hash: 1bf2bafd91b7587e117f7261bdaab346bbde8aa0294a38be6a88e58ad032c49b
Instruction Fuzzy Hash: A8D0C9313843127AE674BA709C4EFDA7A58AB15B50F000829B3C5AA1D4C9E5A800C764

Function 010593DD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 010593E9
SendMessageW.USER32(00000000,00001200,00000000,00000000), ref: 010593F7

Strings

@U=u, xrefs: 010593E9, 010593F7

Memory Dump Source

Source File: 00000000.00000002.1365772127.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1365710763.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.000000000108F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365822734.00000000010B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1365999447.00000000010BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1366037954.00000000010C7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_FJRUb5lb9m.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 327e51c886fd6151e9d35ec7c8331fb97bd7df9e83ca5e5a3d9ceb1c409b550b
Instruction ID: de232310734ec920216e33186768838e1455f3b68d61708d3e0287293dd3545a
Opcode Fuzzy Hash: 327e51c886fd6151e9d35ec7c8331fb97bd7df9e83ca5e5a3d9ceb1c409b550b
Instruction Fuzzy Hash: 6CC04C311551C1BAEB311A77BC0DD8B3F3DE7CFF96721026CB291950A9C66A00A5D734

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report FJRUb5lb9m.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\aut3BFA.tmp

C:\Users\user\AppData\Local\Temp\hepatoduodenostomy

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

DNS Answers

Statistics

CPU Usage

Windows Analysis Report
FJRUb5lb9m.exe

Function 01003B3A Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Function 010049A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 01004E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Function 01069155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 0100301C Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Function 01003041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 0100708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 01003A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 01003633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Function 01003766 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Function 015B14F8 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 010039D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 015B1278 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 160
fileCOMMON

Function 0100407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Function 0100686A Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260
COMMON